Behavioral study of users when interacting with active honeytokens

Asaf Shabtai, Maya Bercovitch, Lior Rokach, Ya'akov Gal, Yuval Elovici, Erez Shmueli

ACM Transactions on Information and System Security (TISSEC) 18 (3), 1-21, 2016

Active honeytokens are fake digital data objects planted among real data objects and used in an attempt to detect data misuse by insiders. In this article, we are interested in understanding how users (e.g., employees) behave when interacting with honeytokens, specifically addressing the following questions: Can users distinguish genuine data objects from honeytokens? And, how does the user’s behavior and tendency to misuse data change when he or she is aware of the use of honeytokens? First, we present an automated and generic method for generating the honeytokens that are used in the subsequent behavioral studies. The results of the first study indicate that it is possible to automatically generate honeytokens that are difficult for users to distinguish from real tokens. The results of the second study unexpectedly show that users did not behave differently when informed in advance that honeytokens were …