In adversarial contexts, success often hinges on understanding not just what the opponent knows, but what they believe and how they revise those beliefs. This study investigates how large language models can be made more resilient and strategically capable by modeling the opponent’s reasoning using Bayesian belief revision. By formalizing negotiations as Bayesian games of incomplete information, it is shown that models equipped with belief revision are better able to counter deceptive or willful-thinking adversaries. The findings underscore the role of second-order reasoning in adversarial settings, with implications for social manipulation in the context of, for example, online communication and intelligence gathering.

This paper investigates how large language models can be steered to act more strategically in text-based negotiation settings. Two prompt-based action space designs are compared, namely emotional tone prompts and explicit offer prompts, within a negotiation environment, and outcomes are compared in simulated dialogues. The results show that both approaches improve strategic outcomes compared to a baseline, with tone-based actions yielding higher agreement rates and offer-based actions providing more stable tradeoffs. These findings demonstrate how action space design influences agent behavior, providing insights for deployment of large language models in strategic negotiation scenarios to gain an advantage in, for example, online influence operations.

The digitalization of our societies makes them increasingly vulnerable to emerging cyberthreats. These cyberthreats can manifest themselves in the form of organized, sophisticated, and persistent threat actors, as well as nonadversarial mistakes. Staff involved in responding to cyberthreats and handling incidents in organizations need cyber situation awareness. This paper presents a case study on what challenges members of staff involved in cybersecurity in a large, complex organization experience when developing cyber situation awareness while handling a remote code execution vulnerability in the form of Log4Shell. Two types of qualitative empirical material were used for the case study, data collected through semi-structured interviews with ten informants, and internal documentation. The empirical material was analyzed to create a timeline of events in the organization. The results show how information about the threat spread throughout the organization, the types of artifacts that served as common operational pictures, and the role played by information sharing in maintaining staff cyber situation awareness. Three major challenges to the organization were found: (i) information sharing among staff was not effortless, (ii) there was no organization-wide common operational picture established, and (iii) inaccurate information was shared. This study adds a real-world contribution to the literature on organizational handling of cyberthreats.

In the realm of cybersecurity, leveraging machine learning holds promise for advancing threat detection capabilities. Yet, the sheer volume of unlabeled data presents a challenging hurdle to efficient data management. This chapter delves into the efficacy of active learning methodologies in alleviating the burden of manual data labeling. By employing various query strategies, the study identifies the most informative unlabeled data points suitable for labeling. Examining the performance across different query strategies involved testing a transformer model's ability in discerning tweets referencing advanced persistent threats. In scenarios where labeled training data is scarce, the results suggest that the K-means diversity-based query strategy outperforms both the uncertainty-based approach and the random data point selection. Furthermore, the study investigated the cost-effective active learning paradigm, which integrates high-confidence data points into the training dataset. Surprisingly, this approach emerged as the least effective strategy. In summary, the findings not only explain the potential of active learning in cybersecurity, but also underscore the importance of strategic data selection in optimizing model performance. 

The combination of reinforcement learning and look-ahead search introduced in AlphaGo, has revolutionized our understanding of tactics and strategy in classical strategy games such as Go and chess. Until recently, this pioneering approach has been limited to perfect information games, where players have full information about the current state of the game. This paper investigates the recent generalization of reinforcement learning with search to imperfect information games, such as poker, where parts of the game state, e.g., the opponent’s hand, is hidden from the player. The paper explores how well this approach scales as the amount of hidden information increases. To this end, the current state of the art in reinforcement learning with search, the student of games general learning algorithm, is reproduced and evaluated across three variants of a custom poker game, each differing by the number of hidden cards dealt to players. It is found that games with less hidden information are learned more effectively, and that computational demands scale sublinearly with increasing hidden information.

In recent years, the Swedish public sector has undergone rapid digitalization, while cybersecurity efforts have not kept even steps. This study investigates conditions for cybersecurity work at Swedish administrative authorities by examining organizational conditions at the authorities, what cybersecurity staff do to acquire the cyber situation awareness required for their role, as well as what experience cybersecurity staff have with incidents. In this study, 17 semi-structured interviews were held with respondents from Swedish administrative authorities. The results showed the diverse conditions for cybersecurity work that exist at the authorities and that a variety of roles are involved in that work. It was found that national-level support for cybersecurity was perceived as somewhat lacking. There were also challenges in getting access to information elements required for sufficient cyber situation awareness.

In the domain of cybersecurity, machine learning can offer advanced threat detection. However, the volume of unlabeled data poses challenges for efficient data management. This study investigates the potential for active learning to reduce the effort required for manual data labeling. Through different query strategies, the most informative unlabeled data points were selected for labeling. The performance of different query strategies was assessed by testing a transformer model's ability to accurately distinguish tweets mentioning names of advanced persistent threats. The findings suggest that the K-means diversity-based query strategy outperformed both the uncertainty-based approach and the random data point selection, when the amount of labeled training data was limited. This study also evaluated the cost-effective active learning approach, which incorporates high-confidence data points into the training dataset. However, this was shown to be the least effective strategy.

Recent experimental studies have explored how well adaptive honeypot allocation strategies defend against human adversaries. As the experimental subjects were drawn from an unknown, nondescript pool of subjects using Amazon Mechanical Turk, the relevance to defense against real-world adversaries is unclear. The present study reproduces the experiments with more relevant experimental subjects. The results suggest that the strategies considered are less effective against attackers from the current population. In particular, their ability to predict the next attack decreased steadily over time, that is, the human subjects from this population learned to attack less and less predictably.

Remote photoplethysmography (rPPG) is a technique that aims to remotely estimate the heart rate of an individual using an RGB camera. Although several studies use the rPPG methodology, it is usually applied in a laboratory in a controlled environment, where both the camera and the subject are static, and the illumination is ideal for the task. However, applying rPPG in a real-life scenario is much more demanding, since dynamic illumination issues arise. The work presented in this paper introduces a framework to estimate the heart rate of an individual in real-time using an RGB camera in a situation characterized by dynamic illumination. Such situations occur, for example, when either the camera or the subject is moving, and/or the face visibility is limited. The framework uses a face detection program to extract regions of interest on an individual's face. These regions are combined and constitute the input to a convolutional neural network, which is trained to estimate the heart rate in real-time. The method is evaluated on three publicly available datasets, and an in-house dataset specifically collected for the purpose of this study, that includes motions and dynamic illumination. The method shows good performance on all four datasets, outperforming other methods.

This chapter examines the conditions for automation of cybersecurity work roles, and the probabilities of them being automated. Further, variables that limit the automation potential for current cybersecurity roles are reviewed. Based on a well-established and widely adopted reference resource that lists typical skill requirements and duties of cybersecurity workers, an assessment of the susceptibility for automation of cybersecurity work was performed by an expert panel. All cybersecurity work descriptions were ranked in terms of proneness for automation according to four criteria: requirements for creativity, social interaction, physical work, and the existence of relevant statistical training data. It was found that technical roles, for example database administrators and data analysts, are easiest to automate. Roles associated with management and accountability, for example, legal advisors and cyber operations planners, are more difficult to automate. Finally, requirements for physical work is a negligible factor when it comes to cybersecurity work automation.