
Week 12 Exercises: Signalling

Lying: A lie is an assertion that is believed to be false, typically used with the purpose of deceiving or misleading someone.
The Wikipedia page includes a very long list of types of lies.

Cheap Talk: Cheap talk is communication that is:

  • (relatively) costless to transmit and receive
  • non-binding (i.e. does not limit strategic choices by either party)
  • unverifiable (i.e. cannot be verified by a third party like a court)

Honest Signal: Communication that is credible and can only be made when true, and thus believed by the receiver. (Closely related to Signalling Theory in evolutionary biology).

Costly Signal: A type of honest signal where people engage in a costly action (e.g. education) to signal that that type of action is less costly for them.

Lying and Cybersecurity

In many situations, both attackers and defenders want to communicate with each other. In all of these situations, there is an underlying challenge: the listener needs to determine if the communication is cheap talk or an honest signal. In situations where the speaker wants to speak the truth and be trusted, the speaker must try to find a way to signal their honesty credibly so that their communication is not interpreted as cheap talk.

Look at all of the different communications in a typical data breach / ransomware situation from this perspective:

  • An attacker claims to a company that they have stolen data from that company.
  • An attacker claims that they will release the stolen data unless they are paid a ransom
  • An attacker claims that they will NOT release the stolen data after they are paid a ransom
  • An attacker claims that they will provide the decryption key after they are paid a ransom
  • A company claims that they will NOT pay the ransom
  • An attacker claims to 3rd parties on the dark web that they have valid, stolen data to sell
  • An attacker claims to 3rd parties on the dark web that if their data is purchased, it won’t also be sold to others
  • A company publicly claims that they did not pay the ransom (for PR purposes)
  • A company publicly claims that the vulnerability used was fixed (so other hackers cannot use it)

Types of Signals

Pre-commitment: If someone pre-commits to a course of action, that can signal intentions.
For example, signing a contract promising a payment if you pay a ransom

Sinking costs: If you invest a lot of resources up front in a particular course of action, you signal that you intend to follow through on it.

Tying hands: If you set up negative consequences for potential future actions, you can signal that you don’t intend to do something

Costly signal: If you invest your resources in something (like education, or a brand name), you signal that making that investment is easier for you.

Note: All of these are variations on each other; it is often hard to distinguish them.