From Phishing to Prompt Bombing: Innovative Game-Theoretic Solutions for Modern Cyber Threats
Abstract
The rise of multi-factor authentication (MFA) has significantly strengthened security postures, yet its effectiveness is increasingly challenged by social engineering attacks that exploit MFA fatigue. In an MFA fatigue attack (also called prompt bombing), an attacker who already holds the user's first factor floods the user with authentication prompts until one is approved by mistake, as notably exemplified by the 2022 Uber breach. This tactic undermines the very security MFA is designed to provide by leveraging human, rather than technical, weaknesses. Game theory, a mathematical framework for analyzing strategic decision-making, offers a methodology for modeling the dynamic interaction between attackers and defenders. By applying game-theoretic principles, it becomes possible to predict attacker behavior, understand user responses under pressure, and design optimal countermeasures. This article presents a comprehensive game-theoretic analysis of MFA fatigue attacks, including formal mathematical models, empirical validation through Monte Carlo simulations, and practical implementation frameworks. In simulation, the proposed game-theoretic countermeasures reduce the attack success rate by 87% (from 68.3% to 8.9%), and combined approaches achieve rates as low as 3.2% (≈95% reduction) in some scenarios. The research synthesizes current approaches, provides novel theoretical contributions, and establishes a roadmap for future research in this critical cybersecurity domain.
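To make the attacker-defender interaction the abstract describes concrete, here is an added example (not the paper's model, code or results): a Monte Carlo simulation of a prompt-bombing campaign against a user whose chance of approving an unsolicited push grows with every prompt, two countermeasures an identity provider can apply (a push lockout threshold and number matching), and an attacker best-response calculation over campaign length. The user model, the defense parameters, the attacker's value and cost figures, and all function and class names are assumptions chosen for this illustration; the rates it prints are not the paper's 68.3%, 8.9% or 3.2%.

```python
"""Monte Carlo model of an MFA prompt-bombing (MFA fatigue) campaign, plus an
attacker best-response step that shows where the game-theoretic framing enters.

Added illustration: this is not the paper's model, code or results. Every
parameter below is an assumption chosen for the example (hypothetical values).
"""
import random
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class UserModel:
    """Per-prompt chance that a worn-down user taps Approve on a push they did not request."""
    base_p: float = 0.02   # assumed P(approve) on the first unsolicited prompt
    growth: float = 0.02   # assumed increase per additional prompt (the fatigue effect)
    cap: float = 0.30      # assumed ceiling once the user just wants the prompts to stop

    def approve_prob(self, prompt_index: int) -> float:
        # prompt_index is 1-based
        return min(self.cap, self.base_p + self.growth * (prompt_index - 1))


@dataclass(frozen=True)
class Defense:
    """Two countermeasures an identity provider can apply to push-based MFA."""
    lockout_after: Optional[int] = None  # stop delivering pushes after this many denials
    number_matching: bool = False        # approval needs the code shown on the attacker's login screen
    phish_relay_p: float = 0.05          # assumed P(attacker also talks the user through the code)


def _effective_p(user: UserModel, defense: Defense, prompt_index: int) -> float:
    p = user.approve_prob(prompt_index)
    if defense.number_matching:
        # A blind tap cannot approve. The user can only complete the approval if the
        # attacker is also relaying the code by phone or chat (assumed probability).
        p *= defense.phish_relay_p
    return p


def _prompts_delivered(defense: Defense, max_prompts: int) -> int:
    # With a lockout, the (lockout_after + 1)-th push is never delivered.
    if defense.lockout_after is None:
        return max_prompts
    return min(max_prompts, defense.lockout_after)


def campaign_succeeds(user: UserModel, defense: Defense, max_prompts: int, rng: random.Random) -> bool:
    """One simulated campaign: the attacker sends up to max_prompts pushes and wins on the first approval."""
    for i in range(1, _prompts_delivered(defense, max_prompts) + 1):
        if rng.random() < _effective_p(user, defense, i):
            return True
    return False


def success_rate(user: UserModel, defense: Defense, max_prompts: int,
                 trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of P(at least one bad approval) for a campaign of max_prompts pushes."""
    rng = random.Random(seed)
    hits = sum(campaign_succeeds(user, defense, max_prompts, rng) for _ in range(trials))
    return hits / trials


def exact_success(user: UserModel, defense: Defense, max_prompts: int) -> float:
    """Closed form for the same model: 1 - prod(1 - p_i) over the prompts actually delivered.
    Used to sanity-check the Monte Carlo estimate and to evaluate attacker payoffs without noise."""
    survive = 1.0
    for i in range(1, _prompts_delivered(defense, max_prompts) + 1):
        survive *= 1.0 - _effective_p(user, defense, i)
    return 1.0 - survive


def attacker_best_response(user: UserModel, defense: Defense, candidates: Iterable[int],
                           value: float, cost_per_prompt: float) -> Tuple[int, float]:
    """Attacker payoff = value * P(success) - cost_per_prompt * pushes sent.
    Returns the campaign length that maximises it. (0, 0.0) means not attacking is the
    attacker's best response, i.e. the defense has priced the attack out of the game."""
    best = (0, 0.0)
    for n in candidates:
        payoff = value * exact_success(user, defense, n) - cost_per_prompt * n
        if payoff > best[1]:
            best = (n, payoff)
    return best


if __name__ == "__main__":
    user = UserModel()
    scenarios = {
        "no countermeasure": Defense(),
        "lockout after 5 denials": Defense(lockout_after=5),
        "number matching": Defense(number_matching=True),
        "lockout + number matching": Defense(lockout_after=5, number_matching=True),
    }
    for name, d in scenarios.items():
        mc, ex = success_rate(user, d, 20), exact_success(user, d, 20)
        n, payoff = attacker_best_response(user, d, range(0, 31, 5), value=100.0, cost_per_prompt=2.0)
        print(f"{name:28s} P(success | 20 pushes) MC={mc:.3f} exact={ex:.3f}  "
              f"attacker best response: {n} pushes (payoff {payoff:.1f})")
```

Run it directly for a per-scenario table. The closed-form `exact_success` is the check a practitioner wants beside any Monte Carlo figure: if the two disagree by more than sampling error, the simulator and the model have drifted apart. The best-response step is where game theory enters: a defense does not need to drive the success probability to zero, only below the point where the attacker's expected payoff is negative for every campaign length, at which point "do not attack" is the attacker's best response.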
Cite This Article
TY - JOUR
AU - Vamsi, Tummalapalli Sri Ganesh
AU - Yogi, Manas Kumar
AU - Mundru, Yamuna
PY - 2025
DA - 2025/12/25
TI - From Phishing to Prompt Bombing: Innovative Game-Theoretic Solutions for Modern Cyber Threats
JO - ICCK Transactions on Cybersecurity
T2 - ICCK Transactions on Cybersecurity
JF - ICCK Transactions on Cybersecurity
VL - 2
IS - 1
SP - 35
EP - 57
DO - 10.62762/TC.2025.969565
UR - https://www.icck.org/article/abs/TC.2025.969565
KW - game theory
KW - cybersecurity
KW - social engineering
KW - MFA fatigue
KW - multi-factor authentication
KW - strategic interaction
KW - behavioral security
KW - nash equilibrium
KW - empirical validation
SN - 3069-3349
PB - Institute of Central Computation and Knowledge
LA - English
ER -
@article{Vamsi2025From,
author = {Tummalapalli Sri Ganesh Vamsi and Manas Kumar Yogi and Yamuna Mundru},
title = {From Phishing to Prompt Bombing: Innovative Game-Theoretic Solutions for Modern Cyber Threats},
journal = {ICCK Transactions on Cybersecurity},
year = {2025},
volume = {2},
number = {1},
pages = {35-57},
doi = {10.62762/TC.2025.969565},
url = {https://www.icck.org/article/abs/TC.2025.969565},
keywords = {game theory, cybersecurity, social engineering, MFA fatigue, multi-factor authentication, strategic interaction, behavioral security, nash equilibrium, empirical validation},
issn = {3069-3349},
publisher = {Institute of Central Computation and Knowledge}
}
Publisher's Note
ICCK stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.