Countering Social Engineering and MFA Fatigue Using Game Theory in Cybersecurity

Abstract

Social engineering and multi-factor authentication (MFA) fatigue attacks exploit human vulnerabilities to bypass cybersecurity defenses, posing significant threats to organizational security. This study proposes a game-theoretic framework to counter these attacks by modeling the strategic interactions between attackers and defenders. Social engineering, including tactics like phishing and MFA fatigue (prompt bombing), leverages cognitive biases and user frustration. Using a non-cooperative game with incomplete information, we define players (attackers and defenders), strategies (e.g., phishing vs. adaptive MFA), and payoffs (breach success vs. system security). The framework employs predictive analysis to anticipate attack vectors, gamified training to enhance user awareness, and context-aware MFA to reduce fatigue. Deception strategies, such as honeypots, increase attacker uncertainty, while continuous monitoring detects suspicious patterns. A proposed gamified training program simulates real-world threats, reinforcing user decision-making through feedback and competition. Evaluation metrics include reduced breach rates, improved user engagement, and enhanced MFA resistance. By integrating game theory, organizations can optimize defenses, balancing security and usability. This approach provides a proactive, adaptive strategy to mitigate human-centric vulnerabilities, ensuring resilience against evolving social engineering and MFA fatigue threats in cybersecurity.