Behavioral Study of Users When Interacting with Active Honeytokens

Asaf Shabtai, Maya Bercovitch, Lior Rovach, Yakov Gal, Yuval Elovici, Erez Shmueli

Research output: Contribution to journalArticlepeer-review


Active honeytokens are fake digital data objects planted among real data objects and used in an attempt to detect data misuse by insiders. In this article, we are interested in understanding how users (e.g., employees) behave when interacting with honeytokens, specifically addressing the following questions: Can users distinguish genuine data objects from honeytokens? And, how does the user’s behavior and tendency to misuse data change when he or she is aware of the use of honeytokens? First, we present an automated and generic method for generating the honeytokens that are used in the subsequent behavioral studies. The results of the first study indicate that it is possible to automatically generate honeytokens that are difficult for users to distinguish from real tokens. The results of the second study unexpectedly show that users did not behave differently when informed in advance that honeytokens were planted in the database and that these honeytokens would be monitored to detect illegitimate behavior. These results can inform security system designers about the type of environmental variables that affect people’s data misuse behavior and how to generate honeytokens that evade detection.
Original languageEnglish
Article number9
Pages (from-to)9:1-9:21
Number of pages21
JournalACM Transactions on Information and System Security
Issue number3
Publication statusPublished - 14 Apr 2016

Fingerprint Dive into the research topics of 'Behavioral Study of Users When Interacting with Active Honeytokens'. Together they form a unique fingerprint.

Cite this