1. Brain Dynamics of Nicotine

2. Dynamic Connectivity Under Metabolic Constraints

3. Cyber Security: Pattern Recognition Under Ambiguity

The studies are described in detail below:



  • Recruiting subjects ages 21-55 with moderate to severe nicotine addiction.

  • Requires one visit, after 12 hours of abstaining from nicotine.  Subjects will then "smoke" in the scanner, so permit analysis of how the brain responds to cravings and satisfaction of cravings.

  • Inclusion criteria (addiction and abstaining) will be confirmed physiologically (breathalyzer) prior to participation. 

  • Contact:   lcneuro@partners.org



  • Recruiting subjects ages 18-70, who do not have insulin-dependent diabetes.

  • Requires three visits:  one under normal conditions, one under 12-hour fasting conditions, and one after having followed a low-carb diet for 1-2 weeks.  During your MRI, you will perform a cognitive task (navigating through a virtual maze) before and after sipping a sweet drink containing 75g of glucose. 

  • Inclusion criteria (dietary compliance) will be confirmed physiologically (breathalyzer, urine-analysis) prior to participation.

  • Contact:  lcneuro@partner.org



  • Recruiting subjects ages 18-45.

  • Requires one visit, during which you will play the CYBERSECURITY ENTERPRISES game while we scan your brain with fMRI.

  • Requires showing competency on game shown below before scheduling.

  • Please submit contact information and preliminary scores below (silver scores or better required).

  • Inclusion Criteria (ability to play CYBERSECURITY ENTERPRISES game) will be confirmed behaviorally prior to participation.

  • Contact:  lcneuro@partners.org


Below is a shot of an actual (real, non-simulated) cyberattack, as provided by the NORSE Intelligence Service (http://map.ipviking.com or click button below).  Each day, military and intelligence personnel, as well as private security companies such as NORSE, monitor hacking attempts upon sensitive or unauthorized targets (e.g., banks, power/water infrastructure, military/nuclear facilities).  Cybersecurity analysts are tasked with evaluating thousands of alerts of suspicious activity a day, in order to distinguish serious threats from accidental attempted entry.  This is done by identifying a hacker's profile or "signature":  certain features (such as intrusion time of day, country of origin, specific target, file size, or intrusion type) that appear to be non-random in predicting imminent cyberattacks.

Not everyone can make an effective intelligence analyst:  the analyst needs to be very sensitive to seeing real patterns, but also must avoid seeing patterns that are not there.  This study aims to identify what makes the brains of the very best pattern-detectors different.  To see if you qualify, please take the test below.

Actual Footage of Cyberattack, As Shown via NORSE Live Stream (http://map.ipviking.com)


You are a cyber security analyst.  Your job is to sift through online communications--as provided by intelligence services like NORSE (above)--and to identify the hacker "signature" that best predicts an imminent attack.  Incoming intelligence reports will present you with activity flagged as suspicious in the form of several communications at a time in a tabular graphical format, with each communication in a separate row.  Each communication uses symbols that represent features associated with the activity.   

Each communication has four features, represented by four different columns:


A hacker will always have a unique "signature," such as always attacking at a particular time, hitting a particular target, utilizing a particular type of intrusion, etc. In the first version of this game, you will receive immediate feedback on whether you correctly identified the attack (100% probability that you neutralized the attack) or whether you were incorrect in the feature that you selected as the hacker's signature (0% probability that you neutralized the attack).  Your supervisor will then present you with a new communications report to evaluate. The hacker will always maintain the same signature until you effectively identify the signature several times in a row.   Your streak will neutralize the attack, and you will move on to a new threat: a hacker with a different strategy, and therefore a different signature (the feature that identifies him).  

Your mission is to identify as many true hacking attempts as you can--in the shortest amount of time--while also avoiding raising false alarms on accidental intrusions.  Good luck!


Identify the hacker's signature as quickly and accurately as you can. You will be presented with a chart representing NORSE intelligence.  Each row shows features (time, target, file size, and intrusion type) for each reported suspicious activity. You can use the mouse cursor to select any one of the five answer choices. An example chart is shown below.


                                                                                     TIME                  TARGET          FILE SIZE         INTRUSION TYPE

The actual signature has to be a unique feature (i.e., that feature will not be contained by any other row). In the example shown in the screenshot shown above, the hacker's signature cannot be file-size=4, since there are two rows with that feature. You can confirm your selection by using the mouse button to select the row containing the signature that you believe identifies the hacker.  Upon doing so, your supervisor will immediately provide feedback as to whether you were correct or wrong.  Once you receive feedback, the chart will update with a new communication report of suspicious activity.   The hacker's signature (i.e., the particular feature) will remain the same until a streak of correct identifications on your part neutralizes the attack.  The old hacker's attempts will then be taken over by a new hacker, with a different signature.


For example, in the above series of suspicious activity reports, the hacker's signature is that he always targets Paris (represented by the Eiffel Tower).  Once you identify this signature several times in a row, the SIGNATURES IDENTIFIED count will increase by one, and a new hacker will then take over with a new signature feature that identifies him.  Your mission will continuously track the number of SIGNATURES IDENTIFIED, as well as the total amount of time it takes you to do so.

Your mission will end either after having identified five hacker signatures (mode L1) or after running out of time after ten minutes (mode L2).   Feel free to play and to submit scores from both modes, although L1 is the shorter of the two. At the end of the game, a results screen will appear showing your statistics. If you complete the mission quickly and accurately enough, you will be awarded a bronze, silver, or gold medal for both your average amount time required to identify each signature, as well as your average accuracy in identifying hacker signatures. 

At least a silver score in both time and accuracy is required for further consideration for our study. You are allowed to practice the task as many times as you like in order to reach this threshold score. If you would like to submit your score, please carefully copy your authentication code, average identification time, identification accuracy, and contact information into the form below. Your authentication code must match your posted results in order for you to be considered for the study, so make sure you copy this code correctly! Good luck!


Click here for full screen CYFALL task

Name *
For scheduling your visits, could you let us know of your availability during a typical work week? Please let us know: What days work best for you? What is the earliest time you can make it for testing? When is the latest you have to leave to go to work/other appointments? We are able to *start* experiments anytime between 7.30 AM and 5pm.


The CYBERSECURITY ENTERPRISES (CSE) game simulates what intelligence analysts do every day, in identifying patterns that best predict an imminent cybersecurity strike.  The version of CYBERSECURITY ENTERPRISES that you will play in the MRI machine is very similar to the one that you played on our website, with one important difference.

In the website version, the feedback that you received was always 100% accurate.  Thus, if you found the signature, your supervisor always told you that you were correct.  And, if you did not find the signature, your supervisor always told you that you were wrong.

However, real life generally does not provide such clear-cut feedback.  For example, consider a young graduate who is in the process of applying for her first job.  In her first round of applications, she notices that the resumes printed on expensive stationery seem to be more successful than the resumes printed on ordinary printer paper.  Thus, she starts printing all of her resumes on expensive stationery, with the hope of improving her chances in the job market.  However, she instinctively understands that improving her chances  does not mean that every single one of her expensive stationery-printed resumes will lead to an interview, nor does it mean that every single one of her plain printer paper resumes will result in a rejection.  Rather, the job-seeker's aim is to increase her odds of success in a complex environment in which many variables are unknown (for example, the job-seeker is not in a position to know each company's internal politics, hiring policies, budget, etc.).  

In real-world settings, we learn not in response to deterministic feedback (feedback that is always correct) but in response to probabilistic feedback (feedback that is usually correct).  That is also true in an intelligence setting.  A successful analyst identifies a signature that predicts that a hacker is going to launch an cyberattack.  It is a good and useful rule of thumb if it works 90% of the time.  But that means that 10% of the time the analyst can follow that good and useful rule of thumb and still be wrong (the hacker presents his signature but doesn't launch a cyberattack, due to other factors that forced him to abort that day).  This game will show us how your brain learns in this more realistically ambiguous setting.

For the intelligence simulation that you will be playing in the MRI scanner, after each of your choices you will receive feedback on the likelihood (0% - 100%) that the cyberattack has been neutralized.    Using those likelihoods, you will learn what hacker signature best predicts an imminent cybersecurity strike.

Below is shown a video that shows the ambiguous format in some detail.  Please review carefully before arrival at the fMRI session.