Improving IT Security Through Security Measures: Using Our Game-Theory-Based Model of IT Security Implementation

Abstract

We developed a quantitative model based on game theory related to IT security promotion and implementation in an organization. This model clarified the kinds of organizational conditions in which an employee does or does not carry out security measures. We also clarified the desired and undesired conditions for security implementation in an organization. In addition, we showed that an extremely undesirable dilemma that hitherto has not attracted attention might occur. Then we applied this model to an incident that occurred at a certain school. Using public information and survey data, we calculated the parameters of the model quantitatively. Then we found what kinds of changes to the parameters would be effective for making security improvements. Furthermore, we used the model to show the appropriate order of promoting security measures.

1 Introduction

Serious security incidents are likely to occur when security measures that have been decided upon in an organization are not carried out. To prevent the occurrence of such incidents, it is necessary to analyze the mechanisms for promoting the security measures within the organization. To meet this requirement, we apply an IT security implementation model to an actual Information Technology (IT) security incident and analyze the results obtained in applying it.

2 IT Security Implementation Game

The subject of IT security has been studied from the viewpoint of economics and social psychology [1–3]. On the basis of these studies, we have previously developed a game-theory-based model for implementing IT security in organizations [4]. This model consists of two players: one is an IT security promotion section, which promotes the implementation of IT security, and the other is an employee who implements IT security in his or her section. In this study, we applied the model to an actual IT security incident and investigated the effect of the model parameters on the promotion of security implementation and the effectiveness of varying the parameters.

This model is a security measures promotion and implementation game in which security measures are promoted and implemented on the basis of a strategy of non-cooperativity that does not consider repetition or a mixed strategy. The IT security promotion section selects security measures and promotes their implementation. The employee is sometimes instructed by the promotion section to implement security measures while carrying out his or her duties.

The strategy of the IT security promotion section regarding security measures is either “promotion” or “non-promotion”. The employee thinks about how the measures will affect his or her duties and the efforts that will be necessary to carry them out. As a result, the employee uses his or her judgment in deciding whether to implement a given measure. That is to say, the strategy of the employee is either “implementation” or “non-implementation” of the measure in question. Table 1 shows the payoff matrix of this game.

Table 1. Game between promotion section and employee. (Source: IPSJ Journal, vol. 52, no. 6, p. 2024).

In the matrix, P ₁ is the probability that the promotion section recognizes a security incident, S _p is the post-measure expense incurred after the incident occurs, M is the gain to the IT security promotion section obtained by promoting the security measure, P ₂ is the probability that the employee recognizes the incident, Y _d is the loss of duties that the employee cannot perform due to time limitations and a decline in the efficiency of carrying out the security measure, Y ₂ is the quantity of losses of money an employee incurs when an incident occurs, C _a is the cost that an employee expends when he or she carries out the security measure requested by the promotion section, and V is the penalty that the promotion section gives the employee when the incident occurs.

Moreover, x and y are defined as the difference between the payoff of “implementation” and the payoff of “non-implementation” when the IT security promotion section selects “non-promotion” and “promotion”, respectively. {The strategy of the IT security promotion section: the strategy of the employee} denotes the combination of the strategy of the IT security promotion section and the strategy of the employee. G ₂ (The strategy of the IT security promotion section: the strategy of the employee) denotes the payoff for the employee.

x and y are given as follows:

$$ \begin{aligned} x & = G_{2} ({\text{non-promotion:}}\;{\text{implementation}}) \\ & \quad - G_{2} ({\text{non-promotion:}}\,{\text{non-implementation}}) \\ & = - Y_{d} + P_{2} Y_{2} ; \\ \end{aligned} $$

(1)

$$ \begin{aligned} y & = G_{2} ({\text{promotion:}}\;{\text{implementation}}) \\ & \quad - G_{2} ({\text{promotion:}}\,{\text{non - implementation}}) \\ & = - Y_{d} - C_{a} + P_{2} (Y_{2} + V), \\ \end{aligned} $$

(2)

respectively.

From expressions (1) and (2),

$$ y = x - C_{a} + P_{2} V. $$

(3)

Based on the x and y values, five types of the game exist. Figure 1 shows x, y, and the five games.

Fig. 1.

Five games between the IT security promotion section and the employee. (Source: IPSJ Journal, vol. 53, no. 9, p. 2163).

• (1) Regular implementation game (x ≥ 0, y ≥ 0)

In this case, the Nash equilibrium and the Pareto optimum are {promotion: implementation}. Regardless of the strategy of the promotion section, the dominant strategy of the employee is “implementation”. With or without the promotion of the promotion section, the employee always carries out a security measure. This game is therefore the most desirable state for implementing security measures.

• (2) Promotion-implementation game ( x < 0, y ≥ 0)

The Nash equilibrium and the Pareto optimum are {promotion: implementation}. The dominant strategy of the employee is “implementation” when the strategy of the promotion section is “promotion” and “non-implementation” when the strategy of the promotion section is “non-promotion”. With the promotion of the promotion section, the employee carries out a security measure. This game is therefore a desirable state for implementing security measures.

• (3) Promotion-non-implementation dilemma game ( x ≥ 0, y < 0)

The Nash equilibrium is {promotion: non implementation}, and this combination of the strategy is not the Pareto optimum. This game is in a dilemma state. The dominant strategy of the employee is “implementation” when the strategy of the promotion section is “non-promotion” and “non-implementation” when the strategy of the promotion section is “promotion”. That is to say, the dominant strategy of the employee is to always take the opposite action to the strategy of the promotion section. This game is therefore the most undesirable state for implementing security measures.

• (4) Regular non-implementation dilemma game (− P ₂ V ≤ x < 0, y < 0)

The Nash equilibrium is {promotion: non-implementation}, and it is not the Pareto optimum. This game is in a dilemma state. All strategies except {promotion: non-implementation} are the Pareto optimum. Regardless of the strategy of the promotion section, the dominant strategy of the employee is “non-implementation”. With or without the promotion of the promotion section, the employee does not ever carry out a security measure. This game is therefore in an undesirable state for implementing security measures.

• (5) Regular non-implementation game ( x < 0, x < − P ₂ V, y < 0)

The Nash equilibrium is {promotion: non-implementation}. All strategies are the Pareto optimums. Regardless of the strategy of the promotion section, the dominant strategy of the employee is “non-implementation”. With or without the promotion of the promotion section, the employee always does not carry out security measure. This game is therefore in an undesirable state in which to implement security measures.

3 Analysis of Actual IT Security Incident

3.1 Analysis Method

The model described in Sect. 2 was applied to an actual IT security incident. To enable the same standard to be used in comparing and analyzing the model parameters, the parameter values are considered in monetary terms.

3.2 Actual IT Security Incident

The proposed model was applied to an actual IT security incident that happened with a PC used by teachers at a school [5]. In this case, the PC was set so that its password had to be changed every week by the manager of the system, who belonged to the security promotion section. However, one of the teachers wrote down the password, and stored it in his desk drawer because he was not able to remember it. Some students found the password and, consequently, information stored in the PC was leaked out. It was therefore necessary to re-examine the achievement test in place. The teacher remembered the password at first, but when he forgot it, he asked the IT security promotion section to cancel it and reissue a new password, which he then wrote down and saved.

In this case, the security measure implemented by the promotion section was “change the password every week”. That is to say, the strategy of the IT security promotion section was “change the password every week” or “do not change the password every week”. When the promotion section chooses the strategy “do not change the password every week,” changing the password is left to the judgment of the employee (in this example, a teacher).

When the promotion section chooses a strategy of “changing,” the system forces the employee to change the password every week. The strategy of most employees is therefore to either “remember the password (or do not write it down)” or “do not remember the password (and write it down)”.

The payoff for an employee regarding security measures is examined as follows.

• (1) The cost per time of the employee

According to a survey by the Ministry of Internal Affairs and Communications, the (monthly basis) average salary of a high-school education job teacher is 430,111 yen [9]. On the basis of this value, cost per time is calculated as the employee works for 20 days in a month for 8 h a day. The cost per time of the employee is 2,688 yen.

• (2) The loss of duties of employee when carrying out the security measure

The time necessary for an employee to make a password and memorize it is equivalent to Y _d , that is, the loss of duties that the employee cannot perform owing to time taken carrying out the security measure and to a decline in his or her efficiency. It is thought that this work is completed in several minutes, including the work to make a so-called “good password” and memorize it. In this case, that time is estimated to be 3 min. In terms of cost per time, this time is equivalent to 134.4 yen.

• (3) The cost that an employee expends when carrying out the security measure

When the security promotion section chooses the strategy “change the password every week,” it is necessary for the employee to make a new password and memorize it 51 times a year (in addition to setting the first password). For the employee, this work for 51 times a year is given as cost Ca. From the cost per time, this work is calculated as 6,854 yen in monetary terms.

• (4) The quantity of losses that employee incurs when an incident occurs

On the other hand, a security incident and a business loss occur with a certain probability when a promotion section does not order a password change every week and when the employee does not perform it. In this case, a leak really occurred, and the achievement test was necessary. Therefore, trouble such as re-making, re-enforcement, and re-marking the achievement test incurs loss Y₂, that is, the quantity of losses an employee incurs when an incident occurs. In this case, it is estimated that the quantity of losses takes two days. From the cost per time, this is calculated as 43,008 yen.

• (5) Penalty

In addition, when an employee takes a strategy to write down a password on paper, even though that employee was instructed to change the password every week by the promotion section, without obeying the instructions, the work involved is only writing a random character string on paper; it hardly incurs a necessary cost at all. However, a penalty is imposed on the employee when a security incident thereby occurs.

According to an investigation performed for a personnel manager of a private enterprise, when an employee did not have malice, the most common penalty was a reprimand (submit an apology) issued to the employee in question [6].

When an employee writes down a password on paper, and it becomes a case security incident, it is therefore assumed that penalty V is to write a written apology and apologize to the person concerned within half a day. From the cost per time, V is calculated as 10,752 yen.

• (6) The probability that the employee recognizes the incident

We considered a rate of the number of information leakages reported in an investigation to be the probability of the incident that the employee recognized. This investigation was carried out for 206 randomly selected elementary schools, junior high schools, and high schools throughout the country [7]. A total of 99 answers to the questionnaire were received (48 % of recoveries) from 105 schools. According to this, the investigation revealed that eight schools had information leakage problems. Because there were 105 schools, probability P₂ (that an employee of the school recognizes the incident) is 7.62 %. Table 2 lists the values of the employee parameters for this case.

Table 2. Employee parameters. (Source: IPSJ Journal, vol. 53, no. 9, p. 2165)

The x and y values are calculated from these parameter values. From an expression (1) and an expression (3), the x and y values are calculated as 3142.8 and −2891.9. Because x ≥ 0 and y < 0, the state of this actual IT security incident is “(3) Promotion-non-implementation dilemma game” (Fig. 2).

Fig. 2.

State of actual incident. (Source: IPSJ Journal, vol. 53, no. 9, p. 2165)

In this incident, the teacher remembered the password at first but forgot it later. This case shows that if the promotion section had not required a password change, the teacher would probably have remembered it and not written it down. That is to say, it is understood that a “(3) Promotion-non-implementation dilemma game” occurs in this case. It was estimated that the employee considered probability P₂ of a security incident as from 0.31 % to 13 %.

Figure 3 shows a game position that was calculated by changing the value of P₂ every 1 %. If the value becomes big, the game position moves towards the direction of the “(1) Regular implementation game” domain.

Fig. 3.

Value of P₂ and state of the incident. (Created based on: IPSJ Journal, vol. 53, no. 9, p. 2165)

4 Examination on Improving IT Security Implementation in an Organization

We examined a number of methods to improve security. We changed parameter values where appropriate and analyzed game states by calculating the values of x and y at that time.

4.1 Extending Password Change Period

In the actual IT security incident, the PC had been set so that the password had to be changed by the system manager every week. We examined the measure of extending the password change period to once a month.¹ This means eleven changes (the first one made in the second month) per year are necessary, and the corresponding cost (C _a ) incurred by the employee decreases to 1,478 yen. Table 3 lists the employee parameter values obtained in implementing this measure.

Table 3. Employee parameter values (C_a is improved) (Source: IPSJ Journal, vol. 53, no. 9, p. 2166).

The calculated x and y values are respectively 3142.8 and 2484.1. Figure 4 shows the position of this game, which is a “(1) Regular implementation game”. Since the original game state was a “(3) Promotion-non-implementation dilemma game”, this means extending the password change period is a desirable security measure.

Fig. 4.

Decrease in Ca obtained by extending password change period. (Created based on: IPSJ Journal, vol. 53, no. 9, p. 2166).

4.2 Increasing Penalty

The measure of increasing penalty V was investigated next. A representative penalty is a salary reduction (that is, a disciplinary measure). Article 91 of the Japanese Labor Standards Law stipulates that the amount of salary reduction must not exceed half the average wage for a day. It also stipulates that the total sum of the amount of salary reduction must not exceed one tenth of the total sum of wages in one wage-payment period [8]. In cost per time terms, this penalty comes to 21, 504 yen. Table 4 lists the employee parameter values for this measure.

Table 4. Employee parameter values obtained by increasing penalty V. (Source: IPSJ Journal, vol. 53, no. 9, p. 2167)

The calculated x and y values are respectively 3142.8 and −2072.6. This is a “(3) Promotion-non-implementation dilemma game”. Figure 5 shows the game position, which is improved over the original state. However, increasing penalty V has little effect as a security measure because the game state remains a “(3) Promotion-non-implementation dilemma game”.

Fig. 5.

Change in game state obtained by increasing penalty V. (Created based on: IPSJ Journal, vol. 53, no. 9, p. 2167).

4.3 Extending Password Change Period and Using Encryption Software

Encryption software can be used to reduce security damage even if a third party illegally accesses PC files. We therefore investigated the measures of further extending the password change period and applying encryption software to PC files. The password change period was changed to half a year and the Y2 value was reduced by one-tenth by using encryption software. Table 5 lists the employee parameter values obtained in implementing these measures.

Table 5. Employeee parameter values obtained by using encryption software and extending password change period. (Source: IPSJ Journal, vol. 53, no. 9, p. 2168)

The calculated x and y values are respectively 193.3 and 878.6. Figure 6 shows the position of this game, which is a “(1) Regular implementation game”. Furthermore, the “(3) Promotion-non-implementation dilemma game” state, which was the original state and existed in implementing the aforementioned other measures, does not exist in implementing this measure. Therefore, extending the password change period and applying encryption software are very desirable as IT security measures.

Fig. 6.

Change in game state obtained by using encryption software and extending password change period. (Created based on: IPSJ Journal, vol. 53, no. 9, p. 2168).

5 Order of Security Measures

Using the game-theory-based model, we examined the order of several security measures.

5.1 Changing Organization State by Changing Parameters

We examined the case in which the state of the organization is at point P in Fig. 7.

Fig. 7.

Increase in parameters and change of state

From expressions (1)–(3), the state changes as follows when each parameter increases.

• (a) Increase Y _d. The state moves in the direction of arrow A to point Q.

• (b) Increase P _2. The state moves in the direction of arrow B to point R.

• (c) Increase y _2. The state moves in the direction of arrow B to point R.

• (d) Increase Ca. The state moves along the Y-axis in the direction of arrow C to point S.

• (e) Increase V. The state moves along the Y-axis in the direction of arrow D to point T.

5.2 Promotion Order of Two Security Measures

Here we assume that there are two security measures, 1 and 2. Measure 1 is effective in reducing the value of Y _d and measure 2 is effective in reducing the value of Ca. As shown in Fig. 8, we assume that the organization is at point P in “(4) Regular non-implementation dilemma game”.

Fig. 8.

Order of promoting two security measures

Let us examine the order of promoting these two security measures.

• (a) Measure 1 is promoted first

Because measure 1 makes the value of Y _d small, the state moves from point P to point Q in the direction of arrow A. Since point Q is in “(3) Promotion-non-implementation dilemma game,” this state is undesirable.

• (b) Measure 2 is promoted first

Because measure 2 makes the value of Ca small, the state moves from point P to point R in the direction of arrow B. Since point R is in “(2) Promotion-implementation game,” this state is desirable.

The state moves from point R to point S along the direction of arrow C if we promote security measure 1 in this state. Since point S is in “(1) Regular implementation game,” this state is most desirable.

Thus, even when the same combination of security measures is applied, the result becomes undesirable or desirable depending on the order in which they are promoted. In other words, our model makes it possible to determine the appropriate order of promoting security measures.

6 Summary

We applied the IT security implementation model of an organization to an actual security incident, calculated the model parameters, and clarified in which state of the model the incident is. We also used the model to examine the effects obtained in implementing a number of security measures by using this model. The results clarified the security measures that were the most effective.

We conclude from the results that this model has the potential to be a useful means for promoting security measures in an organization.

7 Limitations and Future Work

In this study, we made a number of assumptions when we calculated the model parameters. In future, it will be necessary to determine more accurate model parameters by giving questionnaires to general employees and performing several types of experiments.