
A Logic for the Compliance Budget

  • Conference paper
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9996)

Abstract

Security breaches often arise as a result of users’ failure to comply with security policies. Such failures to comply may simply be innocent mistakes. However, there is evidence that, in some circumstances, users choose not to comply because they perceive that the security benefit of compliance is outweighed by the cost that is the impact of compliance on their abilities to complete their operational tasks. That is, they perceive security compliance as hindering their work. The ‘compliance budget’ is a concept in information security that describes how the users of an organization’s systems determine the extent to which they comply with the specified security policy. The purpose of this paper is to initiate a qualitative logical analysis of, and so provide reasoning tools for, this important concept in security economics for which quantitative analysis is difficult to establish. We set up a simple temporal logic of preferences, with a semantics given in terms of histories and sets of preferences, and explain how to use it to model and reason about the compliance budget. The key ingredients are preference update, to account for behavioural change in response to policy change, and an ability to handle uncertainty, to account for the lack of quantitative measures.
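The abstract describes the ingredients of the model (histories, sets of preferences, preference update on policy change, and uncertainty handled by keeping several candidate preferences) without giving the logic itself. The following is an added toy illustration of those ingredients in Python; it is not the paper's logic or the authors' code. The utility function, the `budget`/`effort`/`benefit`/`overrun` parameters, and the rule that a user acts on a most-preferred history are all assumptions made here to have something concrete to evaluate.

```python
"""Toy history-based preference model of the compliance budget.

Added illustration, not the paper's logic. Assumptions (hypothetical):
- a history is a sequence of per-task choices, COMPLY or SKIP;
- a user's preference over histories is induced by a utility;
- compliance effort up to the budget costs 1:1, effort beyond it is
  penalised `overrun` times more (the "budget exhausted" effect);
- the user acts on one of their most-preferred histories.
"""
from dataclasses import dataclass
from itertools import product

COMPLY, SKIP = "comply", "skip"


def histories(n):
    """All length-n histories: one compliance choice per operational task."""
    return [tuple(h) for h in product((COMPLY, SKIP), repeat=n)]


@dataclass(frozen=True)
class Preference:
    """One candidate preference relation, induced by a utility over histories."""
    budget: float    # effort the user is willing to spend on compliance
    effort: float    # effort each compliant task costs under the current policy
    benefit: float   # perceived security benefit per compliant task
    overrun: float = 3.0  # extra cost per unit of effort beyond the budget

    def utility(self, history):
        compliant = history.count(COMPLY)
        spent = self.effort * compliant
        over = max(0.0, spent - self.budget)
        return self.benefit * compliant - spent - self.overrun * over

    def prefers(self, h1, h2):
        """Strict preference: h1 is better than h2 for this user."""
        return self.utility(h1) > self.utility(h2)

    def best(self, n):
        """Most-preferred histories of length n (may be several, tied)."""
        hs = histories(n)
        top = max(self.utility(h) for h in hs)
        return {h for h in hs if self.utility(h) == top}


def update(pref, new_effort):
    """Preference update: a policy change alters per-task effort, and the
    user's ordering over histories is recomputed from the new cost."""
    return Preference(pref.budget, new_effort, pref.benefit, pref.overrun)


# Temporal formulas over a history, evaluated position by position.
def always(pred):
    return lambda h: all(pred(step) for step in h)


def eventually(pred):
    return lambda h: any(pred(step) for step in h)


is_comply = lambda step: step == COMPLY
is_skip = lambda step: step == SKIP


def holds(formula, pref, n):
    """A formula holds for a user if it is true on every most-preferred
    history (the user acts on one of them, we do not know which)."""
    return all(formula(h) for h in pref.best(n))


def certain(formula, prefs, n):
    """Uncertainty: `prefs` is the set of preference relations we cannot
    distinguish between. A formula is certain only if it holds under all."""
    return all(holds(formula, p, n) for p in prefs)


if __name__ == "__main__":
    base = Preference(budget=4, effort=1, benefit=2)
    print("always comply:", holds(always(is_comply), base, 6))       # False
    print("eventually skip:", holds(eventually(is_skip), base, 6))   # True
    # Policy change that halves per-task effort (e.g. fewer prompts):
    cheaper = update(base, 0.5)
    print("always comply after update:", holds(always(is_comply), cheaper, 6))  # True
    # Uncertainty about the budget: certain only if every candidate agrees.
    print(certain(eventually(is_skip), [Preference(b, 1, 2) for b in (3, 4, 5)], 6))     # True
    print(certain(eventually(is_skip), [Preference(b, 1, 2) for b in (3, 4, 5, 6)], 6))  # False
```

The point the toy makes is the one the abstract makes qualitatively: with six tasks and a budget of four units, the user's most-preferred histories all contain skipped tasks, so "eventually skip" holds and "always comply" fails; lowering per-task effort via `update` flips the ordering so full compliance becomes most preferred; and with a set of candidate budgets, a conclusion is only certain when it survives every candidate.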



Author information

Corresponding author: Guy McCusker.


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Anderson, G., McCusker, G., Pym, D. (2016). A Logic for the Compliance Budget. In: Zhu, Q., Alpcan, T., Panaousis, E., Tambe, M., Casey, W. (eds) Decision and Game Theory for Security. GameSec 2016. Lecture Notes in Computer Science, vol 9996. Springer, Cham. https://doi.org/10.1007/978-3-319-47413-7_21

  • DOI: https://doi.org/10.1007/978-3-319-47413-7_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-47412-0

  • Online ISBN: 978-3-319-47413-7
