
Mitigating Inadvertent Insider Threats with Incentives

  • Conference paper
Financial Cryptography and Data Security (FC 2009)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5628)

Abstract

Inadvertent insiders are trusted insiders who do not have malicious intent (as malicious insiders do) but do not responsibly manage security. The result is often that a malicious outsider is enabled to use the privileges of the inattentive insider to implement an insider attack. This risk is as old as the conversion of a weak user password into root access, but the term inadvertent insider was recently coined to identify the link between the behavior and the vulnerability. In this paper, we propose to mitigate this threat using a novel risk budget mechanism that offers incentives to an insider to behave according to the risk posture set by the organization. We propose assigning an insider a risk budget, which is a specific allocation of risk points, allowing employees to take a finite number of risk-seeking choices. In this way, the employee can complete her tasks without subverting the security system, as happens with absolute prohibitions. In the end, the organization penalizes the insider if she fails to accomplish her task within the budget and rewards her in the presence of a surplus. Most importantly, the risk budget requires that the user make conscious, visible choices to take electronic risks. We describe the theory behind the system, including specific work on the insider threats. We evaluated this approach using human-subject experiments, which demonstrate the effectiveness of our risk budget mechanism. We also present a game theoretic analysis of the mechanism.
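As an added illustration (not the paper's own code or the mechanism used in its experiments), the following Python model captures the risk-budget idea described in the abstract: a fixed allocation of risk points, risk-seeking actions that must be consciously acknowledged and are logged, refusal once the budget is exhausted, and an end-of-period settlement that rewards a surplus and penalizes an unfinished task. The point costs, the reward rate and the failure penalty are constructed assumptions.

```python
from dataclasses import dataclass, field

class RiskBudgetExceeded(Exception):
    """A request would push the period's risk spend past the budget."""

@dataclass
class RiskBudget:
    """Per-employee risk budget for one period (hypothetical model, not the paper's code)."""
    budget: int                  # risk points allocated by the organization
    reward_per_point: int = 1    # assumed reward for each unspent point
    failure_penalty: int = 10    # assumed penalty when the task is not finished within budget
    spent: int = 0
    ledger: list = field(default_factory=list)  # visible record of every risk choice

    def remaining(self) -> int:
        return self.budget - self.spent

    def take_risk(self, action: str, cost: int, acknowledged: bool) -> int:
        """Spend `cost` points on a risk-seeking action and return the balance.
        The risk must be acknowledged (a conscious, visible choice); unacknowledged
        or over-budget requests are logged and refused without deducting points."""
        if not acknowledged:
            self.ledger.append((action, cost, "refused: not acknowledged"))
            raise ValueError(f"{action!r} requires an explicit risk acknowledgement")
        if cost > self.remaining():
            self.ledger.append((action, cost, "refused: budget exhausted"))
            raise RiskBudgetExceeded(f"{action!r} costs {cost}, only {self.remaining()} left")
        self.spent += cost
        self.ledger.append((action, cost, "accepted"))
        return self.remaining()

    def settle(self, task_completed: bool) -> int:
        """End-of-period outcome: penalty for an unfinished task, reward for surplus."""
        return self.reward_per_point * self.remaining() if task_completed else -self.failure_penalty

def run_period() -> dict:
    """Constructed walk-through: a 10-point budget and four requests in one period."""
    rb, out = RiskBudget(budget=10), {}
    try:  # no acknowledgement: refused, nothing spent
        rb.take_risk("open attachment from unknown sender", 4, acknowledged=False)
    except ValueError:
        out["unacknowledged"] = "refused"
    rb.take_risk("open attachment from unknown sender", 4, acknowledged=True)  # 6 left
    rb.take_risk("install unvetted browser extension", 3, acknowledged=True)   # 3 left
    try:  # would overrun the budget: refused, a safer path must be chosen
        rb.take_risk("disable endpoint protection for installer", 5, acknowledged=True)
    except RiskBudgetExceeded:
        out["over_budget"] = "refused"
    out["remaining"], out["settlement"] = rb.remaining(), rb.settle(task_completed=True)
    return out
```

The ledger is the point of the mechanism from a monitoring standpoint: every accepted or refused request is recorded, so the organization can see which risks an employee chose to take rather than discovering them only after an incident.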




© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Liu, D., Wang, X., Camp, L.J. (2009). Mitigating Inadvertent Insider Threats with Incentives. In: Dingledine, R., Golle, P. (eds) Financial Cryptography and Data Security. FC 2009. Lecture Notes in Computer Science, vol 5628. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03549-4_1


  • DOI: https://doi.org/10.1007/978-3-642-03549-4_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-03548-7

  • Online ISBN: 978-3-642-03549-4

  • eBook Packages: Computer Science (R0)
