Abstract
Strong security concepts and mechanisms exist, but their implementation and enforcement remain a critical concern in the security domain. Ordinary users, unaware of the implications of their actions, often attempt to bypass or relax the security mechanisms in place in exchange for increased performance or ease of use. The human in the loop thus becomes the weakest link, and this shortcoming adds a level of uncertainty that is unacceptable in highly critical information systems. Merely educating users to adopt safe security practices has limited effectiveness; a technically sound measure is needed to address the weak human factor across a broad spectrum of systems. In this paper, we present a game theoretic model to elicit user cooperation with the security mechanisms of a system. We argue for a change in design methodology in which users are persuaded to cooperate with the security mechanisms after suitable feedback. Users are offered incentives in the form of increased Quality of Service (QoS), that is, application-level and system-level performance gains. Users' motives and their actions are modeled in a game theoretic framework using the class of generalized pursuit-evasion differential games.
© 2010 Springer-Verlag Berlin Heidelberg
Sankaranarayanan, V., Upadhyaya, S., Kwiat, K. (2010). QoS-T: QoS Throttling to Elicit User Cooperation in Computer Systems. In: Kotenko, I., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2010. Lecture Notes in Computer Science, vol 6258. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14706-7_8
DOI: https://doi.org/10.1007/978-3-642-14706-7_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-14705-0
Online ISBN: 978-3-642-14706-7