Intended Actions: Risk Is Conflicting Incentives

  • Lisa Rajbhandari
  • Einar Snekkenes
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7483)


Most methods for risk analysis take the view that risk is a combination of consequence and likelihood. Often, this is translated to an expert elicitation activity where likelihood is interpreted as (qualitative/ subjective) probabilities or rates. However, for cases where there is little data to validate probability or rate claims, this approach breaks down. In our Conflicting Incentives Risk Analysis (CIRA) method, we model risks in terms of conflicting incentives where risk analyst subjective probabilities are traded for stakeholder perceived incentives. The objective of CIRA is to provide an approach in which the input parameters can be audited more easily. The main contribution of this paper is to show how ideas from game theory, economics, psychology, and decision theory can be combined to yield a risk analysis process. In CIRA, risk magnitude is related to the magnitude of changes to perceived utility caused by potential state changes. This setting can be modeled by a one shot game where we investigate the degree of desirability the players perceive potential changes to have.


Game theory Risk analysis risk conflicting incentives intended actions 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    ISO: ISO/IEC 27005 Information technology -Security techniques-Information security risk management, 1st edn. (2008)Google Scholar
  2. 2.
    Stoneburner, G., Goguen, A., Feringa, A.: NIST SP 800-30, Risk Management Guide for Information Technology. NIST (2002)Google Scholar
  3. 3.
    IT Governance Institute: COBIT 4.1, ISA (2007)Google Scholar
  4. 4.
    Braber, F., Hogganvik, I., Lund, M.S., Stølen, K., Vraalsen, F.: Model-based security analysis in seven steps — a guided tour to the CORAS method. BT Technology Journal 25(1), 101–117 (2007)CrossRefGoogle Scholar
  5. 5.
    Bier, V.M.: Challenges to the acceptance of probabilistic risk analysis. Risk Analysis 19, 703–710 (1999)Google Scholar
  6. 6.
    Tversky, A., Kahneman, D.: Judgment under uncertainty: Heuristics and biases. Science 185(4157), 1124–1131 (1974)CrossRefGoogle Scholar
  7. 7.
    Shanteau, J., Stewart, T.R.: Why study expert decision making? some historical perspectives and comments. Organizational Behavior and Human Decision Processes 53(2), 95–106 (1992)CrossRefGoogle Scholar
  8. 8.
    Taleb, N.N.: The Black Swan: The Impact of the Highly Improbable, 2nd edn. Random House Trade Paperbacks (2010)Google Scholar
  9. 9.
    Clemen, R.T.: Making Hard Decision: An Introduction to Decision Analysis, 2nd edn. Duxbury (1996)Google Scholar
  10. 10.
    Wallenius, J., Dyer, J.S., Fishburn, P.C., Steuer, R.E., Zionts, S., Deb, K.: Multiple criteria decision making, multiattribute utility theory: Recent accomplishments and what lies ahead. Management Science 54(7), 1336–1349 (2008); INFORMSzbMATHCrossRefGoogle Scholar
  11. 11.
    Dodgson, J.S., Spackman, M., Pearman, A., Phillips, L.D.: Multi-criteria analysis: a manual. Department for Communities and Local Government, London (2009) ISBN 9781409810230Google Scholar
  12. 12.
    Slovic, P., Finucane, M., Peters, E., MacGregor, D.G.: Risk as analysis and risk as feelings: Some thoughts about affect, reason, risk, and rationality. Risk Analysis 24(2), 311–322 (2004)CrossRefGoogle Scholar
  13. 13.
    Loewenstein, G.F., Weber, E.U., Hsee, C.K., Welch, N.: Risk as feelings. Psychological Bulletin 127(2), 267–286 (2001)CrossRefGoogle Scholar
  14. 14.
    ASME Innovative Technologies Institute, LLC: Risk Analysis and Management for Critical Asset Protection (RAMCAP): The Framework, Version 2.0 (2006)Google Scholar
  15. 15.
    Cox, J.L.: Some limitations of “Risk = Threat x Vulnerability x Consequence” for risk analysis of terrorist attacks. Risk Analysis 28(6), 1749–1761 (2008)CrossRefGoogle Scholar
  16. 16.
    Hausken, K.: Probabilistic risk analysis and game theory. Risk Analysis 22(1), 17–27 (2002)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Cox Jr., L.A.T.: Game theory and risk analysis. Risk Analysis 29(8), 1062–1068 (2009)CrossRefGoogle Scholar
  18. 18.
    Bier, V.M., Cox Jr., L.A.T., Azaiez, M.N.: Why both game theory and reliability theory are important in defending infrastructure against intelligent attacks. In: Game Theoretic Risk Analysis of Security Threats. International Series in Operations Research & Management Science, vol. 128, pp. 1–11. Springer US (2009)Google Scholar
  19. 19.
    Carin, L., Cybenko, G., Hughes, J.: Cybersecurity strategies: The QuERIES methodology. Computer 41, 20–26 (2008)CrossRefGoogle Scholar
  20. 20.
    Banks, D., Anderson, S.: Combining game theory and risk analysis in counterterrorism: A smallpox example. In: Wilson, A., Wilson, G., Olwell, D. (eds.) Statistical Methods in Counterterrorism, pp. 9–22. Springer, New York (2006)CrossRefGoogle Scholar
  21. 21.
    Bier, V.: Game-theoretic and relaibility methods in counterterrorism and security. In: Wilson, A., Wilson, G., Olwell, D. (eds.) Statistical Methods in Counterterrorism, pp. 23–40. Springer, New York (2006)CrossRefGoogle Scholar
  22. 22.
    Fricker Jr., R.D.: Game theory in an age of terrorism: How can statisticians contribute? In: Wilson, A., Wilson, G., Olwell, D. (eds.) Statistical Methods in Counterterrorism, pp. 3–7. Springer, New York (2006)CrossRefGoogle Scholar
  23. 23.
    Rajbhandari, L., Snekkenes, E.A.: Mapping between Classical Risk Management and Game Theoretical Approaches. In: De Decker, B., Lapon, J., Naessens, V., Uhl, A. (eds.) CMS 2011. LNCS, vol. 7025, pp. 147–154. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  24. 24.
    Liu, P., Zang, W.: Incentive-based modeling and inference of attacker intent, objectives, and strategies. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS 2003, pp. 179–189. ACM, New York (2003)CrossRefGoogle Scholar
  25. 25.
    Anderson, R., Moore, T.: Information Security Economics – and Beyond. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 68–91. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  26. 26.
    Kristandl, G., Bontis, N.: Constructing a definition for intangibles using the resource based view of the firm. Management Decision 45(9), 1510–1524 (2007)CrossRefGoogle Scholar
  27. 27.
    Mullainathan, S., Thaler, R.H.: Behavioral economics. NBER Working Paper 7948 (2000)Google Scholar
  28. 28.
    Camerer, C.F., Lowenstein, G.: Behavioral economics: Past, present, future. In: Camerer, C.F., Loewenstein, G., Rabin, M. (eds.) Advances in Behavioral Economics, pp. 3–51. Princeton University Press (2004)Google Scholar
  29. 29.
    Sent, E.M.: Behavioral economics: How psychology made its (limited) way back into economics. History of Political Economy 36(4), 735–760 (2004)CrossRefGoogle Scholar
  30. 30.
    Hayes, B.: Computing science: A lucid interval. American Scientist 91(6), 484–488 (2003)Google Scholar
  31. 31.
    Fornell, C., Johnson, M.D., Anderson, E.W., Cha, J., Bryant, B.E.: The American Customer Satisfaction Index: Nature, purpose, and findings. Journal of Marketing 60(4), 7–18 (1996)CrossRefGoogle Scholar
  32. 32.
    Money, K., Hillenbrand, C.: Using reputation measurement to create value: An analysis and integration of existing measures. Journal of General Management 32(1) (2006)Google Scholar
  33. 33.
    Ajzen, I.: The theory of planned behaviour. Organizational Behaviour and Human Decision Processes 50, 179–211 (1991)CrossRefGoogle Scholar
  34. 34.
    Goldin, J.: Making decisions about the future: the discounted-utility model. Mind Matters: The Wesleyan Journal of Psychology 2, 49–56 (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Lisa Rajbhandari
    • 1
  • Einar Snekkenes
    • 1
  1. 1.Norwegian Information Security LaboratoryGjøvik University CollegeNorway

Personalised recommendations