Security Risk Management Using Incentives
November/December 2011 (vol. 9 no. 6)
pp. 20-28
Debin Liu, Websense
Ninghui Li, Purdue University
XiaoFeng Wang, Indiana University
L. Jean Camp, Indiana University
The authors propose incentive-based access control (IBAC), which uses separate mechanisms for controlling aggregated risk and for incentivizing users to reduce unnecessary risk. The mechanism encourages users to make the accesses they need while discouraging them from taking unnecessary risks. To achieve this, the authors introduce a novel incentive mechanism based on contract theory. They demonstrate that Nash equilibriums can be reached in which the users' optimal strategy is to perform the risk-mitigation efforts that minimize their organization's risk; the authors' human-subject studies empirically confirm these theoretical results.

Index Terms:
Insider threat, access control, risk management, incentive engineering, human-subject experiment
Citation:
Debin Liu, Ninghui Li, XiaoFeng Wang, L. Jean Camp, "Security Risk Management Using Incentives," IEEE Security & Privacy, vol. 9, no. 6, pp. 20-28, Nov.-Dec. 2011, doi:10.1109/MSP.2011.99