Towards a game theoretic authorisation model
GameSec'10 Proceedings of the First international conference on Decision and game theory for security
Beyond risk-based access control: towards incentive-based access control
FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
PeerSec: towards peer production and crowdsourcing for enhanced security
HotSec'12 Proceedings of the 7th USENIX conference on Hot Topics in Security
Pools, clubs and security: designing for a party not a person
Proceedings of the 2012 workshop on New security paradigms
Inadvertent insiders are trusted insiders who do not have malicious intent (unlike malicious insiders) but do not responsibly manage security. The result is often that a malicious outsider is enabled to use the privileges of the inattentive insider to implement an insider attack. This risk is as old as the conversion of a weak user password into root access, but the term inadvertent insider was recently coined to identify the link between the behavior and the vulnerability. In this paper, we propose to mitigate this threat using a novel risk budget mechanism that offers incentives to an insider to behave according to the risk posture set by the organization. We propose assigning an insider a risk budget, which is a specific allocation of risk points, allowing employees to take a finite number of risk-seeking choices. In this way, the employee can complete her tasks without subverting the security system, as happens with absolute prohibitions. In the end, the organization penalizes the insider if she fails to accomplish her task within the budget and rewards her in the presence of a surplus. Most importantly, the risk budget requires that the user make conscious, visible choices to take electronic risks. We describe the theory behind the system, including specific work on insider threats. We evaluated this approach using human-subject experiments, which demonstrate the effectiveness of our risk budget mechanism. We also present a game theoretic analysis of the mechanism.