
Intended Actions: Risk Is Conflicting Incentives

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7483)

Abstract

Most methods for risk analysis take the view that risk is a combination of consequence and likelihood. Often, this is translated to an expert elicitation activity where likelihood is interpreted as (qualitative/subjective) probabilities or rates. However, for cases where there is little data to validate probability or rate claims, this approach breaks down. In our Conflicting Incentives Risk Analysis (CIRA) method, we model risks in terms of conflicting incentives where risk analyst subjective probabilities are traded for stakeholder perceived incentives. The objective of CIRA is to provide an approach in which the input parameters can be audited more easily. The main contribution of this paper is to show how ideas from game theory, economics, psychology, and decision theory can be combined to yield a risk analysis process. In CIRA, risk magnitude is related to the magnitude of changes to perceived utility caused by potential state changes. This setting can be modeled by a one shot game where we investigate the degree of desirability the players perceive potential changes to have.




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Rajbhandari, L., Snekkenes, E. (2012). Intended Actions: Risk Is Conflicting Incentives. In: Gollmann, D., Freiling, F.C. (eds) Information Security. ISC 2012. Lecture Notes in Computer Science, vol 7483. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33383-5_23


  • DOI: https://doi.org/10.1007/978-3-642-33383-5_23

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33382-8

  • Online ISBN: 978-3-642-33383-5

  • eBook Packages: Computer Science, Computer Science (R0)
