ZETAR: Modeling and Computational Design of Strategic and Adaptive Compliance Policies
Abstract: Compliance management plays an important role in mitigating insider threats. Incentive design is a proactive and non-invasive approach to achieving compliance by aligning an insider's incentive with the defender's security objective, which motivates (rather than commands) an insider to act in the organization's interests. Controlling insiders' incentives for population-level compliance is challenging because they are neither precisely known nor directly controllable. To this end, we develop ZETAR, a zero-trust audit and recommendation framework, to provide a quantitative approach to model insiders' incentives and design customized recommendation policies to improve their compliance. We formulate primal and dual convex programs to compute the optimal bespoke recommendation policies. We create the theoretical underpinning for understanding trust, compliance, and satisfaction, which leads to scoring mechanisms of how compliant and persuadable an insider is. After classifying insiders as malicious, self-interested, or amenable based on their incentive misalignment levels with the defender, we establish bespoke information disclosure principles for these insiders of different incentive categories. We identify the policy separability principle and the set convexity, which enable finite-step algorithms to efficiently learn the Completely Trustworthy (CT) policy set when insiders' incentives are unknown. Finally, we present a case study to corroborate the design. Our results show that ZETAR can well adapt to insiders with different risk and compliance attitudes and significantly improve compliance. Moreover, trustworthy recommendations can provably promote cyber hygiene and insiders' satisfaction.