NotesFAQContact Us
Search Tips
ERIC Number: ED540136
Record Type: Non-Journal
Publication Date: 2011
Pages: 128
Abstractor: As Provided
Reference Count: 0
ISBN: ISBN-978-1-2670-8068-4
Incentives, Behavior, and Risk Management
Liu, Debin
ProQuest LLC, Ph.D. Dissertation, Indiana University
Insiders are one of the most serious threats to an organization's information assets. Generally speaking, there are two types of insider threats based on the insiders' intents. Malicious Insiders are individuals with varying degrees of harmful intentions. Inadvertent Insiders are individuals without malicious intent. In this dissertation, I propose several models and mechanisms to mitigate insider threats. The Game Theoretic Modeling of Malicious Insiders is built upon a stochastic game. The model captures other key properties of a practical system, particularly the administrator's uncertainty about the system state due to the insider's hidden action. The Incentive Mechanism to Mitigate the Inadvertent Insiders offers incentives to an insider to behave according to the risk posture set by the organization. The Budget-Based Access Control Mechanism is designed to control the risk caused by insiders. This mechanism provides an order of magnitude price for every access right and assigns each individual user a risk budget. I also demonstrate our model's positive influence on the users' risk behavior. Furthermore, I focus on the majority of organizations where security is not a top priority, and security compliance cannot be constantly monitored and enforced. Employees focus on completing their tasks, and their required security behavior often presents an obstacle on the shortest path to their primary goal. Desire to bypass controls and inability to comply with security requirements result in an increase of insider threat risk. Built upon the insights from the work presented in previous chapters, I propose an Incentive-Based Access Control to manage the insider threat risk. This incentive-based access control uses separate mechanisms for controlling aggregated risks and for incentivizing users to reduce unnecessary risks. It controls the aggregated risks. It encourages users to make necessary accesses, while discouraging them from taking unnecessary risks. Another benefit of this approach is avoiding accurate estimate of the risk associated with each access. I demonstrate that Nash Equilibria can be achieved in which the user's optimal strategy is performing the risk-mitigation efforts to minimize her organization's risk, and conduct human-subject studies to empirically confirm the theoretical results. [The dissertation citations contained here are published with the permission of ProQuest LLC. Further reproduction is prohibited without permission. Copies of dissertations may be obtained by Telephone (800) 1-800-521-0600. Web page:]
ProQuest LLC. 789 East Eisenhower Parkway, P.O. Box 1346, Ann Arbor, MI 48106. Tel: 800-521-0600; Web site:
Publication Type: Dissertations/Theses - Doctoral Dissertations
Education Level: N/A
Audience: N/A
Language: English
Sponsor: N/A
Authoring Institution: N/A