1 Introduction
Information systems are often armed with an alerting capability to detect and notify about potential risks incurred during daily use. This entails the logging of access events, which can be compared to various rules, each of which defines a semantic type of potentially malicious situation. In mission critical systems, the access requests of authenticated users are often granted, so that notification about potential misuse is provided to administrators who perform retrospective audit investigations [Kuna et al.2014, Blocki et al.2012]. For instance, many healthcare organizations (HCOs) rely on both alert mechanisms and auditing for monitoring anomalous accesses to electronic medical records (EMRs) by their employees who may breach the privacy of patients [Hedda et al.2017]. Similarly, the providers of online services, such as banks and social media applications, often use alerts and audits to defend against attacks, such as financial fraud and compromises to computational resources. Though audits do not directly prevent attacks in their own right, they allow for the discovery of breaches that can be followed up on before they escalate to full blown exploits by attackers.
However, there are various challenges to instituting robust auditing schemes in practice. First, the volume of triggered alerts is typically far greater than the auditing capacity of an organization [Laszka et al.2017]. Second, in practice, the majority of triggered alerts correspond to false positives, which stem from an organization’s inability to define and recognize complex dynamic workflows. Third, attackers can act strategically, such that they can carefully choose the way (or target) to attack. And last, but not least, in the retrospective audit setting, attacks are not discovered until they are investigated.
The Stackelberg security game (SSG) is a natural choice for modeling such resource allocation problems in adversarial environments [Tambe2011, Fang et al.2016, Do et al.2017, Sinha et al.2018]. Here, the defender first commits to a budget allocation policy and, subsequently, the attacker responds with the optimal attack based on the defender’s strategy. The audit game is a variation of the SSG aiming to generate an efficient audit strategy [Blocki et al.2013, Blocki et al.2015, Yan et al.2018]. For strategic auditing, most research has focused on solving or approximating the Strong Stackelberg Equilibrium (SSE) to obtain the defense strategy.
Unfortunately, it was recently shown that merely applying the SSE strategy may have limited efficacy in some security settings [Xu et al.2015]. This situation may be remedied through strategic information revelation to the attacker [Xu et al.2015, Rabinovich et al.2015], a mechanism referred to as signaling (a.k.a., persuasion [Kamenica and Gentzkow2011, Dughmi and Xu2016]). The idea is to set up a signaling scheme to reveal noisy information to the attacker and thus influence the attacker’s decision towards outcomes that favor the defender. However, all previous approaches rely on the game procedure that resources are allocated before signaling and thus can serve as a source of informational advantages for signaling. Yet, in our audit setting, the decision sequence is reversed: the signal is revealed (e.g., via a warning screen) at the time of access, whereas the audit occurs after a certain period. This poses new challenges for the design of signaling.
It should be emphasized that some organizations have recognized the potential efficacy of signaling mechanisms for protecting sensitive data. For example, [BlindedforReviewPurpose], a large academic medical center, announced in 2018 a new policy to protect the privacy of patients with a “Person of Interest” designation, such as celebrities and public figures. In this policy, access to the EMRs of these individuals triggers a popup warning requesting a justification for the access. Upon seeing the warning, one can decide whether to proceed to the access or not, and each access is logged for potential auditing. However, this policy is currently implemented in a post hoc manner, without carefully optimizing the signaling and auditing.
In this paper, we propose the Signaling Audit Game (SAG), which applies signaling to alert auditing. We leverage the time gap between the access request by the attacker and the actual execution of the attack to insert the signaling mechanism. When an alert is triggered by a suspicious access request, the system can send in real time a warning to the requestor. At this point, the attacker has an opportunity to reevaluate his utility given the warning, and decides whether or not to continue his attack. Different from previous relevant models which are all offline, the SAG optimizes both the warning strategy and the audit decision in real time for each incoming alert. To assess the performance of the SAG, we evaluate the expected utility of the auditor on a real dataset of over 10 million EMR accesses and predefined alert types from a major academic medical center. The results demonstrate that the SAG outperforms stateoftheart game theoretic alternatives that lack signaling while inducing nominal increases in computational burden.
2 Online Signaling in Audit Games
In this section, we describe our model of SAG in the general context of information services. For illustration purpose, we use healthcare auditing as a running example setting.
2.1 Motivating Domain
To provide efficient healthcare service, healthcare organizations (HCOs) typically store and process each patient’s clinical, demographic, and financial information in an electronic medical record (EMR) system. EMR users, such as physicians and management staff, need to access patients’ EMRs when providing healthcare services. The routine workflow can be abstracted into two steps: 1) a user requests to access a patient’s record and 2) the system returns this record. Due to the complex, dynamic and timesensitive nature of healthcare, HCOs typically grant employees broad access privileges, which unfortunately creates an opportunity for malicious insiders to exploit patients’ records [Gunter et al.2011].
To deter malicious access, breach detection tools are commonly deployed to trigger alerts in real time for the administrator whenever suspicious events occur. Alerts are often marked with predefined types of potential violations which help streamline inspection.^{1}^{1}1Notable alert types include accessing the EMR of coworkers, neighbors, family members, and VIPs [Hedda et al.2017]. Subsequently, a subset of alerts are retrospectively audited at the end of each audit cycle, and the auditor determines which constitute actual policy violation.
2.2 Signaling Audit Games
Here, we formalize the Signaling Auditing Game (SAG) model. An SAG is played between an auditor (she) and an attacker (he) within a predefined audit cycle (e.g., one day). This game is sequential, with alerts arriving one at a time. For each alert, the auditor needs to make two decisions in real time: first, which signal to send (e.g., to warn the user/attacker, or not), and second, whether to audit the alert. Formally, let denote the event that alert will be audited, and denote that it is not audited. Further, denotes the event that a warning signal is sent for alert , while denotes the event that no warning is sent (this can be thought of as a “silent signal”). The warning is delivered privately through a dialog box on the requestor’s screen, saying “Your access may be investigated. Would you like to proceed?”.
are random variables whose probabilities are to be designed.
We assume that there is a finite set of alert types and, for each , all alerts of type are equivalent for our purposes (i.e., attacks triggering alerts of type all result in similar damages). The auditor has an auditing budget that limits the number of alerts that can be audited at the end of the cycle. For each alert type , let denote the cost (or time needed) to audit an alert of type . Thus, if is the probability of auditing alerts of type and is the number of such alerts, the budget constraint implies that .
Since the setting is online, an optimal policy for the auditor must consider all possible histories of alerts. Given that this is impractical, we consider a simpler scheme in which each alert is viewed independently of alerts that precede it, and which considers future alerts in terms of their average relative frequency. As a side effect, this considerably simplifies the model of attacks we need to consider. Specifically, we assume that each attack effectively selects an alert type , but do not need to consider the timing of attacks (we simply treat each alert as potentially adversarial). This implicitly assumes that an attack (e.g., stealing an EMR) triggers a single alert. However, this is without loss of generality, since we can define alert types which capture all realistic multialert combinations.
Now, we define the payoffs to the auditor and attacker. For convenience, we refer to the alert corresponding to an attack as the victim alert. If the auditor fails to audit a victim alert of type , the auditor and the attacker will receive utility and , respectively. On the other hand, if the auditor audits a victim alert of type , the auditor and the attacker will receive utility and , respectively. Here, the subscripts and stand for covered and uncovered, respectively. Naturally, we assume and .
A warning signaling scheme
, captured by the joint probability distribution of signaling and auditing, can be fully specified by the following four variables for each
:(1)  
Upon receiving the signal, the attacker reacts as follows:

After : the system presents two choices to the attacker: “Proceed” to access the requested record or “Quit”.

After : the attacker automatically proceeds to access the requested record (since he receives no warning).
We assume that our signaling scheme has no effect on normal behavior, so normal users always proceed. We acknowledge that this may happen, but this particular issue of usability is beyond the scope of our investigation. For convenience, when possible we omit the superscript when , i.e., the alert we are dealing with, is readily apparent from the context.
Figure 1 illustrates the temporal sequence of decisions in the SAG. Each edge in the figure is marked with the associated joint probability of a sequence of decisions up to and including that edge. Note that the two gray nodes are not extended because they do not lead to any subsequent event.^{2}^{2}2The upper gray node corresponds to the case when an access request is abandoned. The lower one represents an impossible case because the user automatically gets the requested record.
Further, observe that, , and the overall probability of auditing this alert is . Conditional on the warning signal , the probability of auditing this alert is thus .
Since the auditor has a fixed auditing budget, she will need to update the remaining budget after determining the signalconditional audit probability for the current alert. We use to denote the remaining budget before receiving alert . Let denote the type of alert and denote the next alert. After the signaling scheme for is executed, the auditor then updates for the use of the next alert as follows:

If is sampled: .

If is sampled: .
Additionally, we always ensure that . The key challenge in our model is to compute the optimal for each alert online
by accounting for remaining budget and our estimation of future alerts. This needs to be done to ensure that the auditor does not spend the budget at a rate that is excessively fast or slow.
Without signaling, our audit game can be solved offline, at the end of the audit cycle. This situation can be captured by a Stackelberg security game by viewing alerts as targets [Tambe2011]. The optimal auditing probabilities can then be determined offline by computing the SSE of this game. However, as our experiments show, this “simpler” strategy (which we refer to as offline SSE) performs substantially worse than our approach.
The SAG can be viewed as a variation on the Stackelberg game, except that it includes signaling and makes decisions about auditing online upon the arrival of each alert. Our solution concept is therefore a Strong Stackelberg equilibrium of the SAG, in which the auditor commits to a randomized joint signaling and auditing decision, the associated probability distribution is observed by the attcker, who then decides first upon the alert type to use, and subsequently whether to proceed after a warning. We will seek the optimal randomized commitment strategy for the auditor in this game.
Our SAG model exhibits two crucial differences from prior studies of signaling in security games. The first is that the signaling scheme for each alert in a SAG must be optimized one after another in real time. By contrast, previous models, such as [Xu et al.2015], decide the signaling schemes for all targets simultaneously in an offline fashion. The second is in how private information is leveraged. In previous models, the defender utilizes the informational advantage she currently has (e.g., knowledge about the realized protection status of the target) to deceive the attacker. However, in our scenario, the auditor first decides the signaling scheme, by when she has an equal amount of information as the attacker, and then implements her informational advantage after the audit cycle ends (by deciding which to audit).
3 Optimizing SAGs
In this section, we design an algorithm for solving SAGs. We will fix the alert of type ; thus the superscript will at times be omitted for notational convenience. We begin by considering the problem of computing the real time SSE of the game without signaling that transpires for a given observed alert . The solution of this game provides a crucial ingredient in computing the optimal signaling scheme, which we subsequently discuss.
3.1 Computing Marginal Auditing Probabilities
First, we need to compute the SSE of the game without signaling in which we determine the probabilities with which each alert type is to be audited, given the remaining budget.
Consider the arrival of an alert and suppose that is the remaining budget for inspecting alerts. Let be the number of future alerts of each type after alert is triggered.^{3}^{3}3The vast majority of alerts are false positives. Consequently, we can estimate from alert log data. We assume that
follows a Poisson distribution
.We can compute the SSE strategy using a multiple linear programming (LP) approach, for each possible budget
. In this approach, for each alert type , we assume that is the attacker’s best response, and then compute the optimal auditing strategy as if were the best response. Finally, we choose the best solution (in terms of the auditor’s utility) among all of the LPs as the SSE strategy.Now, let be the probability of auditing an alert of type when the attacker’s best response is . In addition to this optimal auditing policy, we will design how we plan to split the remaining budget among all alert types. This is an approximation that allows us to consider the longterm impact of our decision about auditing by assuming that the same auditing distribution will remain active for future alerts. Let the individual budgets we allocate for inspecting alerts of each type
be denoted by a vector
. Note that the longterm budget allocation decision is constrained by the remaining auditing budget: . The following LP then computes the optimal auditing strategy assuming is the best response:(2) 
The first constraint ensures that is indeed the attacker’s best response. After solving instances of LP (2), the best solution for the auditor will henceforth be referred to as the online SSE strategy (or simply, the SSE), .
3.2 Optimal Signaling
Armed with an approach for computing the online SSE, we now describe how to compute the optimal signaling scheme.
From the perspective of the attacker, whether to proceed or quit after a warning depends on his conditional expected utility:
We impose the constraint such that the attacker’s best response to is to quit, in which case both players will receive utility. We do not enforce constraints for because the potential attacker does not have any option but to proceed. In this case, the expected auditor utility is
Overall, the auditor’s expected utility for the auditor is
The optimal signaling scheme (or, more concretely, joint signaling and audit probabilities) can thus be computed via an LP:
(3)  
where is the fixed marginal auditing probability which we assume is given. The first constraint represents . We refer to the optimal solution of LP (3) as the Online Stackelberg Signaling Policy (OSSP).
LP (3) assumes that are known; however, these are endogenous to the auditor’s policy and should be designed together with the signaling scheme. Unfortunately, simultaneously designing the entire signaling scheme is challenging due to uncertainties in both signal sampling and future alerts. The following theorem shows that under mild assumptions (which are typically satisfied in our domain of interest), the marginal auditing probabilities can be computed independently. These will, in fact, be the online SSE of the SAG sans signaling.
Theorem 1.
Let be the marginal coverage probability in OSSP at any given game status and be the corresponding marginal coverage probability in the online SSE. Then, in a SAG, for each type , .
Proof.
Given any game state, the auditor has an estimate about the sets of future alerts. We prove that for any fixed set of alerts, holds for each type . As a result, in expectation over the probabilistic estimate, this still holds.
Fixing a set of alerts, the auditor’s decision is a standard Stackelberg game. We start by introducing notation for formalization. Let [] denote the attacker’s expected utility for the triggered alert of type when it is protected with probability []. Notice that [] is a strictly decreasing function of []. Let denote the attacker’s utility at the SSE and be the attacker’s utility at the OSSP. We claim that if for all , thus . Assume, for the sake of contradiction, that an alert of type with positive coverage probability is not the best response of the attacker in the SAG. Then, we can redistribute the protection resources from to the alerts of the attacker’s bestresponse type. This increases the coverage probability of these alerts and, thus, increases the auditor’s utility, which contradicts the optimality of OSSP.
Next, we prove that implies for all , thus , as desired. This is because implies (a contradiction) and implies (again, a contradiction). As a result, it must be the case that for all , and thus , as desired.
We now show that must hold true. Assume, for the sake of contradiction, that . Then for any , we must have . This is because implies that , which is a contradiction. On the other hand, for any , must be true, because implies that , which is a contradiction. As a result, it must be the case that either or for any , thus . Yet this contradicts the fact that . Similarly, can not hold true. As a result, is true. ∎
4 Theoretical Properties of SAGS
In this section, we theoretically analyze the properties of the OSSP solution (equivalently, of the SAG equilibrium). We first prove that the signaling procedure never hurts.
Theorem 2.
The expected utility of the auditor by applying the OSSP is never worse than when the online SSE is applied.
Proof.
If the attacker will complete the attack, his expected utility is .

If , then the attacker will choose to not approach any target at the beginning, regardless of if there exists a signaling mechanism. Thus, the auditor in both cases will achieve the same expected utility, which is .

If , then let and . Then, it follows that and . This solution satisfies all of the constraints in LP (3). Thus, the expected utilities of the auditor, by applying OSSP and SSE, are the same: . ∎
This begs the following question: can applying the OSSP bring strictly more benefit to the expected utility of the auditor? Our experiments lend support to an answer of YES.
Our next result shows an interesting property about the optimal signaling scheme. Interestingly, it turns out that if there is no warning sent, then the auditor will not audit the triggered alerts in their optimal strategy (i.e., ) .
Theorem 3.
In any SAG whose payoff structure satisfies for all , in its OSSP.
Proof.
First, we substitute and with and , respectively. The first constraint becomes . We set up a Cartesian coordinate system and let be the vertical axis and the horizontal one. Geometrically, the slopes of the objective function and the constraint are both positive. Note that, though we do not constrain (its slope is the same as the first constraint in LP (3)), this inequality is always true. If not the case, the attacker will not attack initially. We discuss the righthand side as follows.

. In this setting, the first constraint in LP (3) is dominated. The boundary of the dominant constraint passes the origin. The feasible region is either a right triangle or a right trapezoid with their base on the vertical axis. Thus, in both cases, if holds true (which means the slope of the objective function is greater than the boundary’s slope of the dominant constraint), then leads to the maximum of the objective function, which is 0. The OSSP, thus is .

. Thus, the first constraint in LP (3) dominates . The boundary’s intercept of the dominant constraint is . Using an analysis similar to the previous case of , only when leads to the maximum of the objective function, which is . The OSSP is ∎
Remark. In application domains, is often naturally satisfied. For the attacker, the absolute value of the penalty is often greater than the benefit from committing attacks. As for the auditor, her benefit from catching an attack is often less than the absolute value of the loss due to miss an attack.
Theorem 3 raises another question: can the attacker keep attacking until receiving no warning, in which case he can attack safely under OSSP? This approach cannot succeed because once the attacker chooses to quit, his identity is essentially revealed.^{4}^{4}4Since “Quit” is rare in practice, the auditor can easily identify illegal requests, though the auditor cannot punish the attacker yet since no evidence of attack is collected. Therefore, his “successful” attack later will only hurt him because it helps the auditor to find forensic evidence of his attack (this may require additional auditing but it is a common practice in this domain and is costeffective since such “Quit” behaviors are rare). As a result, once an attacker chooses to quit, his best response should be to not attack.
Our final theory concerns the attacker’s utility in OSSP.
Theorem 4.
The expected utility of the attacker when applying the OSSP is the same as that achieved when applying the online SSE strategy.
Proof.
In the OSSP, the expected utility for the attacker is . In the corresponding SSE strategy, his expected utility is . We divide the proof into the same two cases as shown in Theorem 3. In the first case, where , after plugging in the OSSP, we find and . Thus, the attacker will never attack. In the second case, where , we find . ∎
5 Evaluation
In this section, we evaluate the performance of the SAG on the real EMR access logs of a large academic medical center.
ID  Alert Type Description  Mean  Std 

1  Same Last Name  196.57  17.30 
2  Department Coworker  29.02  5.56 
3  Neighbor ( 0.5 miles)  140.46  23.23 
4  Same Address  10.84  3.73 
5  Last Name; Neighbor ( 0.5 miles)  25.43  4.51 
6  Last Name; Same Address  15.14  4.10 
7  Last Name; Same Address; Neighbor ( 0.5 miles)  43.27  6.45 
Dataset. The dataset consists of EMR access logs for 56 continuous working days in 2017. The total number of unique accesses Date, Employee, Patient is around . We focus on the following alerts types: employee and patient: 1) share the same last name, 2) work in the same department, 3) share the same residential address, and 4) are neighbors within a distance less than miles. When an access triggers multiple types of alerts, their combination is regarded as a new type. Table 1 lists the set of predefined alert types. For each, we provide an instance of the payoff structure in Table 2. Its magnitude is based on the input of a domain expert.
Type ID  1  2  3  4  5  6  7 

100  150  150  300  400  600  700  
400  500  600  800  1000  1500  2000  
2000  2250  2500  2500  3000  5000  6000  
400  400  450  600  650  700  800 
Performance. The audit cycle is defined to be one single day from 0:00:00 to 23:59:59. From the dataset, we construct groups, each of which contains the alert logs of continuous days as the historical data, and the alert logs of the subsequent day as the day for testing purpose. We set up a real time environment for evaluation for two situations: 1) a single type (simplified case) and 2) multiple alert types (general case). In both cases, we set the audit cost per alert in all types to . We compare the real time auditor’s expected utility for each triggered alert between the OSSP (the optimal objective value of LP (3)) and both the offline and online SSE (the optimal objective value of LP (2)).
Due to space limitations, we only show the results of the first testing days in Figures 2(a)2(d) and Figures 3(a)3(d), all of which yield similar trends.^{5}^{5}5The dashed lines linking nodes are for reading convenience only. As can be seen, the majority of alerts were triggered between 8:00 AM and 5:00 PM, which generally corresponds to changes in worker shifts. After this period, the rate of alerts slows down considerably. Imagine, for instance, an attacker who only attacks at the very end of an audit cycle. The knowledge from historical data is likely to indicate that no alerts will be realized in the future. Then, such attacks will not be covered because the available budget will have been exhausted. To mitigate this problem, when the mean of arrivals in the historical data drops under a certain threshold (which is in both cases), we apply the estimation of the number of future alerts in the time point when the last alert was triggered. We call this technique knowledge rollback. By doing so, the budget consumption in real time is more steady, such that the late attacker is not afforded an obvious extra benefit. We apply this trick in computing both online SSE and OSSP.
A. Single Type. For illustration, we consider the case where the only alert type is Same Last Name. We set the total auditing budget to . The line for offline SSE is flat because, in this method, the auditor’s expected utility is the same for each alert regardless of when it is triggered. There are several notable findings and implications from Figure 2. First, in terms of the expected utility of the auditor, OSSP outperforms offline SSE and online SSE, which suggests that the SAG increases auditing effectiveness. Second, at the end of each testing day, the auditor’s expected utility for each approach does not drop. We believe that this is an artifact of the knowledge rollback.
B. Multiple Types. Next, we considered all alert types in Table 1. We set the total auditing budget to . In the real data, the type of each alert may not be aligned with the SSE strategy. Thus, to compare the approaches, we only apply the SAG on each alert whose type is the same as the best type. For other alerts, we simply apply the online SSE. Figures 3 illustrates the realtime expected utility of the auditor. In principle, we have similar finds as in the single type scenario. This indicates that, in the cases with multiple alert types, the SAG helps the auditor lose less. In terms of the ending patterns, the expected auditor loss comes to . Thus, attacks can be deterred.
In addition, we tested the average running time for optimizing the SAG on a single alert across all the testing days. By testing on a laptop (OS: Mac OS; CPU: Intel i7 3.1GHz; Memory: 16GB), the average running time is around seconds. This indicates that the users are unlikely to perceive the extra processing time incorporated by optimizing the SAG.
6 Conclusions and Discussions
In this paper, we extend the advantages of signaling to the general audit setting. We showed that strategically warning the attacker through signaling in real time is a more effective defensive strategy than current game theoretic approaches that lack signaling. Our framework is generalizable to more powerful attackers because as long as the adversarial behavior can be represented by types, it will fit into our model. There are several limitations we wish to highlight as opportunities for future investigations. First, we assume a fixed payoff structure; however, in practice, there may exist many types of attacker. Thus, SAG can be generalized into Bayesian setting. Second, we focus on the one attacker setting as a pilot study of SAG, but it is necessary in the next step to investigate the situation of multiple attackers. Third, we assume that the attacker is perfectly rational. Such a strong assumption may lead to a unexpected loss in practice. Thus, a robust version of the SAG should be developed for deployment.
References
 [An et al.2011] Bo An, James Pita, Eric Shieh, Milind Tambe, Chris Kiekintveld, and Janusz Marecki. Guards and protect: Next generation applications of security games. ACM SIGecom Exchanges, 10(1):31–34, 2011.

[Blocki et al.2012]
Jeremiah Blocki, Nicolas Christin, Anupam Datta, and Arunesh Sinha.
Audit mechanisms for provable risk management and accountable data
governance.
In
International Conference on Decision and Game Theory for Security
, pages 38–59, 2012. 
[Blocki et al.2013]
Jeremiah Blocki, Nicolas Christin, Anupam Datta, Ariel D Procaccia, and Arunesh
Sinha.
Audit games.
In
Proceedings of the 22th International Joint Conference on Artificial Intelligence
, pages 41–47, 2013.  [Blocki et al.2015] Jeremiah Blocki, Nicolas Christin, Anupam Datta, Ariel D Procaccia, and Arunesh Sinha. Audit games with multiple defender resources. In Proceedings of the 29th AAAI Conference on Artificial Intelligence, volume 15, pages 791–797, 2015.
 [Do et al.2017] Cuong T Do, Nguyen H Tran, Choongseon Hong, Charles A Kamhoua, Kevin A Kwiat, Erik Blasch, Shaolei Ren, Niki Pissinou, and Sundaraja Sitharama Iyengar. Game theory for cyber security and privacy. ACM Computing Surveys (CSUR), 50(2):30, 2017.

[Dughmi and Xu2016]
Shaddin Dughmi and Haifeng Xu.
Algorithmic bayesian persuasion.
In
Proceedings of the fortyeighth annual ACM symposium on Theory of Computing
, pages 412–425, 2016.  [Dughmi et al.2016] Shaddin Dughmi, David Kempe, and Ruixin Qiang. Persuasion with limited communication. In Proceedings of the 2016 ACM Conference on Economics and Computation, pages 663–680, 2016.
 [Fang et al.2016] Fei Fang, Thanh Hong Nguyen, Rob Pickles, Wai Y Lam, Gopalasamy R Clements, Bo An, Amandeep Singh, Milind Tambe, Andrew Lemieux, et al. Deploying paws: Field optimization of the protection assistant for wildlife security. In Proceedings of the 30th AAAI Conference on Artificial Intelligence, 2016.
 [Gunter et al.2011] Carl A Gunter, David Liebovitz, and Bradley Malin. Experiencebased access management: A lifecycle framework for identity and access management systems. IEEE Security & Privacy, 9(5):48, 2011.
 [Hedda et al.2017] Monica Hedda, Bradley Malin, Chao Yan, and Daniel Fabbri. Evaluating the effectiveness of auditing rules for electronic health record systems. In AMIA Annual Symposium Proceedings, volume 2017, page 866, 2017.
 [Kamenica and Gentzkow2011] Emir Kamenica and Matthew Gentzkow. Bayesian persuasion. American Economic Review, 101(6):2590–2615, 2011.
 [Kolotilin et al.2017] Anton Kolotilin, Tymofiy Mylovanov, Andriy Zapechelnyuk, and Ming Li. Persuasion of a privately informed receiver. Econometrica, 85(6):1949–1964, 2017.
 [Kuna et al.2014] Horacio D Kuna, Ramón GarcíaMartinez, and Francisco R Villatoro. Outlier detection in audit logs for application systems. Information Systems, 44:22–33, 2014.
 [Laszka et al.2017] Aron Laszka, Yevgeniy Vorobeychik, Daniel Fabbri, Chao Yan, and Bradley Malin. A gametheoretic approach for alert prioritization. In Proceedings AAAI Workshop on Artificial Intelligence for Cyber Security, 2017.
 [Rabinovich et al.2015] Zinovi Rabinovich, Albert Xin Jiang, Manish Jain, and Haifeng Xu. Information disclosure as a means to security. In Proceedings of the 2015 International Conference on Autonomous Agents and Multiagent Systems, pages 645–653, 2015.
 [Sinha et al.2018] Arunesh Sinha, Fei Fang, Bo An, Christopher Kiekintveld, and Milind Tambe. Stackelberg security games: looking beyond a decade of success. In Proceedings of the 27th International Joint Conference on Artificial Intelligence, pages 5494–5501. AAAI Press, 2018.
 [Tambe2011] Milind Tambe. Security and game theory: algorithms, deployed systems, lessons learned. 2011.
 [Xu et al.2015] Haifeng Xu, Zinovi Rabinovich, Shaddin Dughmi, and Milind Tambe. Exploring information asymmetry in twostage security games. In Proceedings of the 29th AAAI Conference on Artificial Intelligence, pages 1057–1063, 2015.
 [Xu et al.2016] Haifeng Xu, Rupert Freeman, Vincent Conitzer, Shaddin Dughmi, and Milind Tambe. Signaling in bayesian stackelberg games. In Proceedings of the 2016 International Conference on Autonomous Agents Multiagent Systems, pages 150–158, 2016.
 [Yan et al.2018] Chao Yan, Bo Li, Yevgeniy Vorobeychik, Aron Laszka, Daniel Fabbri, and Bradley Malin. Get your workload in order: Game theoretic prioritization of database auditing. arXiv preprint arXiv:1801.07215, 2018.