ZETAR: Modeling and Computational Design of Strategic and Adaptive Compliance Policies

04/05/2022
by   Linan Huang, et al.

Security compliance management plays an important role in mitigating insider threats. Incentive design is a proactive and non-invasive approach to achieving compliance by aligning an employee's incentives with the defender's security objective. Controlling insiders' incentives to elicit proper actions is challenging because those incentives are neither precisely known nor directly controllable. To this end, we develop ZETAR, a zero-trust audit and recommendation framework, which provides a quantitative approach to modeling insiders' incentives and designing customized, strategic recommendation policies that improve their compliance. We formulate primal and dual convex programs to compute the optimal bespoke recommendation policies. We create a theoretical underpinning for understanding trust and compliance, which leads to security insights including the fundamental limits of Completely Trustworthy (CT) recommendation, the principle of compliance equivalency, and strategic information disclosure. This work proposes finite-step algorithms to efficiently learn the CT policy set when employees' incentives are unknown. Finally, we present a case study to corroborate the design and illustrate a formal way to achieve compliance for insiders with different risk attitudes. Our results show that the optimal recommendation policy leads to a significant improvement in compliance for risk-averse insiders. Moreover, CT recommendation policies promote insiders' satisfaction.
