Abstract
Supply chain security has become a growing concern in the security risk analysis of IoT systems. Their highly connected structures have significantly enlarged the attack surface, making it difficult to track the source of the risk posed by malicious or compromised suppliers. This chapter presents a system-scientific framework to study the accountability in IoT supply chains and provides a holistic risk analysis technologically and socio-economically. We develop stylized models and quantitative approaches to evaluate the accountability of the suppliers. Two case studies are used to illustrate accountability measures for scenarios with single and multiple agents. Finally, we present the contract design and cyber insurance as economic solutions to mitigate supply chain risks. They are incentive-compatible mechanisms that encourage truth-telling of the supplier and facilitate reliable accountability investigation for the buyer.
Access provided by Autonomous University of Puebla. Download chapter PDF
Similar content being viewed by others
4.1 Introduction
Supply chains play a critical role in the security and resilience of IoT systems and affect many users, including small- and medium-sized businesses and government agencies. An attacker can exploit vulnerabilities of a vendor in the supply chain to compromise the IoT system at the end-user. The recent SolarWinds attack is an example of an attack that has resulted in a series of data breaches at government agencies. One seller of the Microsoft Cloud services was compromised by the attacker, allowing the attacker to access the customer data of its re-sellers. Once the attacker established a foothold in SolarWind’s software publishing infrastructure after getting access to SolarWind’s Microsoft Office 365 account, he stealthily planted malware into software updates that were sent to the users, which include customers at US intelligence services, executive branch, and military.
The infamous Target data breach in 2013 is another example of supply-chain attacks. The attacker first broke into Target’s main data network through ill-protected HVAC systems. The attacker exploited the vulnerabilities in the monitoring software of the HVAC systems, which shared the same network with the data services. It led to a claimed total loss of $290 million to data breach-related fees [1, 2]. The supply-chain attacks would become increasingly pervasive in IoT systems. Consider a next-generation industrial manufacturing plant equipped with IoT devices that are supported by third-party vendors . The software and the hardware of these devices can be trojanized. As a result, the attacker disrupts the manufacturing plant, which can create a shortage of essential products (e.g., pharmaceutical products, COVID19 vaccines, and gasoline) and lead to grave repercussions in the nation’s supply chain. Illustrated in Fig. 4.1, the supply chain attacks can go through multiple stages of the supply chain from the source of the attack to the targeted users or systems.
Risk-based approaches presented in Chaps. 2 and 3 have been used to guide the procurement and design decision-making process [3,4,5,6,7]. This kind of approach offers risk measurement, rating tools, and compliance checking to identify and rank the vendors by their risk criticality. It is a useful preventive measure that provides a transparent understanding of the security posture in the products, systems, and services of the end-users and helps mitigate the risks prior to the procurement contracts and continuous product development. Cyber resilience complements this measure. It shifts the focus from prevention to recovery by creating a cyber-resilient mechanism to reconfigure the IoT system adaptively to the uncertainties of adversaries and maintain critical functions in the event of successful attacks.
Many private sectors have for years prioritized efficiency and low cost over security and resilience. In addition, they are agnostic to where these technologies are manufactured and where the associated supply chains and inputs originate. This common practice has resulted in enlarged attack surfaces and many unknown and unidentified threats in the IoT systems. A healthy ecosystem of vendors and suppliers is pivotal to secure and resilient IoT systems. One challenge is that the IoT supply chain is becoming globalized. Manufacturers and material suppliers are geographically diverse, thus increasing the uncertainties and the vulnerabilities of the end-user IoT systems. It is critical to check the compliance of the products from the global supply chain to determine whether they would increase the cyber risk of the IoT users.
One way to improve the health of the IoT supply chain is to design an IoT system with built-in security and resilience mechanisms. For example, the integration of cyber deception [8,9,10] into IoT systems provides a proactive way to detect and respond to advanced and persistent threats. Game-theoretic methods [11,12,13] and reinforcement learning techniques [14,15,16] have been used to provide a clean-slate approach to designing cyber resilient mechanisms in response to supply-chain attacks.
Apart from the technological solutions, accountability and insurance are the socio-economic ones that can be used to improve the cyber resilience of IoT end-users. Accountability, in general, is the ability to hold an entity, such as a person or organization, responsible for its actions. An accountable system can identify and punish the party or the system component that violates the policy or the contract. By creating accountable IoT supply chains, we create an ecosystem where each supplier invests in cybersecurity to reduce the cyber risks at each stage of the supply chain. A supplier would be held accountable if the failures of the end-user system are attributed to it. Accountability establishes a set of credible incentives for the suppliers and elicits desirable behaviors that mitigate the cyber risks. Accountability can be viewed as part of the cyber resilience solutions succeeding the technological solutions, especially when the technological resilience measures do not prevent the damages.
Insurance is another risk management tool [17] to protect the end-users from cyber attacks and failures by transferring their residual risk from an entity to a third party through an insurance contract. It is the last resort when an IoT system cannot be perfectly accountable; i.e., there is inadequate evidence to hold any one of the suppliers accountable, or when the defects in the user’s design lead to unanticipated consequences. The residual risks would be evaluated by an underwriter and the coverage can include the losses that arise from ransomware and data theft or incidents caused by failures of IoT devices. Figure 4.2 shows the relationships between preventive cyber measures and resilient cyber measures. The cyber-resilient mechanisms include the technological real-time resilience measures as well as accountability and insurance solutions. They constitute a holistic socio-technical solution to protect the IoT systems from supply-chain threats.
Both accountability and insurance provide an additional layer of protection that reduces the risks of IoT users. Accountability and insurance are system-level issues. We need to take a system-scientific and holistic approach to understand their role in IoT systems and supply chains, which would lead to an integrative socio-technical solution for supply chain security. This chapter provides a quantitative definition to measure and assess the accountability in the IoT supply chain that pertains to the system design, procurement contracts, as well as, vendor description. Despite the focus of the chapter on cybersecurity issues, the definition of accountability can be extended and used for general contexts of supply chain disruptions caused by natural disasters and the defects in the products.
Game theory naturally provides a framework that captures the incentives and penalties through utility functions for multiple interacting agents. It has been widely used in cybersecurity for the modeling between an attacker and defender in many scenarios, including intrusion detection systems [18,19,20,21], wireless communications [22,23,24,25,26,27], and cyber deception [8, 12, 28,29,30,31]. It has also been used to harden the security and resiliency of cyberphysical systems, including critical infrastructures [32,33,34,35,36], industrial control systems [11, 37,38,39,40,41], and IoTs [42,43,44,45,46].
One important branch of game theory is the mechanism design theory [47, 48] , which explicitly provides a quantitative approach to create a reward and penalty mechanism to elicit desirable behaviors at equilibrium. The violations from the desired behaviors would be disincentivized or punished, while the compliance with the rules would be incentivized or rewarded. In this chapter, we leverage these features of game theory to create computational accountability and insurance framework for IoT systems and their supply chain.
Accountability is a system-level issue that encompasses detection and attribution of the violations or anomalies, multi-agent interactions, asymmetric information, and feedback. Game-theoretic methods provide a baseline for a system-scientific view for accountability. We build a system scientific framework that bridges game theory, feedback system theory, detection theory, and network science to provide a holistic view toward accountability in IoT supply chains. The framework proposed here can be applied to understand accountability in general.
One extension of this chapter is to investigate the concept of collective accountability, where multiple agents are held accountable for the violations. One advantage of such accountability mechanisms is the convenience in identifying the entities to be held accountable and the implementation of the penalties. The disadvantage is that they are not targeted and entities that are not directly linked to the violation of the failures would be also punished.
4.2 Literature Review
Accountability has been studied in many different contexts in computer science [49,50,51]. Künnemann et al. in [52] have studied accountability in security protocols. Accountability is defined as the ability of a protocol to point to any party that causes failure with respect to a security property. Zou et al. in [53] have proposed a service contract model that formalizes the obligations of service participants in a legal contract using machine-interpretable languages. The formalism enables the checking of obligation fulfillment for each party during service delivery and holds the violating parties for the non-performance of the obligations. The definition of accountability in these works aligns with the definition in this chapter. An accountable system has the ability to check and verify compliance with the requirements in the agreement and identify the non-conforming behaviors and their parties.
There are several game-theoretic models that are closely related to accountability. For example, inspection games [54,55,56] are one class of games where the inspector determines a strategy to examine a set of sampled items from a producer to check whether the producers of the goods violated the standards. The producer aims to set a production strategy to minimize the detection probability while minimizing the cost of maintaining high standards. The inspection games have been used in many contexts such as patrolling, cybersecurity, and auditing. Blocki et al. in [57] have studied a class of audit games in which the defender first chooses a distribution over n targets to audit and the attacker then chooses one of the n targets to attack. It is better for the defender to audit the attacked target than an unattacked target, and it is better for the attacker to attack an unaudited target than an audited one. Rass et al. in [58, 59] have studied a multi-stage cyber inspection game between a network system defender and an advanced persistent threat (APT) attacker. The defender needs to choose an inspection strategy to detect anomalies at different layers of the networks. The attacker’s goal is to stay stealthy and find strategies to evade the detection and compromise the target.
Utility-theoretic approaches are useful to capture the incentives of the participants in an agreement and their punishment. In [51], Feigenbaum et al. have formalized the notion of punishment using a utility-theoretic, trace-based view of system executions. Violation is determined based on the traces of the participants. When there is a violation, the participant is punished. This punishment is captured through a decrease in the utility, relative to the one without the violation. This approach to punishment is often seen in the literature of mechanism design [48, 60]. The designer first announces a resource allocation rule and a payment or punishment rule. The participants in the mechanism know the rules and determine the messages that they send to the designer. An incentive-compatible mechanism is one in which the participants will truthfully reveal their private information through the message under the allocation and the punishment rules. In other words, no participants have incentives to lie about their private information under an incentive-compatible mechanism. Mechanism designs have been used in many disciplines to study pricing of resources [61,62,63], create security protocols [45, 64], recommend policies [10], and design services [17, 65]. The framework that we present in this chapter is built on the mechanism design approach. The utility-theoretic approach conveniently captures the incentives of the suppliers and their behaviors. Furthermore, the mechanism-design approach naturally creates a punishment mechanism to create incentives for truthful behaviors. This type of behavior can be generalized to compliant behaviors in supply chain agreements and contracts.
Our framework builds on this approach and bridges the accountability gap by incorporating the detection mechanism that enables the designer to detect and attribute the non-compliant behaviors. In addition, our framework distinguishes from prior works in accountability by focusing on accountability in system engineering. This problem is instrumental in the development of large-scale IoT systems, where the building blocks of the IoT systems are manufactured or designed by third parties. We integrate the critical component of engineering designs into the accountability problem for IoT systems. The system designs can contribute to accountability. A design is called transparent if it helps identify the cause of the accidents; otherwise, a design makes the accountability inconspicuous. Figure 4.3 illustrates the concept of accountability. A user can use his observed information to identify the immediate cause of accidents or malfunctions. The seller who has been identified as the cause can further identify the further cause of the event. In this way, the source of the attack can be sequentially identified stage-by-stage through a chain of accountability efforts.
4.3 Accountability Models in IoT Supply Chain
4.3.1 Running Examples
We introduce two running examples which will be used in later discussions for illustrations.
Example I: Uber Autonomous Vehicles
The Uber incident in Tempe, Arizona is another example of accountability of autonomous vehicles. A pedestrian was struck by an Uber self-driving vehicle with a human safety backup driver in the driving seat. The fatality is caused by the failure of the software system which fails to recognize the pedestrian. Sensor technologies, including radar and LiDAR, are sophisticated enough to recognize objects in the dark. Evidence has shown that the pedestrian was detected 1.3 s before the incident and the system determined that emergency braking was required but the emergency braking maneuvers were not enabled when the vehicle is under computer control. The design of the software system is accountable for the death of the pedestrian.
Example II: Ransomware Attack on Smart Homes
A smart home consists of many modern IoT devices, including lighting systems, surveillance cameras, autonomous appliance control systems, and home security systems. The components of each system are supplied by different entities. Smart home technology integrates the components and creates a functioning system that will sense the home environment, make online decisions, and control the system. The camera is accountable if the home security system does not respond to the burglary adequately due to a camera failure. There is an increasing concern about ransomware attacks. Accountability enables the homeowner to mitigate the impact of the ransomware by attributing the attack to a supplier of the IoT devices.
Illustrated in the two examples, IoT supply chain security has a significant impact on the private sector and its customers. Several technologies have been proposed to track the integrity of the supply chain to provide real-time monitoring and alerts of tampering and disruptions. They provide a tool to monitor, trace, and audit the activities of all participants in the supply chain and ensure that the contractually defined Service Level Agreements (SLAs) are followed. The essence of the technologies is to create transparency and situational awareness for the companies. However, the software and hardware tampering is much harder to monitor and track than the physical one. As a result, it creates information asymmetry where the buyers or the systems do not have complete information about their suppliers. As in the Target and the SolarWinds attacks, an attacker can get access to the system through a compromised third-party vendor. It would require proactive security mechanisms to detect and respond to the exploited vulnerabilities. We have seen the emerging applications of cyber deception [8, 9, 66] and moving target defense [67,68,69] in both software and hardware to reduce the information asymmetry and create proactive mechanisms for detection. They are tools that contribute to real-time resilience measures as illustrated in Fig. 4.4 and provide inputs for accountability in the next stage.
4.3.2 System Modeling
In this section, we provide a stylized model and a quantitative approach to accountability. Figure 4.4 describes three stages of interactions. At the first stage, a supplier interacts with a buyer to agree on an SLA contract. The supplier is characterized by the private information θ ∈ Θ, which is a true description of the product of the supplier. For example, the supplier is aware of the true security level and investment in the product but may not disclose the information to the buyer. The supplier sends the buyer a message m ∈ M, which is the informed description of the product. The description can prevaricate, hide, or sometimes lie about the security information that would be useful in the procurement decisions. We say that the supplier truthfully reports the product when θ = m; otherwise, we say that the supplier misinforms the buyer. This misinformation can be unintended or intentional. In the case of intentional behaviors, the supplier sends a manipulative message when he knows his true type. For example, some foreign suppliers do not fully disclose the information of their product with the aim to attract US customers due to its low cost. In the case of unintended behaviors, the supplier may not be aware of the vulnerabilities of the product and sends a description based on his perceived information. In this case, we can assume that the private information θ is a function \(\rho : \Theta \times \mathcal{W} \mapsto \Theta \) of the truth and uncertainties, i.e., θ = ρ(θt, wt), where θt ∈ Θ is the true value unobservable by the supplier and \(w_{\mathrm {t}}\in \mathcal{W}\) is the bias, modeled as a random variable, unknown to the supplier. This bias can be interpreted as the uncertainties introduced by nature or a stealthy attacker that has unknowingly changed the security attributes of the product. In both cases of unintended and intentional behaviors, it is sufficient to assume that the type known to the supplier is θ.
Based on the product description m, the buyer can make purchase decisions. Let a = 1 denote the decision of adopting the product of the vendor and a = 0 otherwise. The decision rule \(\alpha : \mathcal{M} \mapsto [0,1]\) yields the probability of purchase based on the received description, i.e. α(m) = Pr(a = 1|m). This can be interpreted as the purchase preference from historical records. If the buyer decides to adopt the product, then he determines how the product is designed and integrated into the system. Here, we assume that the user and the designer belong to the same organization and hence the procurement and design decisions are made jointly. In other words, the user and the designer can be viewed as the same decision entity who coordinates the design and procurement. In practice, the engineers design the systems and send the procurement department the specifications and requirements for the needed materials and components.
An IoT system consists of many components. We can classify the components into five major categories: sensing, computation, control, communications, and hardware. The sensing component allows the system to provide information about the environment, for example, the LiDAR and temperature sensors. The computation units provide functions and services for information processing and computations, for example, cloud services and GPUs. The control components are used to instrument and actuate the physical systems, for example, temperature adjustment and remote control. Communications provide the information and data transmission among IoT components, e.g., LoRa and ZigBee wireless communications. The hardware refers to the physical systems that underlie the IoT network, for example, the manufacturing plant and the robots.
The designer builds an IoT system using a blueprint \(\delta : \mathcal{M} \mapsto \mathcal{D}\), which yields a design \(d=\delta (m), d \in \mathcal{D}\) based on the device descriptions and specifications provided by the supplier. The system design leads to a performance \(y\in \mathcal{Y}\). For example, in Example I, the designer develops a software system that integrates sensors, control algorithms, and the car. Safety is a critical performance measure of autonomous vehicles. It can be measured by the rate of accidents experienced by vehicles as of now. Here, we model the performance as a random variable. Given α and δ, the distribution of the performance random variable is py(y;θ, α(m), δ(m)), \(p_y:\Theta \times \mathcal{M}\mapsto \Delta \mathcal{Y} \). Using Bayes’ rule, we arrive at
where pθ(⋅) ∈ Δ Θ is the prior distribution of the type of product; \(p^\theta _y(y; \alpha (m),\delta (m)| \theta )\), \(p^\theta _y:\mathcal{M}\mapsto \Delta \mathcal{Y}\), is an indication of all possible system performances given the attribute of product θ. Note that the performance implicitly depends on m. The true performance of the system is determined by the true attribute of the product and the procurement and design decisions, which are made based on m. We denote pI = py(y;θ, α(θ), δ(θ)) as the ideal system performance when the design and procurement decisions are made given a truthful supplier, i.e., m = θ.
Without knowing the true attributes of the product θ, the performance anticipated by the buyer is denoted by qy = py(y;m, α(m), δ(m)). When m ≠ θ, there is a difference between the observed performance py and the anticipated one qy. The buyer can perform hypothesis testing based on the sequence of observations y1, y2, ⋯ , by setting up H0 as the hypothesis that the observations follow the distribution qy and H1 otherwise. For example, in Example I, this decision is particularly important when yi represents malfunctions or accidents for each trial test driving. If the malfunction is not expected by the designer, then there is a need to find out which supplier is accountable for the accidents or, in the case of a single supplier, whether the supplier should be held accountable.
4.3.3 Accountability Investigation
One critical step of accountability is the ability to attribute the performance outcomes to the supplier. We start with the accountability of a single supplier with binary type Θ = {0, 1} and assume the message space is the same as type space \(\mathcal{M} = \Theta \). Consider a sequence of repeated but independent observations Yk = {y1, y2, ⋯ , yk}, \(k\in \mathbb {N}\). A binary accountability investigation is performed based on Yk. Based on the received m, hypothesis H0 is set to be the case when the observations follow the anticipated distribution qy and H1 otherwise. Depending on whether H0 or H1 holds, each observation yi admits the following distribution
The optimum Bayesian investigation rule is based on the likelihood ratio, which is denoted by
where we omit the purchase decision because the performance can only be observed when a = 1 and α(m) = Pr[a = 1|m] is the same under both hypotheses. The likelihood ratio test (LRT) provides the decision rule that H1 is established when L(Yk) exceeds a defined threshold value \(\tau _k\in \mathbb {R}\); otherwise, H0 is established. It can be formulated by the equation
One critical component in accountability investigation is the prior distribution over hypotheses, which indicates the reputation of the supplier. Without knowing the true distribution of the type, we argue that reputation is sufficient knowledge to determine the accountability of the supplier. Here, we give the definition of reputation over a binary type space, but the definition can be extended to multiple type space accordingly.
Definition 4.1 (Reputation)
The reputation of the supplier \(\pi \in \Delta \mathcal{H}\) is a prior distribution over all hypotheses. In binary case, π0 = Pr[H0] is the prior probability that the supplier truthfully report and π1 = Pr[H1] otherwise, with π0 + π1 = 1.
Assume that the cost of the investigation is symmetric and incurred only when an error occurs. In the binary case, the optimum decision rule will consequently minimize the error probability, and the threshold value τk in LRT will reduce to
Definition 4.2 (Accountability)
-
1.
Given an investigation rule, i.e., the threshold τk, the accountability PA ∈ [0, 1] is defined as the probability of correct establishment of hypothesis H1 based on the observations Yk and message m, which is given by
$$\displaystyle \begin{aligned} P_A(\tau_k)= \int_{\mathcal{Y}_1} f_m(Y^k|H_1)dy^k, \end{aligned} $$(4.7)where \(\mathcal{Y}_1\) is the observation space where \(\mathcal{Y}_1 = \{Y^k: L(Y^k)\geq \tau _k\}\).
-
2.
The wronged accountability PU ∈ [0, 1] is defined as the probability of a false alarm that H1 is established while the underlying truth is H0. Consider the threshold τk and observations Yk, PU is given by
$$\displaystyle \begin{aligned} P_U(\tau_k)= \int_{\mathcal{Y}_1} f_m(Y^k|H_0)dy^k.\end{aligned} $$(4.8)
We call a supplier η-unaccountable if PA ≤ η, for a threshold accountability η ∈ [0, 1] chosen by the investigator. In this case, the system does not have strong confidence that the observed accidents are caused by the supplier. We call a system 𝜖-nontransparent if PA ≤ 𝜖, for a given small 𝜖 ∈ [0, 1]. That is, the system is close to being unable to hold the vendor accountable for the accidents.
The performance of the accountability investigation will be evaluated in terms of PA and PU. Ideally, we would like to conduct error-free accountability testing where PA is close to one and PU is close to zero (correctly identify accountable supplier without making mistake). However, the definition above leads to a fundamental limit on the accountability of the supplier. Except for situations where the observations Yk under H0 and H1 are completely separable or the number of observations k goes to infinity, the performance of the accountability testing will be restricted within a feasible region.
Definition 4.3 (Accountability Receiver Operating Characteristic)
Accountability Receiver Operating Characteristic (AROC) is a plot which describes the relationship between achievable accountability PA and wronged accountability PU in the square [0, 1] × [0, 1].
As shown in Fig. 4.5, if we conduct LRT in accountability investigation, the AROC curve depicts the testing performance with respect to different threshold values τk. Similar to traditional binary hypothesis testing, the AROC curve under proper design preserves the following properties [70].
Property 4.1 (AROC)
AROC curve under proper design has the following properties:
-
(1)
(PU, PA) = (0, 0) and (1, 1) belong to the AROC.
-
(2)
The slope of the AROC curve dPA(τk)∕dPU(τk) is equal to the threshold τk.
-
(3)
The AROC curve is concave and the feasible domain of (PU, PA) is convex.
-
(4)
PA(τk) ≥ PU(τk), ∀τk ∈ [0, +∞).
Remark 4.1
The likelihood ratio lies in the region between zero and infinity. If we set the threshold τk in LRT to zero, investigator will classify any performance results into hypothesis H1 (misinformation). Both accountability PA and wronged accountability PU will approach to one, as (PU, PA) = (1, 1). Similarly, if we set τk in LRT to infinity, investigator will classify any performance into hypothesis H0 (truthfully report), resulting in (PU, PA) = (0, 0).
Remark 4.2
Property (3) and (4) are satisfied under the proper design; i.e., the test is “good” when PA ≥ PU. For a “bad” test when PA < PU. As the hypothesis refers to a specific context of applications, we cannot simply reverse the performance distribution as in traditional hypothesis testing. Instead, we need to re-construct the investigation and find another performance metric that can properly distinguish the misinformation between suppliers and buyers.
It is worth noting that as the threshold τk increases, the accountability of the supplier PA increases. However, according to the aforementioned properties, it would also increase wronged accountability PU when the accidents are not caused by the vendor. There is a fundamental trade-off between accountability PA and wronged accountability PU depending on the accountability investigation. One way to evaluate the investigation performance is the area under the AROC curve (AUC). AUC is a measure of investigation capability [71], which provides a simple figure of merit to represent the degree of separability between two hypotheses.
This value varies from 0.5 to 1. When AUC equals 0.5, the designed investigation has no separation capability, which means the performance of the test is no better than flipping a coin. This corresponds to the case when PA(τk) = PU(τk) for all possible threshold τk. Ideally, an excellent test will produce an AUC equal to one. In this situation, the accountability investigation can completely distinguish between two hypotheses, thus correctly identifying the supplier who should be accountable for the accidents.
Unfortunately, in realistic investigation tasks, it is hard to obtain the exact computation of AUC. Analyzing the upper and lower bounds of AUC helps the investigator describe the performance of the designed test. Shapiro in [72] provides an upper bound and lower bound on binary testing. Consider equally likely hypotheses with τ = 1, the probability of error Pe ∈ [0, 1] is defined as
Due to the convexity of the AROC curve, the bounds of the AUC can be described as
4.3.4 Model Extensions
This framework can be extended to multiple product types and multiple suppliers. Accountability needs to point to varied suppliers that cause failures under the hypothesis. In this section, we provide several testing frameworks and the definition of accountability accordingly.
4.3.4.1 Single Supplier with Multiple Types
Consider the product from the supplier with \(T\in \mathbb {N}\) possible types, Θ = {θ1, θ2, …, θT}. Based on the received message m = θm, hypotheses {H1, H2, …, HT} can be constructed by the investigator such that the performance observation y under each hypothesis Ht admits
for 1 ≤ t ≤ T. The distribution under hypothesis Ht describes the system performance if the buyer makes purchase and designs based on the message θm while the underlying true product type is θt. In this case, the only anticipated performance by the buyer follows Hm. Any other observation distribution Ht ≠ m will attribute to the accountability of the supplier. Investigation could be conducted through M-ary hypothesis testing. For a single supplier with multiple product types, we can define the accountability as follows.
Definition 4.4 (Accountability with Multiple Types)
Given a detection rule λ, received message m and observations Yk, the accountability for a single supplier with multiple product types is defined as
where \(\mathcal{Y}_t\) is the observation space we classify the observations as Ht.
If we assume that the investigation cost is symmetric and depends only on the error, it leads an MAP decision rule and the performance of the accountability testing can be evaluated through the error probability as
where E denotes the error event, and π(⋅) ∈ Δ Θ is the prior probability that Ht is true, which represents the reputation of the supplier.
4.3.4.2 Multiple Suppliers
In IoT system design with multiple suppliers, accountability testing needs to point to varied suppliers that cause failures under the hypothesis. To simplify the illustration, we consider the case where the component from each supplier may have binary types \(\theta _i\in \{0,1\},\forall i\in \mathcal{I}\). Consider the problem with N vendors in the supply chain. Each supplier \(i\in \mathcal{I} = \{1,2,\dots ,N\}\) with true product type θi will send a message \(m_i\in \mathcal{M}_i\) to the buyer to make purchase decision ai ∈{0, 1} and determine the overall design \(d\in \mathcal{D}\). The process is illustrated in Fig. 4.6. We can construct hypotheses as a vector
where each element hi is an indicator of whether supplier i truthfully reports or not, and the subscript 0 ≤ j ≤ 2N − 1 is the decimal number of the binary combination in the vector. The hypothesis vector indicates which supplier(s) should be accountable for the accident. When the performance distribution under each hypothesis is distinguishable, the investigation could be conducted through M-ary hypothesis testing. Otherwise, we can consider decentralized investigation as described in the sequel.
Consider a decentralized accountability investigation with 2N hypothesis \(H_0,..,H_{2^N-1}\) and prior reputation \(\pi (H_0),\dots , \pi (H_{2^N-1})\), respectively. Suppose that we have N suppliers providing components to the system. Each component investigator λi is inspecting the performance related to the product provided from the vendor i. In practice, we can design the independent tests for each component to determine the accountability of supplier i. We can control the other parts (j ≠ i) to be known and fixed products in test design and focus on the binary hypothesis testing with respect to component i.
Illustrated in Fig. 4.7, each component investigator receives observations yi, which is a random variable taking values in a set \(\mathcal{Y}_i\). The local investigator will conduct accountability testing through \(\lambda _i:\mathcal{Y}_i\mapsto \{0,1\}\) and output a binary decision variable hi = λi(yi), which indicates whether supplier i should be held accountable for the accident. This reduces the problem to N parallel binary hypothesis testing with each supplier, and the accountability of each supplier then will be the same as defined in Definition 4.2. The final investigator determines which hypothesis is established based on received information, λ0 : {0, 1}N →{0, 1, …, 2N − 1}. It has been shown in [73] and [74] that there exists an optimal detection rule if each testing observations are independent or conditionally correlated under each hypothesis.
4.4 Case Study 1: Autonomous Truck Platooning
In the following section, we will provide a detailed case study in autonomous truck platooning with adaptive cruise control (ACC) system. This case study illustrates the scenario where the true performance is unknown to the investigator. We will discuss the accountability of the ranging sensor supplier in the case of a collision.
4.4.1 Background
With the rapid development of autonomous vehicles, safety is one of the main priorities for manufacturers. As estimated by the World Health Organization (WHO), the number of annual road deaths with collision has reached 1.35 million worldwide [75]. The recent incident in Tempe, Arizona, has thrown a spotlight on the safety of autonomous vehicles. The Uber self-driving test car caused the death of the pedestrian because of the failure of braking control by the autonomous driving system. The investigation of accountability is crucial to determine the cause of the collision and provides insights for future car design.
In this case study, we consider the task of autonomous truck platooning with ACC system. Adaptive cruise control is a driver assistance technology that maintains a safe following distance between the vehicle and traffic ahead without any intervention by the driver. If the preceding truck is detected traveling too slowly or too close, the ACC system will react by automatically activating the brakes and mitigating potential collisions. Brake control is determined based on the relative distance, relative velocity, and the acceleration of leading and the following truck. The speed and acceleration of both vehicles can be measured by built-in speed sensors and accelerometers. Ranging sensors, including radar and LiDAR, are used for distance detection in the ACC system. The upper-level control system uses the measurements of the sensors to interpret the driving environment, and trigger appropriate brake actions to mitigate collision [76]. Thus, the detection range and precision of the ranging sensor are critical in ACC design. Defective ranging sensors could cause severe consequences and should be held accountable in case of such a collision.
4.4.2 Vehicle Dynamics Model
To illustrate the accountability of the ranging sensor in this framework, we first introduce the dynamics model of the problem. Consider the testing scenario in Fig. 4.8, where the host truck equipped with ACC system approaches the preceding vehicle. The control goal of the ACC system is to maintain the desired safe distance from the leading vehicle. The desired distance L is normally determined by Constant time gap spacing policy in ACC systems, which guarantees the individual vehicle stability and string stability [76].
where vh is the speed of the host vehicle and tgap is the constant desired time gap.
Denote xi, vi, ai as the position, velocity, and acceleration of the leading (i = l) or host (i = h) vehicle, respectively. We assume that the leading vehicle is at constant speed vl(t) = v0. The system state vector x(t) and control vector u(t) are defined as follows [77].
where Δx(t) = xl(t) − xh(t) is the current distance and Δv(t) = vl(t) − vh(t) is the relative speed between the leading and following vehicles. The state space representation of the system can be written as
The matrices are given by
where y(t) = Δx(t) − L + w(t) is the noisy control error between the desired distance and current distance; w(t) is the observation noise. We assume that the observation disturbance is modeled by an additive white Gaussian noise,
The variance σ2 indicates the influence of the measurement environment. The intuition behind using the Gaussian noise model is that it gives a good approximation of the natural processes. If a specific distribution of measurement error is given, the noise model can be changed accordingly and the accountability testing framework will still work.
The optimal control can be achieved through linear quadratic regulator (LQR) control. We define the cost function with zero terminal cost as
where the diagonal weights
The goal of the controller is to regulate the state towards (0, 0)T. The optimal feedback control law is given as
where P is the solution to the following associated algebraic Riccati equation:
The aforementioned vehicle dynamics model and optimal control describe the system design δ of the final ACC system based on the information provided by the supplier. Different control methods and system design can be implemented to achieve the same goal. In the following section, we assume that this system design is not the cause of the collision and purely focuses on the accountability of the sensor supplier.
4.4.3 Accountability Testing
The true product attributes play an important role in control system design. From the previous section, the optimal control of the system depends on the correct distance detection between the two objectives. Thus, the sensor with degraded detection result should hold accountable if the ACC system fails to maintain the safety distance and causes a collision. To attribute the ACC system performance to the ranging sensor supplier, we conduct the following accountability testing with respect to the ranging sensor.
For the simplicity of the model, we consider two types of ranging sensor θ ∈ Θ = {0, 1}, which differ in the detection precision. We assume the sensor with type θ = 1 is functioning normally, as the detection result r1(t) = Δx(t); while the sensor with type θ = 0 is malfunctioning with detection result r0(t) = Δx(t) + ed. The value ed is the detection error of the ranging sensor. The damaged sensor will put the host vehicle at risk of collision, since the actual distance is closer to the detection result.
The true property of the sensor is private information to the supplier, which is not revealed to the system designer. The supplier should hold accountable for a collision if there exists misinformation between the product description m and true product property θ. Note that the misinformation can be unintended or intentional. We would like to determine whether the ranging sensor supplier should be accountable for such an accident.
Consider the testing scenario in Fig. 4.9. The distance detection result from the sensor will be the input of the state vector as
We use the final distance control error as the performance y of the ACC system when testing. Suppose that the supplier reports m = 1 when signing the contract. Consider a noisy observation results y as described in (4.19), then the performance should follow
It is the anticipated distribution of the observations when the supplier truthfully report the product type (m = θ = 1). On the other hand, if the supplier misinforms the buyer (m ≠ θ = 0), the performance should follow
The negative distance control error suggests that the distance between two vehicles is smaller than the desired safety distance requirement L, which can lead to a potential collision.
We set up the following hypotheses to quantify the accountability of the supplier who reports m = 1. Let \(\mathbf{Y}=[y_1,y_2,\dots ,y_N]\in \mathbb{R}^N \) be a vector of independent identically distributed observations yk (1 ≤ k ≤ N) of the aforementioned testing scenarios.
where IN is the identity matrix of size N. To keep the consistency with other studies, we let H1 represent the case that the supplier truthfully report and H0 mean that there exists misinformation between the reported product description m and true product type θ. The supplier is accountable if the investigator correctly determines that hypothesis H0 should be established.
Assume that the cost of the decision is symmetric and incurred only when an error occurs. The reputation of the supplier follows [π0, π1]. In Bayesian binary hypothesis testing, LRT compares the likelihood ratio to threshold τ = π0∕π1. The result suggests that the hypothesis H0 be established if the sample mean S is smaller than the testing threshold η, as shown in the following
where
Given the decision rule and supplier’s reputation ratio τ, the accountability and wronged accountability of the sensor supplier who reported m = 1 is
where Q(x) is the Gaussian Q function and d = N1∕2ed∕σ [70].
4.4.4 Parameter Analysis
The accountability of the sensor supplier helps the investigator determine whether the failure of the ACC system should be attributed to the sensor. Since the accountability depends on parameters such as sampling size N, environmental observation noise variance σ2 and sensor range difference ed. In this section, we discuss several numerical results under different cases.
Figure 4.10 depicts the influence of the number of tests N and sensor detection error ed on the accountability. First, we notice that the PA → 1 and PU → 0 as the number of tests N increases. This phenomenon indicates more testing will produce a more accurate detection of the supplier’s accountability. From Eq. (4.27), we note that the observation means S converges almost surely to the expected mean of each hypothesis as N →∞. Besides, the second term in the testing threshold η vanishes, and we end up comparing the expected mean of Y to the middle point ed∕2 of two hypothesis means.
The influences of sensor detection error ed is also illustrated in Fig. 4.10. The prior is set to π0 = π1 = 0.5, which means that we do not favor any hypothesis before testing. From Fig. 4.10, as the range difference between two types increases, the PA and PD curves are associated with a more rapid change with respect to N. It suggests that if the qualities of the two types of sensors have a significant difference, it be easier for the investigator to determine the accountability of the supplier within a fewer number of tests.
Figure 4.11 displays the impact of supplier’s reputation on the accountability estimation. The ratio τ = π0∕π1 represents the reputation of the supplier. A larger value of τ indicates that we have a strong belief the supplier is dishonest. Normally, we incline to expect that the supplier with a bad reputation would be accountable for the incidents. As shown in Fig. 4.11, when we fix the testing environment, the accountability of supplier PA increases as τ increases. However, it should be noted that the wronged accountability PU increases as well. This is because the increase of τ will cause the testing threshold η in LTR will increase, leading to a larger observation space \(\mathcal{Y}_0\), where we classify the observations as H0. Thus, both PA and PU will increase according to the definition. The wronged accountability misattributes the incident to the supplier when they should not be accountable. We will discuss the trade-off between PA and PU in the following section.
4.4.5 Investigation Performance
4.4.5.1 Accountability Receiver Operating Characteristic
In the context of this ACC case study, we are interested in the relationship between accountability PA and wronged accountability PU. as
Because of the symmetric property of the Gaussian Q function, the AROC curve is invariant under this transformation. From Eqs. (4.29) and (4.30), if we eliminate the parameter τ, the relationship between PA and PU can be written as
The relationship between PA and PU is traced out as the threshold τ in LRT varies from 0 to ∞. Note that this relationship depends on the variable d = N1∕2ed∕σ. We plot the AROC curve under different d values in Fig. 4.12.
The slope of the AROC at point \(\left (P_A(\tau ),P_U(\tau )\right )\) is equal to the supplier’s reputation τ[70]. Ideally, we would like to conduct a hypothesis test such that PA is close to one and PU is close to zero. As we can see from the figure, the AROC curve approached the ideal test point when the value of d increases. This result coincides with our aforementioned analyses. Increasing the number of test N, comparing sensor with larger sensor error ed, and reducing the observation variance σ can all increase the value of d, leading to a more reliable accountability test result.
4.4.5.2 Area Under the AROC Curve
In the ACC sensor accountability testing case, the exact AUC value and its bounds with respect to d are shown in Fig. 4.13. From the figure, we can see that the performance of the hypothesis testing increases along with the value d. In fact, in testing with the Gaussian hypothesis, the value d indicates the Chernoff distance between the two Gaussian distributions [70]. A larger value of d means the distribution of H0 and H1 have less overlap, thus it is easier to separate between them. Since we have the exact expression of Pe, the bounds of AUC can be expressed as
4.5 Case Study 2: Ransomware in IoT Supply Chain
In this section, we provide a second case study of supplier accountability in smart home IoT under ransomware attacks. This example illustrates how we determine accountability in a supply chain and sophisticated systems involving varied components.
4.5.1 Background
Ransomware is a type of malware that infects particular network entities to demand ransom. This kind of attack is becoming more prevalent nowadays with the fast development of IoT systems. The broad connections for IoT devices provide more security threats and vulnerabilities. Besides, the massive number of IoT devices increases the risk of getting infected by ransomware since any device could be the target. Indeed, the ransomware attack has caused significant economic losses in industrial domains. The estimated global damage from ransomware reaches $20 billion in 2021 [78].
Smart home technologies integrate different IoT-enabled components to provide advanced services within the home environment. The components from different suppliers contribute to addressing various challenges to improve the quality of human life. However, their limited processing capabilities make them vulnerable to security threats [79], including ransomware. If the component in the home security system is taken controlled by the attacker, the end-user may face serious economic loss and privacy leakage. The user needs to determine which part of the IoT system should hold accountable for the accident. Our framework provides a way to mitigate the impact of ransomware by attributing the accident to a supplier of IoT devices.
4.5.2 Smart Lock and Ransomware Attack
Nowadays, smart home technologies have been widely accepted by individuals and organizations to improve home security. With the development of IoT and machine learning, the number of smart lock users are increasing in recent decades. Instead of physical keys, smart lock utilizes face recognition and/or fingerprint verification to achieve digital authentication. Most smart locks also are equipped with intruder alert and remote control when you are physically away from home. This innovation avoids the threats with cloneable physical keys and provides a front-line deterrent against potential intruders.
While the smart lock offers convenience to homeowners, the transition towards digital control brings concerns over security in cyberspace. One potential threat is the ransomware attack. This type of attacks belongs to the family of Advanced Persistent Threats (APTs). A malicious attacker attack your smart home IoT system, lock the front door of your house, and request a ransom. The highly-connected feature of IoT provides the attacker multiple vulnerabilities as the entry point into the network. Once building a foothold in the network, the attacker moves laterally towards the target to achieve his goal, in this case, locking the door and denying legitimate access. Once compromised by ransomware, the dangling participle would be huge if someone under medical conditions is locked and requires immediate treatment. We may be discouraged by the fact that victims simply pay the ransom in many cases, and even the FBI has inadvertently mentioned paying ransom if the network device is infected [80].
Accountability investigation provides a way to check the responsibility of the IoT device supplier(s) regarding the attack to mitigate the loss under such ransomware attacks. It is important for the investigator to find out the initial attack entry that poses a risk to the whole system. Due to the tiered structure of the supply chain, the accountability investigation needs to be constructed through a top-down layered tree analysis as shown in Fig. 4.14. This structure helps the investigator narrow down the search scope and determine the accountability of the suppliers among multiple supply chain tiers. More details are provided in the following section.
4.5.3 Accountability Investigation
4.5.3.1 Tier-1 Investigation
Face recognition and fingerprint verification are two critical parts of smart lock authentication. The failure of the smart lock could be caused by the failure of one or both of the functions. In this case, the first step in accountability investigation is to determine whether the tier-1 suppliers of these two parts need to be accountable for the ransomware attack.
Denote the supplier of face recognition technology as i = 1 and the supplier of fingerprint verification technique as i = 2. We assume that each supplier has binary types θi ∈{0, 1}. θi = 0 means that the provided product operates normally and θi = 1 stands for malfunctioning. By default, each supplier sends a message mi = 0 and guarantees the product functionality when signing the contract with the buyer. Thus, we can construct the following hypotheses as in Table 4.1. Denote hi, i = {1, 2}, as the accountability of supplier i. \(\hat {H}_0\) indicates that both parts operate normally as reported; \(\hat {H}_1/\hat {H}_2\) suggests that there be misinformation from one of the suppliers; \(\hat {H}_3\) means both suppliers need to be held accountable for the ransomware attack.
Instead of looking into the joint performance of the two components, we conduct independent decentralized investigations into each of the suppliers as shown in Fig. 4.15. We take the face recognition system h1 for example. The investigation of the fingerprint verification h2 can be conducted in the same manner. Suppose that the normal operating face recognition system can correctly detect the registered identity with μ0 = 9% accuracy. If this system is destructed by the ransomware attacker, we would expect a lower identification accuracy, i.e. μ1 < μ0. To investigate the accountability of the face recognition system, we design the following testing scenarios. On each trial, different photos of registered faces are displayed randomly in front of the device. The performance yi ∈{0, 1} at each trial is an indicator of the testing results, where yi = 1 represents correct identification and yi = 0 otherwise. Let YN = {y1, y2, …, yN} be a sequence of independent and identically distributed trials, we consider the following hypotheses for accountability testing. For each trail 1 ≤ i ≤ N,
where μ1 < μ0 = 0.95. Bernoulli distribution is a natural model to describe events with Boolean-valued outcomes under certain success probability. In this hypothesis model, H0 indicates that the face recognition system operates normally with 90% detection accuracy on average. H1 suggests a degraded identification accuracy. This investigation aims to find out whether hypothesis H1 should be established based on the system performance.
One limitation of Bayesian tests as described in Sect. 4.4 is their reliance on the prior knowledge π, i.e., the reputation of the supplier, and costs assigned to different decision errors. The choice of decision cost depends on the nature of the problem, but the prior probabilities must be known. In many applications, the prior knowledge may not be obtained precisely; thus, the correct value of the threshold in LRT is unknown. In the ransomware case study, the misinformation between the supplier and buyer may be unintended. It is challenging to determine the probability π1 that the supplier is compromised by the attacker. It is natural to consider alternative tests that can achieve desired detection results without such prior knowledge.
Neyman and Pearson [81] formulated a test λ that maximizes the correct detection probability PA(λ) (accountability) while ensuring the false-alarm probability PU(λ) (wronged accountability) is subject to an upper bound constraint α. This can be formulated as
This constrained optimization problem requires no prior knowledge about reputation and decision cost function. The only parameter that needs specification is the maximum acceptable wronged accountability α. A classic result due to Neyman and Pearson shows that the optimal solution to this type of investigation is a likelihood ratio test (LRT).
Lemma 4.1 (Neyman-Pearson Lemma)
Consider the likelihood ratio test in (4.5) with τk > 0 chosen so that PU(τk) = α. There does not exist another test λ such that PU(λ) ≤ α and PA(λ) ≥ PA(τk). Hence, the LRT is the most powerful test with false-alarm probability PU(λ) less than or equal to α.
In the accountability investigation of the face recognition system, both hypotheses admit a Bernoulli distribution. The likelihood ratio is given by
The sufficient statistics of such testing will be the sum of all performance results \(S = \sum _{i=1}^N y_i\). According to Neyman-Pearson lemma, the most powerful test will hold the supplier accountable if S < λ for a constant threshold λ.
Under H0, the detection accuracy is on average μ0, and S admits to a binomial distribution, S ∼ Binomial(N, μ0). Illustrated in Fig. 4.16, to ensure PU(λ) = α, the threshold λ is chosen to be the α-quantile of the Binomial(N, μ0) distribution.
where FS(x) is the cumulative distribution function of random variable S. Note that as this is a discrete distribution, it may not be possible to get the exact α and λ desired. One way to address this problem is to increase the total number of trials N and approximate the binomial with a Gaussian distribution according to the central limit theorem (Fig. 4.16).
In the IoT ransomware attack case, the changes made by the stealthy attacker often remains unknown even after investigations. Thus, it is hard to determine identification accuracy μ1 after the attack and find the exact performance distribution under hypothesis H1. We can only assume that the attack results in a degraded identification accuracy as μ1 < μ0. Neyman-Pearson test provides a way to investigate the accountability of the supplier with limited prior knowledge. It guarantees that the correct detection probability PA is maximized under the false-alarm constraint PU ≤ α. In the context of the IoT supply chain attack, Neyman-Pearson test paves the way for the buyer to investigate the accountability of the supplier with limited information.
4.5.3.2 Multi-Stage Accountability Investigation
The tier-1 investigation examines the accountability of each tier-1 supplier. However, due to the layered structure of the IoT supply chain and the sophisticated feature of the ransomware attack, the true cause of the attack may lie in the suppliers at the subordinate tiers. Tier-1 suppliers can further attribute the malfunction to their suppliers following a similar fashion. A top-down layered investigation is needed if we would find out the origin of the attack and obtain a holistic view of the entire supply chain. This is called a multi-stage accountability investigation.
For instance, if the face recognition system should be held accountable for the attack after the tier-1 investigation, the supplier could further investigate the components that the system consists of. There may exist different types of vulnerabilities in the components that are provided by tier-2 suppliers. The attacker could break into the system by compromising the ill-protected camera and further penetrating into the system. Another possibility is that adversaries against face recognition are performed at the detection software. If the latter case holds true, the detection software provider can further check which part of the software is malfunctioning. Face recognition attacks can be performed at the database, the predefined algorithm parameters, the communication channels, etc. The multi-stage accountability investigation aims to further figure out which among the vulnerabilities is the underlying cause of the attack (Fig. 4.17).
To analyze the accountability of the involved suppliers at each tier, we view the supply chain as a directed graph as shown in Fig. 4.19. The arrows in the graph indicate the procurement relationship. Multi-stage accountability starts from the top tier node, the final product. The accountability investigation on each supplier i produces accountability \(P_A^i\) subject to an investigation cost Ci. Whether a supplier is accountable depends on the comparison between \(P_A^i\) and selected threshold 𝜖 ∈ (0, 1). We call a supplier accountable if \(P_A^i>\epsilon \).
If the current supplier is determined to be non-accountable (\(P_A^i<\epsilon \)), there is no need to continue investigation among its suppliers. In the ransomware case study, if we determine that the face recognition system solely should be accountable after the tier-1 investigation, there is no need to conduct an accountability check for the suppliers related to the fingerprint verification system. Deductive reasoning helps reduce the investigation efforts on unrelated system components and focus on the ones that the accident is attributed to. It provides a way to prioritize the factors leading to the top event.
It should be noted that the product design of each sub-system can also be the cause of the vulnerability that exposes the system to threats. This brings up the question of how deep we should investigate during the process. Suppose the total investigation budget is B. The investigator needs to decide whether to continue the investigation or simply stop and replace the component. Replacement is a better choice if the remaining budget cannot support further investigation as
where \(\mathcal{I}\) is the set of investigated suppliers and Cnext is the investigation cost of the next supplier. The trade-off between investigation and replacement can be another dimension for consideration when conducting multi-stage accountability investigations.
Multi-stage accountability investigation is an iterative analysis process to find the cause of the accident. The layered approach provides a way to understand how the system fails, identify the vulnerabilities in the IoT supply chain, and determine the accountability of any supplier. It also creates the foundation for any further analysis and evaluation. If the structure of the supply chain has been upgraded (e.g., component replacement), it can provide a set of steps to design quality tests and maintenance procedures.
4.6 Compliance and Cyber Insurance
4.6.1 Compliance Modeling
The description m ∈ M from the supplier to the buyer is a self-reporting mechanism that requires the vendors to disclose information about their products so that the buyers can use the NIST standards to check their compliance before they are integrated into IoT systems. The procured products have to comply with the business or mission, organization-specific requirements, the operational environment, risk appetite, and risk tolerance [82]. Security requirements are an important component of compliance. They are imposed by not only the developers in the private sectors to provide information and quality assurance but also the law, which aims to protect the nation from cyber-attacks.
Recent legislation has been signed into law requiring IoT devices purchased with government money to comply with security standards [83]. The Internet of Things Cybersecurity Act of 2020 [84] requires NIST to “develop and publish under section 20 of NIST Act (15 U.S.C. 278g-3) standards and guidelines for the federal government on the appropriate use and management of Internet of Things devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such device.” All IoT devices connected to IT systems owned or controlled by a federal agency must conform to NIST standards by September 4, 2021.
The Biden executive order of May 12, 2021 [85] demands that “the federal government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid. The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).” The executive order requires full NIST compliance. The focus of the new rules is on IoT systems that support information technologies, e.g., the power and cooling systems, such as uninterruptible power supplies (UPSs), power distribution units (PDUs), and computer room air conditioners and air handlers (CRAC & CRAH) that support networks, servers, and data centers on the property of federal agencies, building management systems (BMS), and data center infrastructure management systems (DCIM).
Besides the federal regulations, supply contracts are also useful to secure systems installed by suppliers. The suppliers need to be informed of your security requirements and standards. You can check whether the proposed or delivered products or services comply with them. The contracts also play an important role in accountability. The penalty can be enforced by contracts once non-compliance of the services is found by the buyer, which has been discussed in the earlier section.
We can use formal methods to check whether the attributes in m satisfy the requirements that are coded into logical formulae f. The product is compliant if m⊧p, the description satisfies the specifications; otherwise, it is not. There are well-established tools that can be used to efficiently solve this satisfiability problem. For example, the compliance problem can be formulated as a satisfiability modulo theories (SMT) problem, which can be solved using a formalized approach and many solvers. PRISM is another tool that enables probabilistic modeling and checking of systems. Under the assumption that the reporting of m truthfully describes the product, i.e., m = θ, a compliant buyer or system will not acquire from suppliers that do not satisfy the requirement. In other words, a = 0 if m⊭p.
4.6.2 Contract Design
There are two economic-level solutions. One is the mechanism design between the buyer and the supplier to induce m = θ. To achieve this, we would need to create incentives for the supplier to truthfully reveal θ. This would rely on the design of a certain form of penalty as a credible threat. One of such penalties is through the contract. The contract between the supplier and the buyer would include a penalty once the supplier is accountable. The contract will be effective only when the buyer decides to purchase the product a = 1, which happens with probability α(m) = Pr(a = 1|m). We consider the following utility function of the supplier, \(U_S:\Theta \times \mathcal{M}\mapsto \mathbb {R}\), given by
Here, \(J_S:\Theta \times \mathcal{M}\mapsto \mathbb {R}\) is the profit of the supplier if he reports \(m\in \mathcal{M}\) when the true type is θ ∈ Θ and under the procurement decision. The second term in the utility function is the average penalty \(C_S:\Theta \times \mathcal{M}\mapsto \mathbb {R}\) for the supplier if he is held accountable. The probability of being accountable is given by \(P^m_A\) in Definition 4.2 based on the received message m. It is clear that the penalty depends on θ and m.
We call a supplier is incentive-compatible if
An incentive-compatible supplier does not have incentives to misreport what he knows when he is held accountable for his actions. Note that to achieve this, we assume that the purchase rule and accountability testing scheme are revealed to the supplier through the contract. The (ICS) condition gives a natural constraint when designing a procurement contract. However, the challenge is that the profit function JS and the type space of the suppliers are often unknown to the acquirer and they need to be conjectured or learned from experience or data.
We call a supplier is individually rational if
The (IRS) constraint ensures that the supplier benefits from participating in the contract. It requires the buyer to design the penalty carefully so that the expected profit of the supplier is non-negative.
Example: Autonomous Truck Platooning
The utility function of the supplier can be further expressed as
The goal of contract design is to assign an appropriate penalty CS for the supplier if they need to be held accountable for the accident. The first consideration comes from the (IRs) constraints. This set of constraints suggests that we should not assign a penalty that exceeds the expected profit.
The (ICS) constraints are automatically satisfied when the supplier truthfully reports m = θ. Consider the autonomous truck platooning example as described in Sect. 4.4 with the binary sensor type space, i.e., Θ = M = {0, 1}. The contract designer needs to meet the following constraints
where we denote the profit of supplier with true type θ who sends message m as \(J_S^{\theta ,m}\), and the penalty for such supplier as \(C_S^{\theta ,m}\).
From the contract designer’s viewpoint, the profit of the supplier \(J_S^{\theta ,m}\) is beyond his control. This value is determined by the production cost and economic nature of the system. In the ACC system, θ = 1 is the product type corresponding to the system design. It is natural to assume that the sensor supplier with true type θ = 1 makes more profit when he truthfully reports, as \(J_S^{11}>J_S^{10}\). Similarly, we can assume that misinformation brings a higher profit for the supplier with θ = 0, as \(J_S^{00}<J_S^{01}\).
In terms of misinformation penalty, it is incentive to penalize more on the supplier who fails to truthfully report, as \(C_S^{\theta ,\theta }<C_S^{\theta , m}\), for every m ≠ θ. If we expect the same procurement policy α(m) and accountability \(P_A^m = P_A\) are the same for both messages m ∈{0, 1}, constraint (4.38) will be automatically satisfied and constraint (4.39) will be reduced to
This indicates for the supplier θ = 0 who has the incentive to misinform the buyer, the expected extra penalties brings to the supplier through contract need to exceed the extra profit generated from the untruthful report. The result coincides with the intuition that the contract needs to be designed with incentive compatibility.
For automakers looking at production, the prices of LiDAR sensors need to be cost-effective for automotive ACC use. Ranging sensors with greater abilities will be sold for higher prices. It is reported that LiDAR suppliers manage to reduce the single-unit samples price to $250 in large volumes [86]. In the ACC supplier example, consider the following values:
We arrive at the following constraints for the contract penalty design for the supplier:
By solving the feasible region of penalty under constraints as in Fig. 4.18, the contract designer can select the proper penalties for the supplier and help avoid misinformation.
4.6.3 Cyber Insurance
4.6.3.1 Background Introduction
In spite of the wide applications of cyber-physical systems, the cyber risks within the IoT supply chain are considered to be the most challenging problem to handle. Cyber insurance is the last resort for resilience to mitigate the loss of performance. It is an important risk management tool that transfers the risks of the buyer to a third party, i.e., an insurer. Victims of a cyber attack can reduce their financial losses and quickly recover to restore their business operations. According to the cyber insurance report released by the National Association of Insurance Commissioners (NAIC) [87], the cybersecurity insurance market in 2020 is roughly $4.1 billion reflecting an increase of 29.1% from the prior year. This scheme particularly benefits small and medium-size businesses that cannot afford a major investment in cyber protection.
Unlike traditional insurance policies, cyber insurance compensates the buyer for the loss incurred by data breaches, malware infections, or other cyberattacks in which the insured entity was at fault. An incentive-compatible cyber insurance policy could help reduce the number of successful cyber attacks by incentivizing the adoption of preventative measures in return for more coverage [88, 89]. It can be served as an indicator of the quality of security protection. Besides, it is believed that cyber insurance can induce greater social welfare and encourage more comprehensive policies regarding cyber security[90].
Various frameworks have been proposed to study cyber insurance from different perspectives, including [17, 65, 91, 92]. Pal et al. have studied the economic impact of cyber insurance by proposing a supply-demand model. Their work showed that cyber insurance with client contract discrimination can improve network security [93]. Böhme et al. have proposed several market models to understand the information asymmetries between defenders and insurers [94]. Radanliev et al. have built an impact assessment model of IoT cyber risk to better estimate cyber insurance [95]. In our framework, we focus on the cyber insurance policy within the IoT supply chain and understand the impact of accountability investigation on cyber insurance.
4.6.3.2 Insurance Policy Design
Typically, the cyber insurance contract consists of the premium price and the coverage rate. The key challenge in insurance policy design lies in the difficulty of risk evaluation due to the complex structure of the cyber-physical systems. An insurer can make two separate contracts with the supplier or/and the buyer. The loss of the buyer would be compensated by the insurer when an accident or a disruption occurs. The loss of the supplier due to accountability could be insured as well. In this section, we focus on the insurance contract between an insurer and a buyer (Fig. 4.19).
The contract is composed of the premium and the coverage of the losses. Let \(C_I\in \mathbb {R}\) be the premium charged by an insurer and the coverage is modeled by the percentage r ∈ (0, 1]. They are decision variables that are determined by the insurer. A buyer has incentives to participate in the insurance if the average utility under the coverage is higher than the one without coverage. To quantitatively capture it, we specify the loss or payoff function of the buyer JB, given by
Here, the first term \(\hat {L}_B\) is the average loss of performance, which is the difference between the true and the anticipated performances. The cyber insurance will cover the r portion of the risk. Hence the residual loss is (1 − r) of the losses. The insurance can completely compensate for the loss of the performance when r = 1. The second term is CB(m) is the cost of procurement of the product and CI is the premium paid by the buyer.
In this framework, we focus on the potential loss due to the misinformation from the supplier who cannot be held accountable due to the limitation of accountability investigation. According to the investigation, if the supplier should be held accountable for the malfunctioning of the system, the loss of performance should be compensated by the supplier. However, if the investigation cannot hold the supplier accountable, the risk will be transferred to the third party under the insurance contract. The latter case occurs with probability \(1-P_A^m\), the probability of unaccountable. Thus, the loss of performance can be viewed as a random variable lB
where UB(θ, δ(m)) is the performance utility measure under the design δ(m) and the true product quality θ. We assume that the true performance UB(θ, δ(m)) is at best the same as the anticipated performance when m = θ, i.e. UB(m, δ(m)). When misinformation occurs, there will be a positive loss of performance; when the supplier reports truthfully, the true performance coincides with anticipated one and the loss is zero; in other words, the expected loss of performance
where we denote the difference in performance measure as ΔUB.
One critical aspect of cyber insurance is the bias from insurance buyers. Humans will hold biased perception concerning losses and risks, which can lead to different decisions compared to completely rational ones. Agents are often risk-averse; i.e., they prefer lower returns with known risks rather than higher returns with unknown risks. In terms of the expected losses \(\hat {L}_B\), economic literature commonly imposes the following functions for a risk-averse agent.
-
Constant Absolute Risk Aversion (CARA) [94]:
$$\displaystyle \begin{aligned} \phi(x) = \frac{e^{\beta x}}{\beta}, \end{aligned} $$(4.44)where the parameter β ≤ 1 is the absolute risk aversion coefficient, measuring the degree of risk aversion that is implicit in the utility function. The biased expected loss in this case is
$$\displaystyle \begin{aligned} \Phi(\hat{L}_B) = (1 - P_A^m) \phi(\Delta U_B), \end{aligned} $$(4.45) -
Prospect Theory (PT) [96]:
$$\displaystyle \begin{aligned} \phi(x) = \begin{cases} x^\beta & x \geq 0 \\ -\lambda (-x)^\beta & x < 0 \end{cases}, \quad w(p) = \frac{p^\zeta}{p^\zeta + (1-p)^\zeta}, \end{aligned} $$(4.46)where ϕ(x) and w(p) are biased utility and weighted probability, respectively, and λ, β, ζ are prospect parameters with loss aversion implying λ > 1. In general, PT shows that people are more averse to losses and less sensitive to gains; people inflate the belief for rare events and deflate for high-probability ones. The biased expected loss in this case is
$$\displaystyle \begin{aligned} \Phi(\hat{L}_B) = w(1 - P_A^m) \phi(\Delta U_B), \end{aligned} $$(4.47)
For these types of buyer, we should replace the average loss \(\hat {L}_B\) in Eq. (4.41) with the biased expectation \(\Phi (\hat {L}_B)\). The risk-averse buyer has an incentive to purchase cyber insurance if the expected cost under insurance is lower than the one without insurance:
Note that we assume that the utility of the buyer does not include the penalty payment from the procurement contract and assume that the procurement does not involve an accountability contract. If so, we need to design the procurement contract and the insurance contract jointly as they are interdependent.
The mechanism design problem of the insurer is to determine the optimal premium rate CI and the coverage r to maximize his profit. The insurer provides insurance only when the profit is non-negative. Thus, we have the following constraint.
We assume that the insurer is rational and risk-neutral so that they use the accurate value of the expected loss of the system when making decisions. The insurer solves the following optimization problem:
Combining the individual rationality constraints (IRB) and (IRI) with the biased utility function, we arrive at the following proposition.
Proposition 4.1
The insurance contract is established between the insurer and the buyer if the premium \(C_I\in \mathbb {R}^+\) and the coverage level r ∈ (0, 1] satisfy
This result shows that the ratio between the coverage level r and premium value CI depends on the average loss of performance of the system and the risk aversion of the pursuer. Under this constraint, a risk-averse buyer will have the incentive to purchase the insurance. This provides a fundamental principle for designing the insurance policy.
4.6.3.3 Maximum Premium with Full Coverage
In this section, we discuss the maximum acceptable premium the risk-averse buyer is willing to pay. According to Proposition 4.1, the ratio between the coverage level and the premium CI∕r is bounded by the expected and biased loss of performance of the system. The maximum premium value can be achieved when the insurer is providing full coverage as r = 1.
Proposition 4.2
The maximum acceptable premium for the buyer is achieved under the following insurance policy:
Consider the PT risk aversion in (4.46). The maximum acceptable premium can be expressed as
Proposition 4.3
With full coverage r = 1, the maximum acceptable premium is higher than the unbiased expected loss when the performance difference is relatively small, as
We first set \(P_A^m=0.8\), apply β = 0.88, ζ = 0.69 in behavioral science literature and discuss the influence of loss aversion level λ on the maximum acceptable premium \(C^*_I\), which is depicted in Fig. 4.20. The dotted line served as the baseline of the risk-neutral buyer, which represents the unbiased expected loss of performance. A larger value of λ indicates that the buyer is more risk-averse against the losses. The biased loss function is concave in ΔUB because when the ΔUB in performance is too high, a small increase in losses has little influence on the buyer’s recognition.
Risk-averse buyers are sensitive to small losses, which provides the insurer an opportunity to take advantage of the risk aversion and charge for a higher premium. From the Fig. 4.21, the biased expected loss is greater than the unbiased one when ΔUB is within the tolerable range for the buyer. This range coincides with the insurance purchase constraint in Proposition 4.1. If \(\Delta U_B > \lambda ^{\frac {1}{1-\beta }}\), we have \(\Phi (\hat {L}_B)>\hat {L}_B\) and the buyer would not have the incentive to purchase cyber insurance anymore. This indicates that the insurer can increase the premium to its maximum acceptable value if the buyer participates in the insurance.
Proposition 4.4
Cyber insurance is an incentive mechanism that encourages the buyer to have a more reliable accountability investigation.
Another key result is that cyber insurance can increase the buyer’s incentive to establish a more valid accountability investigation method. As described in (4.51), the maximum acceptable premium \(C_I^*\) has a negative correlation with respect to the accountability \(P_A^m\). Let β = 0.88, λ = 2.25 and ζ = 0.69 as the typical values in prospect theory, the influence of accountability investigation on the maximum acceptable premium is depicted in the following figure.
Figure 4.21 illustrates that a more reliable accountability investigation (larger \(P_A^m\)) can reduce the maximum premium of the insurance. The amount of reduction is higher if the performance differs more within two product types. If we consider the payoff function of the buyer under full insurance coverage. If the insurance company charges the maximum acceptable premium, we have
The decrease in CI will reduce the total payoff JB of the buyer, resulting in a higher profit. In other words, cyber insurance provides incentives for the buyer to invest more in accountability investigation and establish a more reliable examination method to determine whether the supplier should be accountable for the incident.
4.6.3.4 Coverage Level with Given Premium
In this section, we discuss the coverage level r when the premium CI is given. As demonstrated in Proposition 4.1, given a premium CI, the insurance contract is established if
This can be regarded as a constraint in the optimization problems for the buyer and the insurer.
Given CI, the buyer’s problem is to find the optimal coverage level that minimizes the total payoff under insurance.
Note that the buyer makes decision under biased expected loss, thus we use \(\Phi (\hat {L}_B)\) in the objective function to represent her recognition. On the other hand, the insurer’s problem is to find the optimal coverage level that maximizes his profit.
We assume that the insurer is rational and the expected loss in the objective function is unbiased.
By solving these two optimization problems (OPB) and (OPI), we find the optimal coverage levels for the buyer and the insurer as follows:
The buyer prefers a larger coverage level achieved at the upper bound under the constraints, while the insurer favors a lower coverage level achieved at the lower bound. The result coincides with the fact that the insurance company and the buyer have a conflict of incentives in terms of the overall payoff. However, the individual preferences of both sides need to satisfy the constraint in (4.53) in order to establish the insurance contract in the first place.
Proposition 4.5
Given the insurance premium CI, the acceptable range of coverage level r will shift in the buyer’s favor with more accountability \(P_A^m\).
Figure 4.22 illustrates the acceptable coverage level r when the performance difference ΔUB = 6 and given premium value CI = 2. From the figure, both bounds of the coverage level increase with respect to the accountability \(P_A^m\). This is because both \(\hat {L}_B\) and \(\Phi (\hat {L}_B)\) are decreasing functions in \(P_A^m\). The phenomenon shows that a more reliable accountability investigation (larger \(P_A^m\)) benefits the buyer when he participates in cyber insurance. Since the insurance contract is only established under the constraint, the acceptable range of coverage level closer to 1 covers more portion of the losses in the system, thus reducing the payoff that the buyer needs to pay after a system malfunction.
4.6.3.5 Trade-Off Between Accountability Investment and Cyber Insurance
Lastly, we discuss the trade-off between the investment in accountability investigation and cyber insurance. From the previous discussion, a more reliable accountability investigation method (larger \(P_A^m\)) reduces the maximum acceptable premium CI and increases the coverage level r. They result in a more favorable insurance plan for the buyer that mitigates the losses of performance due to the supplier. However, usually, the increase in \(P_A^m\) comes with a cost. It brings up the question: how much should we invest in accountability?
Suppose the cost to increase the accountability from \(P_A^m\) to \(P_A^{m'}\) is Cn. This value represents the extra funding on accountability investigation. The total payoff of the buyer before (JB) and after (\(J_B^{\prime }\)) accountability investment are
where r′ and \(C^{\prime }_I\) are the modified insurance plan. From previous discussions, we have arrived at \(P_A^{m'}>P_A^m\), r′ > r and \(C_I^{\prime }<C_I\). The problem is to find the optimal investment such that
The optimal investment depends on various factors such as the cost Cn, expected loss \(\hat {L}_B\), the buyer’s risk aversion, etc. We illustrate the trade-off between accountability investment and cyber insurance in the following example.
Example: Autonomous Truck Platooning
Consider the autonomous truck platooning example in Sect. 4.4.3. The accountability of the supplier takes the form
where d = N1∕2ed∕σ. Normally, the sensor difference ed, supplier’s reputation ratio τ and observation variance σ2 are already given. The only variable that is completely controlled by the investigator is the number of test N. From the analysis in the previous section, we know that \(dP_A^m/dN\geq 0\). In order to reach a higher value of \(P_A^m\), the buyer needs to increase the number of tests during the investigation, which is costly in general.
Consider the insurance plan with full coverage r = 1 and maximum premium \(C_I^*\) as described in Proposition 4.2. We assume the buyer obeys CARA risk aversion for the expected loss. Suppose the cost to conduct one test is cn. The buyer would like to find out the optimal number of tests N that can minimize her payoff, which is
Figure 4.23 shows the optimal number of accountability tests with different test costs. When there is no cost to conduct one accountability test (cn = 0), more tests are better for the buyer. Increasing the number of tests, in general, increases the accountability \(P_A^m\). As N →∞, the accountability investigation can identify the untruthful supplier almost surely with \(P_A^m\to 1\). In this case, the supplier will be penalized for the misinformation, and the payoff of the buyer will be close to zero. When the cost of each test cn increases, the optimal number of test N∗ decreases. This illustrates the trade-off between accountability investigation and cyber insurance. Even though increasing the number of tests provides a more reliable test and reduce the insurance premium, the total investment would exceed the benefit after some point, causing unnecessary payoff for the buyer. Finally, if the investigation is too costly as cn = 100, the buyer will never benefit from conducting an accountability investigation. It is better for the buyer to change to other comparatively low-cost investigation methods. By decreasing cn, the buyer can find the optimal number of tests and achieve a lower payoff.
4.7 Conclusion
In this chapter, we have proposed a system-scientific framework to study the accountability in IoT supply chains and provided a holistic risk analysis technologically and socio-economically. We have developed stylized models and quantitative approaches to evaluate the accountability of the supplier. Two case studies have been used to demonstrate the model of accountability in the setting of autonomous truck platooning and ransomware in IoT supply chain.
We discuss the accountability investigation performance and design with a single supplier in the autonomous truck platooning case. From the parameter analysis, the reliability of the investigation can be improved with larger sensor error, more number of tests, and less observation variance. We have also showed the impact of the supplier’s reputation on accountability investigation. A bad reputation will increase both accountability and wronged accountability during the investigation.
Using the smart lock case study, we have illustrated how to determine the accountability of the supplier in the IoT supply chain under a ransomware attack. A Neyman-Pearson test has been used to deal with suppliers with limited prior information. We have presented the model of the multi-stage accountability investigation with multiple suppliers in the supply chain and discussed the trade-off between detailed investigation and product replacement.
Contract design and cyber insurance are used as economic solutions to improve the cyber resilience in IoT supply chains. By designing contracts under incentive-compatibility and individual rationality constraints, the IoT end-user can penalize the accountable supplier and reduce his incentive of providing misinformation in the first place. Cyber insurance mitigates the loss of performance by transferring the risks to a third party. We have shown that cyber insurance is an incentive-compatible mechanism that facilitates a more reliable accountability investigation from the buyer side. However, the investigator needs to balance between the accountability investment and cyber insurance to achieve a higher payoff.
References
D.L. Farris, Target to pay nearly $40 million to settle with banks over data breach; total costs reach $290 million (2015). [Online]. Available: https://www.natlawreview.com/article/target-to-pay-nearly-40-million-to-settle-banks-over-data-breach-total-costs-reach
N. Manworren, J. Letwat, O. Daily, Why you should care about the target data breach. Bus. Horiz. 59(3), 257–266 (2016)
T. Kieras, M.J. Farooq, Q. Zhu, Modeling and assessment of IoT supply chain security risks: the role of structural and parametric uncertainties, in 2020 IEEE Security and Privacy Workshops (SPW) (IEEE, 2020), pp. 163–170
T. Kieras, M.J. Farooq, Q. Zhu, RIoTS: Risk analysis of IoT supply chain threats, in 2020 IEEE 6th World Forum on Internet of Things (WF-IoT) (IEEE, 2020), pp. 1–6
T. Kieras, J. Farooq, Q. Zhu, I-SCRAM: A framework for IoT supply chain risk analysis and mitigation decisions. IEEE Access 9, 29827–29840 (2021)
M.J. Farooq, Cyber-physical dynamic decision mechanisms for large scale Internet of things systems & networks, Ph.D. dissertation, New York University Tandon School of Engineering, 2020
L. Huang, Q. Zhu, Farsighted risk mitigation of lateral movement using dynamic cognitive honeypots, in International Conference on Decision and Game Theory for Security (Springer, 2020), pp. 125–146
J. Pawlick, E. Colbert, Q. Zhu, A game-theoretic taxonomy and survey of defensive deception for cybersecurity and privacy. ACM Comput. Surv. (CSUR) 52(4), 82 (2019)
J. Pawlick, Q. Zhu, Game Theory for Cyber Deception: From Theory to Applications (Springer Nature, 2021)
L. Huang, Q. Zhu, Duplicity games for deception design with an application to insider threat mitigation. IEEE Trans. Inf. Forens. Secur. 16, 4843–4856 (2021)
Q. Zhu, T. Başar, Game-theoretic methods for robustness, security, and resilience of cyberphysical control systems: games-in-games principle for optimal cross-layer resilient control systems. Control Syst. IEEE 35(1), 46–65 (2015)
L. Huang, Q. Zhu, A dynamic games approach to proactive defense strategies against advanced persistent threats in cyber-physical systems. Comput. Secur. 89, 101660 (2020)
Q. Zhu, Z. Xu, Cross-layer Design for Secure and Resilient Cyber-physical Systems (Springer, 2020)
Y. Huang, L. Huang, Q. Zhu, Reinforcement learning for feedback-enabled cyber resilience. Preprint. arXiv:2107.00783 (2021)
C.A. Kamhoua, C.D. Kiekintveld, F. Fang, Q. Zhu, Game Theory and Machine Learning for Cyber Security (Wiley, 2021)
L. Huang, Q. Zhu, Adaptive honeypot engagement through reinforcement learning of semi-Markov decision processes, in International Conference on Decision and Game Theory for Security (Springer, 2019), pp. 196–216
R. Zhang, Q. Zhu, Y. Hayel, A bi-level game approach to attack-aware cyber insurance of computer networks. IEEE J. Sel. Areas Commun. 35(3), 779–794 (2017)
C.J. Fung, Q. Zhu, FACID: A trust-based collaborative decision framework for intrusion detection networks. Ad Hoc Netw. 53, 17–31 (2016). [Online]. Available: http://www.sciencedirect.com/science/article/pii/S1570870516302062
M.H. Manshaei, Q. Zhu, T. Alpcan, T. Bacşar, J.P. Hubaux, Game theory meets network security and privacy. ACM Comput. Surv. (CSUR) 45(3), 25 (2013)
Q. Zhu, C. Fung, R. Boutaba, T. Başar, GUIDEX: A game-theoretic incentive-based mechanism for intrusion detection networks. IEEE J. Sel. Areas Commun. 30(11), 2220–2230 (2012)
Q. Zhu, H. Tembine, T. Başar, Network security configurations: A nonzero-sum stochastic game approach, in Proceedings of the 2010 American Control Conference (IEEE, 2010), pp. 1059–1064
T. Zhang, Q. Zhu, Strategic defense against deceptive civilian GPS spoofing of unmanned aerial vehicles, in International Conference on Decision and Game Theory for Security (Springer, 2017), pp. 213–233
Q. Zhu, Z. Yuan, J.B. Song, Z. Han, T. Başar, Interference aware routing game for cognitive radio multi-hop networks. IEEE J. Sel. Areas Commun. 30(10), 2006–2015 (2012)
Q. Zhu, J.B. Song, T. Başar, Dynamic secure routing game in distributed cognitive radio networks, in Global Telecommunications Conference (GLOBECOM 2011), 2011 IEEE (IEEE, 2011), pp. 1–6
Q. Zhu, H. Li, Z. Han, T. Başar, A stochastic game model for jamming in multi-channel cognitive radio systems, in ICC (2010), pp. 1–6
Q. Zhu, W. Saad, Z. Han, H.V. Poor, T. Başar, Eavesdropping and jamming in next-generation wireless networks: A game-theoretic approach, in Military Communications Conference (MILCOM), 2011 (IEEE, 2011), pp. 119–124
Q. Zhu, Z. Yuan, J.B. Song, Z. Han, T. Başar, Dynamic interference minimization routing game for on-demand cognitive pilot channel, in Global Telecommunications Conference (GLOBECOM 2010), 2010 IEEE (IEEE, 2010), pp. 1–6
J. Pawlick, E. Colbert, Q. Zhu, Modeling and analysis of leaky deception using signaling games with evidence. IEEE Trans. Inf. Forens. Secur. 14(7), 1871–1886 (2018)
J. Zheng, D.A. Castañón, Dynamic network interdiction games with imperfect information and deception, in 2012 IEEE 51st IEEE Conference on Decision and Control (CDC) (IEEE, 2012), pp. 7758–7763
Q. Zhu, A. Clark, R. Poovendran, T. Başar, Deceptive routing games, in 2012 IEEE 51st IEEE Conference on Decision and Control (CDC) (IEEE, 2012), pp. 2704–2711
K. Horák, Q. Zhu, B. Bošanskỳ, Manipulating adversary’s belief: A dynamic game approach to deception by design for proactive network security, in International Conference on Decision and Game Theory for Security (Springer, 2017), pp. 273–294
L. Huang, Q. Zhu, A dynamic games approach to proactive defense strategies against advanced persistent threats in cyber-physical systems. CoRR, vol. abs/1906.09687 (2019). [Online]. Available: http://arxiv.org/abs/1906.09687
Q. Zhu, S. Rass, On multi-phase and multi-stage game-theoretic modeling of advanced persistent threats. IEEE Access 6, 13958–13971 (2018)
J. Chen, C. Touati, Q. Zhu, A dynamic game analysis and design of infrastructure network protection and recovery. ACM SIGMETRICS Perform. Eval. Rev. 45(2), 128 (2017)
J. Chen, Q. Zhu, Interdependent strategic cyber defense and robust switching control design for wind energy systems, in Power & Energy Society General Meeting, 2017 IEEE (IEEE, 2017), pp. 1–5
S. Rass, S. Schauer, S. König, Q. Zhu, Cyber-Security in Critical Infrastructures: A Game-Theoretic Approach. Advanced Sciences and Technologies for Security Applications (Springer, 2020)
C. Rieger, I. Ray, Q. Zhu, M. Haney, Industrial Control Systems Security and Resiliency: Practice and Theory. Advances in Information Security (Springer, 2019)
Q. Zhu, T. Başar, Robust and resilient control design for cyber-physical systems with an application to power systems, in 2011 50th IEEE Conference on Decision and Control and European Control Conference (IEEE, 2011), pp. 4066–4071
Q. Zhu, L. Bushnell, T. Başar, Resilient distributed control of multi-agent cyber-physical systems, in Control of Cyber-Physical Systems (Springer, 2013), pp. 301–316
F. Miao, Q. Zhu, M. Pajic, G.J. Pappas, A hybrid stochastic game for secure control of cyber-physical systems. Automatica 93, 55–63 (2018)
Z. Xu, Q. Zhu, A cyber-physical game framework for secure and resilient multi-agent autonomous systems, in 2015 IEEE 54th Annual Conference on Decision and Control (CDC) (IEEE, 2015), pp. 5156–5161
J. Chen, C. Touati, Q. Zhu, Optimal secure two-layer IoT network design. IEEE Trans. Control Netw. Syst. 7(1), 398–409 (2019)
Q.D. La, T.Q. Quek, J. Lee, A game theoretic model for enabling honeypots in IoT networks, in 2016 IEEE International Conference on Communications (ICC) (IEEE, 2016), pp. 1–6
J. Chen, Q. Zhu, Interdependent strategic security risk management with bounded rationality in the Internet of things. IEEE Trans. Inf. Forens. Secur. 14(11), 2958–2971 (2019)
J. Chen, C. Touati, Q. Zhu, A dynamic game approach to designing secure interdependent IoT-enabled infrastructure network. IEEE Trans. Netw. Sci. Eng. 8(3), 2601–2612 (2021)
J. Chen, Q. Zhu, A Game-and Decision-Theoretic Approach to Resilient Interdependent Network Analysis and Design (Springer, 2019)
T. Börgers, D. Krahmer, An Introduction to the Theory of Mechanism Design (Oxford University Press, USA, 2015)
R.B. Myerson, Perspectives on mechanism design in economic theory. Am. Econ. Rev. 98(3), 586–603 (2008)
H. Nissenbaum, Computing and accountability. Commun. ACM 37(1), 72–81 (1994)
J. Feigenbaum, A.D. Jaggard, R.N. Wright et al., Accountability in Computing: Concepts and Mechanisms (Now Publishers, 2020)
J. Feigenbaum, A.D. Jaggard, R.N. Wright, Open vs. closed systems for accountability, in Proceedings of the 2014 Symposium and Bootcamp on the Science of Security (2014), pp. 1–11
R. Künnemann, I. Esiyok, M. Backes, Automated verification of accountability in security protocols, in 2019 IEEE 32nd Computer Security Foundations Symposium (CSF) (IEEE, 2019), pp. 397–39716
J. Zou, Y. Wang, K.J. Lin, A formal service contract model for accountable SAAS and cloud services, in 2010 IEEE International Conference on Services Computing (IEEE, 2010), pp. 73–80
R. Avenhaus, B. Von Stengel, and S. Zamir, Inspection games, Handbook of game theory with economic applications 3, pp. 1947–1987, 2002.
T. Zhang, Q. Zhu, Hypothesis testing game for cyber deception, in International Conference on Decision and Game Theory for Security (Springer, 2018), pp. 540–555
G. Peng, Q. Zhu, Sequential hypothesis testing game, in 2020 54th Annual Conference on Information Sciences and Systems (CISS) (IEEE, 2020), pp. 1–6
J. Blocki, N. Christin, A. Datta, A.D. Procaccia, A. Sinha, Audit games, in Twenty-Third International Joint Conference on Artificial Intelligence (2013)
S. Rass, S. Schauer, S. König, Q. Zhu, Optimal inspection plans, in Cyber-Security in Critical Infrastructures (Springer, 2020), pp. 179–209
S. Rass, Q. Zhu, GADAPT: a sequential game-theoretic framework for designing defense-in-depth strategies against advanced persistent threats, in International Conference on Decision and Game Theory for Security (Springer, 2016), pp. 314–326
R.B. Myerson, Optimal auction design. Math. Oper. Res. 6(1), 58–73 (1981)
M.J. Farooq, Q. Zhu, Optimal dynamic contract for spectrum reservation in mission-critical UNB-IoT systems, in 2018 16th International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WiOpt) (IEEE, 2018), pp. 1–6
T. Zhang, Q. Zhu, Optimal two-sided market mechanism design for large-scale data sharing and trading in massive IoT networks. Preprint. arXiv:1912.06229 (2019)
T. Zhang, Q. Zhu, On incentive compatibility in dynamic mechanism design with exit option in a Markovian environment. Dyn. Games Appl. 12, 701–745 (2022)
J. Chen, Q. Zhu, Security as a service for cloud-enabled Internet of controlled things under advanced persistent threats: a contract design approach. IEEE Trans. Inf. Forens. Secur. 12(11), 2736–2750 (2017)
R. Zhang, Q. Zhu, FlipIn:a game-theoretic cyber insurance framework for incentive-compatible cyber risk management of internet of things. IEEE Trans. Inf. Forens. Secur. 15, 2026–2041 (2019)
L. Huang, Q. Zhu, Dynamic bayesian games for adversarial and defensive cyber deception, in Autonomous Cyber Deception (Springer, 2019), pp. 75–97
S. Jajodia, A.K. Ghosh, V. Swarup, C. Wang, X.S. Wang, Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, vol. 54 (Springer Science & Business Media, 2011)
Q. Zhu, T. Başar, Game-theoretic approach to feedback-driven multi-stage moving target defense, in International Conference on Decision and Game Theory for Security (Springer, 2013), pp. 246–263
Z. Qian, J. Fu, Q. Zhu, A receding-horizon MDP approach for performance evaluation of moving target defense in networks, in 2020 IEEE Conference on Control Technology and Applications (CCTA) (IEEE, 2020), pp. 1–7
B.C. Levy, Binary and Mary hypothesis testing, in Principles of Signal Detection and Parameter Estimation (Springer, 2008), pp. 1–57
T.D. Wickens, Elementary Signal Detection Theory (Oxford University Press, 2001)
J.H. Shapiro, Bounds on the area under the ROC curve. JOSA A 16(1), 53–57 (1999)
J.N. Tsitsiklis, Decentralized detection, in Advances in Statistical Signal Processing, Signal Detection, ed. by Poor, Thomas, vol. 2, (JAI Press, 1990)
K. C. Nguyen, T. Alpcan, and T. Basar, Distributed hypothesis testing with a fusion center: The conditionally dependent case, in 2008 47th IEEE Conference on Decision and Control (IEEE, 2008), pp. 4164–4169
W.H. Organization et al., Global status report on road safety 2018: summary, World Health Organization, Tech. Rep. (2018)
C. Stöckle, W. Utschick, S. Herrmann, T. Dirndorfer, Robust design of an automatic emergency braking system considering sensor measurement errors, in 2018 21st International Conference on Intelligent Transportation Systems (ITSC) (IEEE, 2018)
M. Wang, W. Daamen, S.P. Hoogendoorn, B. van Arem, Rolling horizon control framework for driver assistance systems. part I: Mathematical formulation and non-cooperative systems. Transp. Res. Part C Emerg. Technol. 40, 271–289 (2014)
D. Braue, Global ransomware damage costs predicted to exceed $265 billion by 2031, 2021, accessed: July 20, 2021. [Online]. Available: https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/
D. Geneiatakis, I. Kounelis, R. Neisse, I. Nai-Fovino, G. Steri, G. Baldini, Security and privacy issues for an IoT based smart home, in 2017 40th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO) (IEEE, 2017), pp. 1292–1297
E. Cartwright, J. Hernandez Castro, A. Cartwright, To pay or not: game theoretic models of ransomware. J. Cybersecur. 5(1), tyz009 (2019)
J. Neyman, E.S. Pearson, IX. On the problem of the most efficient tests of statistical hypotheses. Philos. Trans. R. Soc. Lond. A 231(694–706), 289–337 (1933). Containing Papers of a Mathematical or Physical Character
J. Boyens, C. Paulsen, R. Moorthy, N. Bartol, Supply chain risk management practices for federal information systems and organizations (2015). [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf
D. Kovaleski, Bill that requires security standards for government purchases of iot devices signed into law (2020). [Online]. Available: https://homelandprepnews.com/stories/58555-bill-that-requires-security-standards-for-government-purchases-of-iot-devices-signed-into-law/
R.L. Kelly, Text - h.r.1668 - 116th congress (2019-2020): Internet of things cybersecurity improvement act of 2020 (2020). [Online]. Available: https://www.congress.gov/bill/116th-congress/house-bill/1668/text
Executive order on improving the nation’s cybersecurity, May (2021). [Online]. Available: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
J. Hecht, Lidar for self-driving cars. Opt. Photonics News 29(1), 26–33 (2018)
N.A. of Insurance Commissioners (NAIC), Report on the cybersecurity insurance market (2021). Accessed 20 Oct 2021. [Online]. Available: https://content.naic.org/sites/default/files/index-cmte-c-Cyber_Supplement_2020_Report.pdf
B. Cashell, W.D. Jackson, M. Jickling, B. Webel, The economic impact of cyber-attacks, Congressional research service documents, CRS RL32331 (Washington DC), 2 (2004)
R.P. Majuca, W. Yurcik, J.P. Kesan, The evolution of cyberinsurance. Preprint. cs/0601020 (2006)
A. Marotta, F. Martinelli, S. Nanni, A. Orlando, A. Yautsiukhin, Cyber-insurance survey. Comput. Sci. Rev. 24, 35–61 (2017)
R. Zhang, Q. Zhu, Optimal cyber-insurance contract design for dynamic risk management and mitigation. IEEE Trans. Comput. Soc. Syst. (2021)
R. Zhang, Strategic cyber data risk management over networks: from proactive defense to cyber insurance, Ph.D. dissertation, New York University Tandon School of Engineering, 2020
R. Pal, L. Golubchik, K. Psounis, P. Hui, Will cyber-insurance improve network security? a market analysis, in IEEE INFOCOM 2014-IEEE Conference on Computer Communications (IEEE, 2014), pp. 235–243
R. Böhme, G. Schwartz et al., Modeling cyber-insurance: Towards a unifying framework, in WEIS (2010)
P. Radanliev, D. De Roure, S. Cannady, R. Mantilla Montalvo, R. Nicolescu, M. Huth, Analysing IoT cyber risk for estimating IoT cyber insurance, in Living in the Internet of Things: Cybersecurity of the IoT-2018. IET Conference Proceedings (The Institution of Engineering and Technology, London, 2018), pp. 1–9
D. Kahneman, A. Tversky, Prospect theory: An analysis of decision under risk, in Handbook of the Fundamentals of Financial Decision Making: Part I (World Scientific, 2013), pp. 99–127
Author information
Authors and Affiliations
Corresponding authors
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Kieras, T., Farooq, J., Zhu, Q. (2022). Policy Management. In: IoT Supply Chain Security Risk Analysis and Mitigation. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-031-08480-5_4
Download citation
DOI: https://doi.org/10.1007/978-3-031-08480-5_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-08479-9
Online ISBN: 978-3-031-08480-5
eBook Packages: Computer ScienceComputer Science (R0)