Abstract
We introduce a two-player stochastic game for modeling secure team selection to add resilience against insider threats. A project manager, Alice, has a secret she wants to protect but must share with a team of individuals selected from within her organization; while an adversary, Eve, wants to learn this secret by bribing one potential team member. Eve does not know which individuals will be chosen by Alice, but both players have information about the bribeability of each potential team member. Specifically, the amount required to successfully bribe each such individual is given by a random variable with a known distribution but an unknown realization.
We characterize best-response strategies for both players, and give necessary conditions for determining the game’s equilibria. We find that Alice’s best strategy involves minimizing the information available to Eve about the team composition. In particular, she should select each potential team member with a non-zero probability, unless she has a perfectly secure strategy. In the special case where the bribeability of each employee is given by a uniformly-distributed random variable, the equilibria can be divided into two outcomes – either Alice is perfectly secure, or her protection is based only on the randomness of her selection.
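The two outcomes named for the uniform case can be reproduced with a small best-response calculation. This is an added example, not code from the paper. Its payoff model is an assumption made here: Eve spends the bribe whether or not it is accepted, she values the secret at `value`, and employee i accepts any bribe at or above a threshold drawn from U[0, caps[i]]. All numbers are constructed.

```python
from fractions import Fraction as F

def eve_payoff(pick_prob, cap, bribe, value):
    """Eve's expected payoff for offering `bribe` to one employee (assumed model)."""
    accept = min(F(bribe, cap), F(1))          # P(threshold <= bribe), threshold ~ U[0, cap]
    return pick_prob * accept * value - bribe  # assumption: the bribe is spent either way

def eve_best_response(pick_probs, caps, value):
    """Return (target, bribe, leak_probability, payoff); target None means no attack."""
    best = (None, F(0), F(0), F(0))
    for i, (p, cap) in enumerate(zip(pick_probs, caps)):
        # The payoff is linear in the bribe on [0, cap] and only falls beyond cap,
        # so the only bribe that can beat staying out (bribe = 0) is bribe = cap.
        payoff = eve_payoff(p, cap, cap, value)
        if payoff > best[3]:
            # A bribe of cap is always accepted, so the secret leaks iff i is on the team.
            best = (i, F(cap), p, payoff)
    return best

# Constructed instance: four candidates, Alice needs a team of two.
CAPS = [2, 4, 6, 8]                    # upper ends of the uniform bribe thresholds
FIXED = [F(0), F(0), F(1), F(1)]       # always pick the two hardest to bribe
UNIFORM = [F(1, 2)] * 4                # every pair equally likely
BALANCED = [F(c, 10) for c in CAPS]    # marginals proportional to caps, summing to 2

if __name__ == "__main__":
    cases = [("fixed, value 10", FIXED, 10),
             ("balanced, value 10", BALANCED, 10),
             ("fixed, value 20", FIXED, 20),
             ("uniform, value 20", UNIFORM, 20)]
    for name, probs, value in cases:
        target, bribe, leak, payoff = eve_best_response(probs, CAPS, value)
        print(f"{name}: target={target} bribe={bribe} leak={leak} payoff={payoff}")
```

With a secret worth 10, the fixed team leaks with certainty while the balanced randomization gives Eve no profitable bribe; with a secret worth 20, no choice of marginals removes the incentive, and uniform selection halves the leak probability purely through Eve's uncertainty about who is on the team.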
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Laszka, A., Johnson, B., Schöttle, P., Grossklags, J., Böhme, R. (2013). Managing the Weakest Link. In: Crampton, J., Jajodia, S., Mayes, K. (eds) Computer Security – ESORICS 2013. ESORICS 2013. Lecture Notes in Computer Science, vol 8134. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40203-6_16
DOI: https://doi.org/10.1007/978-3-642-40203-6_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40202-9
Online ISBN: 978-3-642-40203-6
eBook Packages: Computer Science (R0)