Publication


Featured research published by Lisa Rajbhandari.


international conference on communications | 2011

Mapping between classical risk management and game theoretical approaches

Lisa Rajbhandari; Einar Snekkenes

In a typical classical risk assessment approach, the probabilities are usually guessed and not much guidance is provided on how to get the probabilities right. When coming up with probabilities, people are generally not well calibrated. History may not always be a very good teacher. Hence, in this paper, we explain how game theory can be integrated into classical risk management. Game theory puts emphasis on collecting representative data on how stakeholders assess the values of the outcomes of incidents rather than collecting the likelihood or probability of incident scenarios for future events that may not be stochastic. We describe how it can be mapped and utilized for risk management by relating a game theoretically inspired risk management process to ISO/IEC 27005. This shows how all the steps of classical risk management can be mapped to steps in the game theoretical model, however, some of the game theoretical steps at best have a very limited existence in ISO/IEC 27005.


information security conference | 2013

Using the Conflicting Incentives Risk Analysis Method

Lisa Rajbhandari; Einar Snekkenes

Risk is usually expressed as a combination of likelihood and consequence but obtaining credible likelihood estimates is difficult. The Conflicting Incentives Risk Analysis (CIRA) method uses an alternative notion of risk. In CIRA, risk is modeled in terms of conflicting incentives between the risk owner and other stakeholders in regards to the execution of actions. However, very little has been published regarding how CIRA performs in non-trivial settings. This paper addresses this issue by applying CIRA to an Identity Management System (IdMS) similar to the eGovernment IdMS of Norway. To reduce sensitivity and confidentiality issues the study uses the Case Study Role Play (CSRP) method. In CSRP, data is collected from the individuals playing the role of fictitious characters rather than from an operational setting. The study highlights several risk issues and has helped in identifying areas where CIRA can be improved.


international conference on information security | 2012

Intended actions: risk is conflicting incentives

Lisa Rajbhandari; Einar Snekkenes

Most methods for risk analysis take the view that risk is a combination of consequence and likelihood. Often, this is translated to an expert elicitation activity where likelihood is interpreted as (qualitative/subjective) probabilities or rates. However, for cases where there is little data to validate probability or rate claims, this approach breaks down. In our Conflicting Incentives Risk Analysis (CIRA) method, we model risks in terms of conflicting incentives where risk analyst subjective probabilities are traded for stakeholder perceived incentives. The objective of CIRA is to provide an approach in which the input parameters can be audited more easily. The main contribution of this paper is to show how ideas from game theory, economics, psychology, and decision theory can be combined to yield a risk analysis process. In CIRA, risk magnitude is related to the magnitude of changes to perceived utility caused by potential state changes. This setting can be modeled by a one shot game where we investigate the degree of desirability the players perceive potential changes to have.


IFIP PrimeLife International Summer School on Privacy and Identity Management for Life | 2010

Using Game Theory to Analyze Risk to Privacy: An Initial Insight

Lisa Rajbhandari; Einar Snekkenes

Today, with the advancement of information technology, there is a growing risk to privacy as identity information is being used widely. This paper discusses some of the key issues related to the use of game theory in privacy risk analysis. Using game theory, risk analysis can be based on preferences or values of benefit which the subjects can provide rather than subjective probability. In addition, it can also be used in settings where no actuarial data is available. This may increase the quality and appropriateness of the overall risk analysis process. A simple privacy scenario between a user and an online bookstore is presented to provide an initial understanding of the concept.


2011 1st Workshop on Socio-Technical Aspects in Security and Trust (STAST) | 2011

An approach to measure effectiveness of control for risk analysis with game theory

Lisa Rajbhandari; Einar Snekkenes

Security managers are facing problems choosing effective controls (countermeasures), as there is a large number of controls at their disposal. Although the existing standards and methods provide guidance, they are not sufficiently comprehensive when it comes to deciding what attributes to look for and how to use them for determining the effectiveness of controls. The purpose of this paper is twofold: first we determine the attributes of controls and their measurement functions, in order to measure their effectiveness by means of Analytic Hierarchy Process (AHP). Secondly, we show how control metrics can be used by the analyst to make deployment decisions by means of Risk Analysis Using Game Theory (RAUGT). The approach is further validated by using a case study between a system owner who wants to determine the effectiveness of using the Password Testing System (PTS) to raise the bar for the attacker.


trust and privacy in digital business | 2013

Risk Acceptance and Rejection for Threat and Opportunity Risks in Conflicting Incentives Risk Analysis

Lisa Rajbhandari; Einar Snekkenes

Classical methods for risk analysis usually rely on probability estimates that are sometimes difficult to verify. In particular, this is the case when the system in question is non-stationary or does not have a history for which reliable statistics are available. These methods focus on risks in relation to threats, failing to consider risks in relation to opportunity. The Conflicting Incentives Risk Analysis (CIRA) addresses both these issues. Previously, CIRA has been investigated in analyzing threat risks. The paper contributes by illustrating the concept of opportunity risk in the context of CIRA. We give some theoretical underpinnings of risk acceptance and rejection of CIRA, addressing both risks. Furthermore, the paper explains the extension of CIRA to risk management by outlining the risk treatment response measures for threat opportunity risks.


trust and privacy in digital business | 2012

Flexible Regulation with Privacy Points

Hanno Langweg; Lisa Rajbhandari

We propose a utilitarian approach to a uniform regulatory framework to assess privacy impact and to establish compensatory actions. “Privacy points” gauge the effect of measures on people’s privacy. Privacy points are exchangeable and, hence, give companies room for innovation in how they improve people’s privacy. Regulators lose control on details while getting the opportunity to extend their power to a larger portion of the market.


Archive | 2018

Utilizing Game Theory for Security Risk Assessment

Lisa Rajbhandari; Einar Snekkenes

Security risk assessment provides valuable insights about potential security risks to an organization to protect their critical information assets. With an ability to comprehend security risks, organizations can make effective decisions to allocate their budget to mitigate or treat those risks (often based on the severity of the risk). Thus, it is paramount to identify and assess risk scenarios properly to manage those risks. Subjective judgment due to the lack of statistical data and the adaptive nature of the adversary may affect the credibility of the assessments when using classical risk assessment methods. Even though game theoretical approach formulates robust mathematical models for risk assessment without the reliance on subjective probabilities, it is seldom used in organizations. Thus, this chapter expands on the existing mapping between game theory and risk assessment process and terminology to provide further insight into how game theory can be utilized for risk assessment. In addition, we provide our view on how cooperative game theoretical model may be used to capture opportunity risk, which is usually overlooked in many classical risk assessment methods.


european intelligence and security informatics conference | 2013

Consideration of Opportunity and Human Factor: Required Paradigm Shift for Information Security Risk Management

Lisa Rajbhandari

Most of the existing Risk Analysis and Management Methods (RAMMs) focus on threat without taking account of the available opportunity to an entity. Besides, human aspects are not often given much importance in these methods. These issues create a considerable drawback as the available opportunities to an entity (organization, system, etc.) might go unnoticed which might hamper the entity from achieving its objectives. Moreover, understanding the motives of humans plays an important role in guiding the risk analysis. This paper reviews several existing RAMMs to highlight the above issues and provides reasoning as to emphasize the importance of these two issues in information security management. From the analysis of the selected methods, we identified that a majority of the methods acknowledge only threat and the consideration of human factors has not been reflected. Although the issues are not new, these still remain open and the field of risk management needs to be directed towards addressing them. The review is expected to be helpful both to the researchers and practitioners in providing relevant information to consider these issues for further improving the existing RAMMs or when developing new methods.


international workshop on security | 2018

Case Study Role Play for Risk Analysis Research and Training

Lisa Rajbhandari; Einar Snekkenes

Collaboration


Top Co-Authors

Einar Snekkenes

Gjøvik University College

Bian Yang

Gjøvik University College

Christoph Busch

Norwegian University of Science and Technology
