<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<item>
  <id>05570269</id>
  <dt>a</dt>
  <an>05570269</an>
  <augroup>
    <au>Camp, L.Jean</au>
  </augroup>
  <ti>Hardening the network from the friend within.</ti>
  <so>Boyd, Colin (ed.) et al., Information security and privacy. 14th Australasian conference, ACISP 2009, Brisbane, Australia, July 1--3, 2009. Proceedings. Berlin: Springer (ISBN 978-3-642-02619-5/pbk). Lecture Notes in Computer Science 5594, 249 (2009).</so>
  <py>2009</py>
  <pu>Berlin: Springer</pu>
  <lagroup>
    <la>EN</la>
  </lagroup>
  <ccgroup>
  </ccgroup>
  <utgroup>
  </utgroup>
  <cigroup>
  </cigroup>
  <ligroup>
    <li>doi:10.1007/978-3-642-02620-1_17</li>
  </ligroup>
  <abgroup>
    <ab>Summary: The insider threat in the networked world is distinct from the insider threat in the traditional physical business realm in that the most dangerous networked insider may be the least intentionally malicious. This inadvertent enemy within enables access by malicious outsiders through technologically naïve or risk-seeking behavior. These behaviors include consistent choices (e.g., permission configurations, monotonically increasing access control rights) and specific behaviors (e.g., opening email attachments, clicking on video links). The risks of these actions are invisible to the individual, and the risks are borne at least in part by the organization. Any change in this insider behavior must include incentives for risk-avoidance, risk communication, and enable risk-mitigating choices. By developing incentive mechanisms and interactions that communicate these incentives, the risk behavior of the authorized insider can be aligned with the risk posture of the organization. We have combined game theory for incentive design, risk parameterization for pricing, and risk communication to create risk-based access control. The presentation will include the game formulation, presentation of the mechanism for pricing behaviors, and the remarkable results of initial human subjects experimentation.</ab>
    <rv></rv>
  </abgroup>
</item>