Abstract
Most methods for risk analysis take the view that risk is a combination of consequence and likelihood. Often, this is translated to an expert elicitation activity where likelihood is interpreted as (qualitative/subjective) probabilities or rates. However, for cases where there is little data to validate probability or rate claims, this approach breaks down. In our Conflicting Incentives Risk Analysis (CIRA) method, we model risks in terms of conflicting incentives, where the risk analyst's subjective probabilities are traded for stakeholder-perceived incentives. The objective of CIRA is to provide an approach in which the input parameters can be audited more easily. The main contribution of this paper is to show how ideas from game theory, economics, psychology, and decision theory can be combined to yield a risk analysis process. In CIRA, risk magnitude is related to the magnitude of changes to perceived utility caused by potential state changes. This setting can be modeled by a one-shot game in which we investigate the degree of desirability the players perceive potential changes to have.
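The following is an added illustration of the idea stated in the abstract (risk as the change in perceived utility caused by a state change in a one-shot game); it is not the paper's CIRA procedure, and the stakeholders, candidate state changes and utility values are constructed for the example.

```python
from dataclasses import dataclass

# Each candidate state change is attributed to the stakeholder who can cause it,
# together with the change in perceived utility it produces for every stakeholder.
# These utility deltas are assumed inputs on an arbitrary scale (constructed data).
@dataclass(frozen=True)
class StateChange:
    name: str
    actor: str                   # stakeholder who could bring about the change
    utility_delta: dict          # stakeholder -> change in perceived utility

def incentive(change):
    """Perceived gain for the stakeholder who would carry out the change."""
    return change.utility_delta.get(change.actor, 0.0)

def risk_to(change, stakeholder):
    """Loss of perceived utility for `stakeholder` if the change happens (>= 0)."""
    return max(0.0, -change.utility_delta.get(stakeholder, 0.0))

def conflicting_incentive_risks(changes, risk_owner):
    """Return (name, actor incentive, risk to owner) for every change in which the
    actor gains while the risk owner loses, ordered by the owner's loss.
    Changes the actor has no incentive to make, or that do not hurt the owner,
    are not reported: the incentives do not conflict."""
    rows = []
    for c in changes:
        gain, loss = incentive(c), risk_to(c, risk_owner)
        if gain > 0 and loss > 0:
            rows.append((c.name, gain, loss))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample: a bank as risk owner, two other stakeholders as actors.
CHANGES = [
    StateChange("leak customer list", "contractor", {"contractor": 3.0, "bank": -8.0}),
    StateChange("skip patch window", "ops team", {"ops team": 1.0, "bank": -4.0}),
    StateChange("report phishing", "contractor", {"contractor": 0.5, "bank": 2.0}),
    StateChange("sabotage backups", "ops team", {"ops team": -2.0, "bank": -9.0}),
]

if __name__ == "__main__":
    for name, gain, loss in conflicting_incentive_risks(CHANGES, "bank"):
        print(f"{name:22s} actor gain {gain:+.1f}  bank loss {loss:.1f}")
```

Only the two changes where an actor gains and the bank loses appear in the output; "sabotage backups" is dropped because no actor perceives a gain from it, and "report phishing" because the bank is not harmed.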
© 2012 Springer-Verlag Berlin Heidelberg
Rajbhandari, L., Snekkenes, E. (2012). Intended Actions: Risk Is Conflicting Incentives. In: Gollmann, D., Freiling, F.C. (eds) Information Security. ISC 2012. Lecture Notes in Computer Science, vol 7483. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33383-5_23
DOI: https://doi.org/10.1007/978-3-642-33383-5_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33382-8
Online ISBN: 978-3-642-33383-5