Team for Research in
Ubiquitous Secure Technology

Security Decision-Making Among Interdependent Organizations
Ann Miura-Ko

Citation
Ann Miura-Ko. "Security Decision-Making Among Interdependent Organizations". Talk or presentation, 11, November, 2010.

Abstract
In various settings, such as when customers use the same passwords at several independent web sites, security decisions by one organization may have a significant impact on the security of another. We develop a model for security decision-making in such settings, using a variation of linear influence networks. The linear influence model uses a matrix to represent linear dependence between security investment at one organization and resulting security at another, and utility functions to measure the overall benefit to each organization. A simple matrix condition implies the existence and uniqueness of Nash equilibria, which can be reached by a natural iterative algorithm. A free-riding index, expressible using quantities computed in this model, measures the degree to which one organization can potentially reduce its security investment and benefit from investments of others. We apply this framework to investigate three examples: web site security with shared passwords, customer education against phishing and identity theft, and anti-spam email filters. While we do not have sufficient quantitative data to draw quantitative conclusions about any of these situations, the model provides qualitative information about each example.

Citation formats  
  • HTML
    Ann Miura-Ko. <a
    href="http://www.truststc.org/pubs/774.html"
    ><i>Security Decision-Making Among Interdependent
    Organizations</i></a>, Talk or presentation, 
    11, November, 2010.
  • Plain text
    Ann Miura-Ko. "Security Decision-Making Among
    Interdependent Organizations". Talk or presentation, 
    11, November, 2010.
  • BibTeX
    @presentation{MiuraKo10_SecurityDecisionMakingAmongInterdependentOrganizations,
        author = {Ann Miura-Ko},
        title = {Security Decision-Making Among Interdependent
                  Organizations},
        day = {11},
        month = {November},
        year = {2010},
        abstract = {In various settings, such as when customers use
                  the same passwords at several independent web
                  sites, security decisions by one organization may
                  have a significant impact on the security of
                  another. We develop a model for security
                  decision-making in such settings, using a
                  variation of linear influence networks. The linear
                  influence model uses a matrix to represent linear
                  dependence between security investment at one
                  organization and resulting security at another,
                  and utility functions to measure the overall
                  benefit to each organization. A simple matrix
                  condition implies the existence and uniqueness of
                  Nash equilibria, which can be reached by a natural
                  iterative algorithm. A free-riding index,
                  expressible using quantities computed in this
                  model, measures the degree to which one
                  organization can potentially reduce its security
                  investment and benefit from investments of others.
                  We apply this framework to investigate three
                  examples: web site security with shared passwords,
                  customer education against phishing and identity
                  theft, and anti-spam email filters. While we do
                  not have sufficient quantitative data to draw
                  quantitative conclusions about any of these
                  situations, the model provides qualitative
                  information about each example.},
        URL = {http://www.truststc.org/pubs/774.html}
    }
    

Posted by Larry Rohrbough on 7 Dec 2010.
Groups: trust

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.