10 research outputs found

    Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment

    We developed a simulation game to study the effectiveness of decision-makers in overcoming two complexities in building cybersecurity capabilities: potential delays in capability development; and uncertainties in predicting cyber incidents. Analyzing 1479 simulation runs, we compared the performances of a group of experienced professionals with those of an inexperienced control group. Experienced subjects did not understand the mechanisms of delays any better than inexperienced subjects; however, experienced subjects were better able to learn the need for proactive decision-making through an iterative process. Both groups exhibited similar errors when dealing with the uncertainty of cyber incidents. Our findings highlight the importance of training for decision-makers with a focus on systems thinking skills, and lay the groundwork for future research on uncovering mental biases about the complexities of cybersecurity.
    Keywords: Cybersecurity; Decision-making; Simulation; Capability developmen

    ๋„คํŠธ์›Œํฌ ๊ธฐ๋ฐ˜ ๊ฐ€์ƒ ์‚ฌํšŒ์˜ ์‹ ๋ขฐ ๊ตฌ์ถ• ๋ฒ•์น™๊ณผ ์‹ ๋ขฐ ๊ด€๋ฆฌ

    Doctoral dissertation, Seoul National University Graduate School, Interdisciplinary Program in Technology Management, Economics and Policy, August 2012. ํ™ฉ์ค€์„.
    The losses a participant can suffer in a virtual society fall broadly into harm inflicted by other participants regarded as members of the virtual community and harm inflicted by counterparts outside the community. The risks and uncertainties caused by community participants, in turn, arise from information asymmetry: the counterpart's type is hidden or its actions are hidden. Harm from members of the virtual community can be mitigated in the first instance by gradually screening for good-quality trading partners, updating the screening criteria through autonomous repeated communication and learning among members. However, even a member who has entered the community through the screening process still has an incentive to defect; this can be mitigated by continued repeated communication among members, such as reputation, or by the secondary means of intervention by a trusted third party. Harm from counterparts outside the community, on the other hand, must be mitigated by technical defence at the level of the whole community and, at the same time, by individuals investing in advance to prevent harm. This study approaches the criteria for forming a community, the methods for managing it, and investment in defence against outsiders, all aimed at mitigating, preventing and defending against participants' losses in a virtual society, from the standpoint of securing efficiency for both society and the individual, and seeks to propose the best policies.
    First, a trust signaling game model is constructed as the criterion by which participants in an Internet-based virtual society screen counterparts and form a community, and a signaling-cost-based system is presented for identifying trustworthy counterparts from signals alone. Trading with counterparts identified through signals in this way is not socially optimal under some conditions; to be efficient from a social-welfare standpoint, a choice must be made between two policies: designing the signaling system or regulating low-trustworthiness users. Reputation, the method traditionally used to choose counterparts, can be regarded as a kind of signaling system; once members have entered the community through the signaling system, it becomes necessary to manage them. In this process a tension arises between guaranteeing collective trust and protecting individual privacy. Monitoring and punishment are proposed as policy variables to resolve this, and their optimal levels are presented. The policy of the trusted third party introduced to maintain the soundness of the whole transacting or communicating community is therefore important. Finally, when individuals trade with one another while investing to protect their own privacy, a strategy needs to be formulated from the defender's standpoint. This study proposes a decision-making model that treats the attacker as one more game participant and takes the attacker's incentives into account. According to the results obtained from the analytical and experimental models of the game, the larger the attacker's ratio of gain to loss, the smaller the expected benefit of security investment. The optimal amount and timing of investment that maximise the expected benefit of security investment are also presented.
    It concludes that an appropriate security-investment portfolio needs to be composed according to the types and probabilities of expected attacks, and presents hypothetical portfolios for several cases.
    The uncertainties and risks in a virtual society can be divided into those posed by a member of the community and those posed by an outsider of the community. The uncertainties and risks from a member of the community can be further divided into those stemming from the hidden type problem and those stemming from the hidden action problem in the context of information asymmetry. These uncertainties and risks posed by community members can be alleviated by a prudently designed selection mechanism that uses repeated communication and learning. Nevertheless, there exists an incentive to commit a violation for a community member who is selected by the selection mechanism. A complementary mechanism such as reputation or third party intervention is therefore required to resolve this problem. On the other hand, the alleviation of the uncertainty or risk posed by an outsider of the community requires the effort of the entire community and individual investment by each community member to protect their information and systems. Enhancing trust is a critical factor in the development of virtual and offline societies. Just as various policy tools have been used continuously to build trust in the real society, various policy guidelines also need to be suggested to build trust in the virtual society. Although previous studies have focused on suggesting policy guidelines based on observed phenomena, this study provides the theoretical foundation for analyzing the process of trust building in various environments of virtual society using the game theory approach. The theoretical analysis in this research suggests that the most critical task is to make a pool of trustworthy providers to establish an efficient market.
    Prudent policies also need to be designed to differentiate the signaling costs for different types of providers. The trusted third party method can be one of the possible alternatives. As this study suggests, even in a trustworthy market, minimum monitoring and penalty contracts are necessary and individual users need to invest in optimal security. This research also contributes to the development of a new trust-management mechanism that is not only more objective and robust but also has a simple structure that can be easily understood by users in the virtual society. Existing studies have merely focused on one of the two conflicting values or indicated the limitations of pervasive reputation mechanisms. Moreover, flexible monitoring levels cannot be chosen when the service participants are highly concerned about their privacy or when the expected loss from the invasion of privacy is high. In such cases, the level of punishment is inevitably high; legal enforcement is therefore required to complement the voluntary punishment scheme for virtual society models such as the utility-computing service market. Finally, this research contributes to the decision-making process of the defender. The proposed model gives a defender more practical instruments to decide the optimal level of security investment through consideration of the attacker's strategic decisions. The majority of existing studies have considered only the defender's perspective and have regarded the actions of attackers as a given. The last analysis suggested a model of interdependent decision-making processes of two players behaving strategically. The strategic attacker bases its strategies, such as attack frequency, on the actions of the defender, whereas the strategic defender bases its strategies, such as the level of security investment, on the actions of the attacker.
    The model used in this study aims to provide the defender more practical instruments to determine the optimal level of security investment through the consideration of the attacker's decision-making process.
    Table of contents:
    Chapter 1. Introduction
      1.1 Research Background
        1.1.1 The characteristics of a virtual society
        1.1.2 Approaches to investigation of virtual society
      1.2 Problem Statement
      1.3 Approach and Conceptual Framework
      1.4 Research Questions
      1.5 Outlines of the study
    Chapter 2. Literature Review
      2.1 Research on trust building in various contexts
        2.1.1 Social dilemmas and trust
        2.1.2 Traditional and behavioral approaches of game theory
        2.1.3 Trust concepts in various contexts
      2.2 Mechanisms to develop a trustworthy environment
        2.2.1 Signaling game approaches
        2.2.2 Prisoner's dilemma game approaches
        2.2.3 Trusted third party interventions
        2.2.4 Private solutions by individual dimension
        2.2.5 Other game theoretical approaches
      2.3 Agent based simulation
    Chapter 3. Trust Signaling Game as a Fundamental Rule of Transactions on the Internet Based Virtual Society
      3.1 Introduction
      3.2 Model Description
      3.3 Equilibrium Analysis
        3.3.1 Separating equilibrium
        3.3.2 Pooling equilibrium
        3.3.3 The existence condition of the equilibrium
        3.3.4 The social optimality of the equilibrium
        3.3.5 The continuous needs of costly signals
        3.3.6 The dynamics of the trust equilibrium shifts
      3.4 The Simulation and Results
        3.4.1 The simulation overview
        3.4.2 The simulation description
        3.4.3 The simulation results
        3.4.4 The comparison with equilibrium analysis
      3.5 Conclusion and Discussion
    Chapter 4. Balancing between Privacy Protection and Security Robustness
      4.1 Introduction
      4.2 Motivation and Related Works
        4.2.1 Prisoner's dilemma
        4.2.2 Demerits of the reputation mechanism
      4.3 Model Description
        4.3.1 Game Design
        4.3.2 Investment in privacy protection
        4.3.3 Implications
      4.4 Simulation
        4.4.1 Simulation Architecture
        4.4.2 Simulation Results
      4.5 Model Validation and Adaptation
        4.5.1 Robustness against unfair or biased ratings
        4.5.2 Long-term accuracy of the trust level
        4.5.3 Validation and Sensitivity test
      4.6 Conclusion and Discussion
    Chapter 5. Modeling the Defender's Strategic Decision Process in Security Investment
      5.1 Introduction
      5.2 Model
        5.2.1 Motivation
        5.2.2 Attacker's behavior
        5.2.3 Defender's behavior
      5.3 Equilibrium Analysis
        5.3.1 Simultaneous game
        5.3.2 Sequential game
        5.3.3 Comparison of the equilibria
      5.4 Comparative Statics
      5.5 Conclusion and Discussion
    Chapter 6. Discussion and Policy Implication
      6.1 Results Summary and Discussion
      6.2 Contributions and Policy Implications
      6.3 Future Research
    Docto

    Exploring the influence of organisational, environmental, and technological factors on information security policies and compliance at South African higher education institutions: Implications for biomedical research.

    Magister Scientiae - MSc
    Headline reports on data breaches worldwide have resulted in heightened concerns about information security vulnerability. In Africa, South Africa is ranked among the top 'at-risk' countries with information security vulnerabilities and is the most cybercrime-targeted country. Globally, such cyber vulnerability incidents greatly affect the education sector, due, in part, to the fact that it holds more Personal Identifiable Information (PII) than other sectors. PII refers to (but is not limited to) ID numbers, financial account numbers, and biomedical research data. In response to rising threats, South Africa has implemented a regulation called the Protection of Personal Information Act (POPIA), similar to the European Union General Data Protection Regulation (GDPR), which seeks to mitigate cybercrime and information security vulnerabilities. The extent to which African institutions, especially in South Africa, have embraced and responded to these two information security regulations remains vague, making it a crucial matter for biomedical researchers. This study aimed to assess whether the participating universities have proper and reliable information security practices, measures and management in place and whether they fall in line with both national (POPIA) and international (GDPR) regulations. In order to achieve this aim, the study undertook a qualitative exploratory analysis of information security management across three universities in South Africa. A Technology, Organizational, and Environmental (TOE) model was employed to investigate factors that may influence effective information security measures. A purposeful sampling method was employed to interview participants from each university.
    From the technological standpoint, the Bring Your Own Device (BYOD) policy, under which a student on average owns and connects between three and four internet-enabled devices to the network, has created difficulties for IT teams, particularly in the areas of authentication, explosive growth in bandwidth, and access control to secure university servers. In order to develop robust solutions that mitigate these concerns without being perceived by users as overly prohibitive, executive management should acknowledge that security and privacy issues are a universal problem and not solely an IT problem, and should equip the IT teams with the necessary tools and mechanisms to allow them to overcome commonplace challenges. At an organisational level, information security awareness training of all users within the university setting was identified as a key factor in protecting the integrity, confidentiality, and availability of information in highly networked environments. Furthermore, the University's information security mission must not simply be a link on a website; it should be constantly reinforced by informing users during, and after, the awareness training. In terms of environmental factors, specifically the GDPR and POPIA legislation, one of the most practical and cost-effective ways universities can achieve data compliance requirements is to help staff (both teaching and non-teaching), students, and other employees understand the business value of all information. Users who are more aware of the sensitivity of data, the risks to the data, and their responsibilities when handling, storing, processing, and distributing data during their day-to-day activities will behave in a manner that makes compliance easier at the institutional level. Results obtained in this study helped to elucidate the current status, issues, and challenges which universities are facing in the area of information security management and compliance, particularly in the South African context.
    Findings from this study point to organizational factors being the most critical when compared to the technological and environmental contexts examined. Furthermore, several proposed information security policies were developed with a view to assisting biomedical practitioners within the institutional setting in protecting sensitive biomedical data.