5,329 research outputs found

    Investing in Prevention or Paying for Recovery - Attitudes to Cyber Risk

    The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link. Broadly speaking an individual can invest time and effort to avoid becoming victim to a cyber attack and/or they can invest resource in recovering from any attack. We introduce a new game called the prevention and recovery game to study this trade-off. We report results from the experimental lab that allow us to categorize different approaches to risk taking. We show that many individuals appear relatively risk loving in that they invest in recovery rather than prevention. We find little difference in behavior between a gain and loss framing

    The power of indirect social ties

    While direct social ties have been intensely studied in the context of computer-mediated social networks, indirect ties (e.g., friends of friends) have seen little attention. Yet in real life, we often rely on friends of our friends for recommendations (of good doctors, good schools, or good babysitters), for introduction to a new job opportunity, and for many other occasional needs. In this work we attempt to 1) quantify the strength of indirect social ties, 2) validate it, and 3) empirically demonstrate its usefulness for distributed applications on two examples. We quantify social strength of indirect ties using a(ny) measure of the strength of the direct ties that connect two people and the intuition provided by the sociology literature. We validate the proposed metric experimentally by comparing correlations with other direct social tie evaluators. We show via data-driven experiments that the proposed metric for social strength can be used successfully for social applications. Specifically, we show that it alleviates known problems in friend-to-friend storage systems by addressing two previously documented shortcomings: reduced set of storage candidates and data availability correlations. We also show that it can be used for predicting the effects of a social diffusion with an accuracy of up to 93.5%. Comment: Technical Repor

    A Case of Sesame Seeds: Growing and Nurturing Credentials in the Face of Mimicry

    The purpose of this paper is to put the study of mimicry on the information security research map. Mimicry in humans has received little scholarly attention. Sociologist Diego Gambetta has constructed a framework that enables reasoning about episodes of mimicry based on trust in signs. By looking at the problem of phishing the applicability of this framework to problems of mimicry in information security system was tested. It was found that while the framework offers valuable insights, it needs to be updated since the assumptions that it makes do not hold in practice. A new framework is proposed, built on the core ideas of Gambetta’s framework, and extended with results from a literature study of phishing and other sources. This framework has been used for finding possible solutions to problems in web browser interface design. Because the nature of authentication was found to be the observation of discriminatory signals the paper also discusses the ethical issues surrounding the use of credentials. We hope that this paper will help system designers in finding and choosing appropriate credentials for authentication. By using the proposed framework a system can be analysed for the presence of credentials that enable the discrimination between genuine users and impostors. The framework can also serve as a method for identifying the dynamics behind user verification of credentials. The two problems that the framework can help address are the impersonation of providers and the impersonation of users. Like much other security research the results of this paper can be misused by attackers. It is expected that the framework will be more useful for defenders than attackers, as it is of an analytical nature, and cannot be used directly in any attacks. Since this study is of an exploratory nature the findings of the study need to be verified through research with greater validity. The paper contains directions for further research

    An Experimental Investigation of Simultaneous Multi-battle Contests with Complementarities

    This paper reports the results of laboratory experiments that are designed to test theoretical predictions in a multi-battle contest with value complementarities among the battles. The specific setting is a game of Hex where control of each region is determined by a Tullock contest and the overall winner is determined by the combination of claimed regions. We find that in a game with only a few regions, aggregate behavior across regions is largely consistent with the theoretical predictions. However, examining individual level behavior suggests that bidders are not behaving in accordance with the model, but often pursue specific winning combinations. This intuitive behavioral approach is also found to occur in larger games where the theory is undeveloped

    Data Science Solution for User Authentication

    User authentication is considered a key factor in almost any software system and is often the first layer of security in the digital world. Authentication methods utilize one, or a combination of up to two, of the following factors: something you know, something you have and something you are. To prevent serious data breaches that have occurred using the traditional authentication methods, a fourth factor, something you do, is being discussed among researchers; unfortunately, methods that rely on this fourth factor have problems of their own. This thesis addresses the issues of the fourth authentication factor and proposes a data science solution for user authentication. The new solution is based on something you do and relies on analytic techniques to transfer Big data characteristics (volume, velocity and variety) into relevant security user profiles. Users’ information will be analyzed to create behavioral profiles. Just-in-time challenging questions are generated by these behavioral profiles, allowing an authentication on demand feature to be obtained. The proposed model assumes that the data is received from different sources. This data is analyzed using collaborative filtering (CF), a learning technique, that builds up knowledge by aggregating the collected users’ transaction data to identify information of security potential. Four use case scenarios were evaluated regarding the proposed model’s proof of concept. Additionally, a web based case study using MovieLens public dataset was implemented. Results show that the proposed model is successful as a proof of concept. The experiment confirms the potential of applying the proposed approach in real life as a new authentication method, leveraging the characteristics of Big data: volume, velocity and variety

    On the Provision of Public Goods on Networks: Incentives, Exit Equilibrium, and Applications to Cyber .

    Attempts to improve the state of cyber-security have been on the rise over the past years. The importance of incentivizing better security decisions by users in the current landscape is two-fold: it not only helps users protect themselves against attacks, but also provides positive externalities to others interacting with them, as a protected user is less likely to become compromised and be used to propagate attacks against other entities. Therefore, security can be viewed as a public good. This thesis takes a game-theoretic approach to understanding the theoretical underpinnings of users' incentives in the provision of public goods, and in particular, cyber-security. We analyze the strategic interactions of users in the provision of security as a non-excludable public good. We propose the notion of exit equilibrium to describe users' outside options from mechanisms for incentivizing the adoption of better security decisions, and use it to highlight the crucial effect of outside options on the design of incentive mechanisms for improving the state of cyber-security. We further focus on the general problem of public good provision games on networks. We identify necessary and sufficient conditions on the structure of the network for the existence and uniqueness of the Nash equilibrium in these games. We show that previous results in the literature can be recovered as special cases of our result. We provide a graph-theoretical interpretation of users' efforts at the Nash equilibria, Pareto efficient outcomes, and semi-cooperative equilibria of these games, by linking users' effort decisions to their centralities in the interaction network. Using this characterization, we separate the effects of users' dependencies and influences (outgoing and incoming edges, respectively) on their effort levels, and uncover an alternating effect over walks of different length in the network. 
    We also propose the design of inter-temporal incentives in a particular type of security games, namely, security information sharing agreement. We show that either public or private assessments can be used in designing incentives for participants to disclose their information in these agreements. Finally, we present a method for crowdsourcing reputation that can be useful in attaining assessments of users' efforts in security games. PhD. Electrical Engineering: Systems. University of Michigan, Horace H. Rackham School of Graduate Studies. http://deepblue.lib.umich.edu/bitstream/2027.42/133328/1/naghizad_1.pd

    AN INVESTIGATION OF DECISION-MAKING AND THE TRADEOFFS INVOLVING COMPUTER SECURITY RISK

    Individual decision making in computer security risk plays a critical role in successful information security management. This paper describes a study that investigated how individuals make tradeoffs regarding computer security risk. The study asked subjects to make decisions on two hypothetical scenarios in which subjects were asked to choose between avoiding computer security risk and accepting a reward. We found that individual computer security risk perception, culture and security skills have an impact on their decisions regarding trading off computer security with rewards

    Proceedings of the CUNY Games Conference 6.0

    The CUNY Games Network is an organization dedicated to encouraging research, scholarship and teaching in the developing field of games-based learning. We connect educators from every campus and discipline at CUNY and beyond who are interested in digital and non-digital games, simulations, and other forms of interactive teaching and inquiry-based learning. These proceedings summarize the CUNY Games Conference 6.0, where scholars shared research findings at a three-day event to promote and discuss game-based pedagogy in higher education. Presenters could share findings in oral presentations, posters, demos, or play testing sessions. The conference also included workshops on how to modify existing games for the classroom, how to incorporate elements of play into simulations and critical thinking activities, math games, and how to create computer games