83 research outputs found
ZETAR: Modeling and Computational Design of Strategic and Adaptive Compliance Policies
Security compliance management plays an important role in mitigating insider
threats. Incentive design is a proactive and non-invasive approach to achieving
compliance by aligning an employee's incentive with the defender's security
objective. Controlling insiders' incentives to elicit proper actions is
challenging because they are neither precisely known nor directly controllable.
To this end, we develop ZETAR, a zero-trust audit and recommendation framework,
to provide a quantitative approach to model incentives of the insiders and
design customized and strategic recommendation policies to improve their
compliance. We formulate primal and dual convex programs to compute the optimal
bespoke recommendation policies. We create a theoretical underpinning for
understanding trust and compliance, and it leads to security insights,
including fundamental limits of Completely Trustworthy (CT) recommendation, the
principle of compliance equivalency, and strategic information disclosure. This
work proposes finite-step algorithms to efficiently learn the CT policy set
when employees' incentives are unknown. Finally, we present a case study to
corroborate the design and illustrate a formal way to achieve compliance for
insiders with different risk attitudes. Our results show that the optimal
recommendation policy leads to a significant improvement in compliance for
risk-averse insiders. Moreover, CT recommendation policies promote insiders'
satisfaction
- …