A Prospect Theory approach to Security

The correct control of security often depends on decisions made under uncertainty. Using quantified information about risk, one may hope to achieve more precise control by making better decisions. We discuss and examine how Prospect Theory, the major descriptive theory of risky decisions, predicts that such decisions will go wrong, and whether such problems may be corrected.
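
The abstract says Prospect Theory predicts where risk-based security decisions go wrong. The following Python example is added here and is not part of the paper: it implements the cumulative prospect theory value function and probability-weighting function with the median parameter estimates reported by Tversky and Kahneman (1992), and applies them to two constructed control-purchase decisions to show where a prospect-theoretic decision maker departs from the expected-loss benchmark. The function names (`value`, `weight`, `prospect_value`, `decide`), the breach probabilities, loss amounts and control prices are all the example's own assumptions.

```python
# Cumulative prospect theory (CPT) applied to a security control decision.
# Parameter values are the median estimates reported by Tversky & Kahneman (1992);
# the breach scenarios and control prices below are constructed for illustration.

ALPHA = 0.88    # curvature of the value function for gains
BETA = 0.88     # curvature of the value function for losses
LAMBDA = 2.25   # loss aversion: a loss weighs about 2.25x an equal gain
GAMMA = 0.61    # probability-weighting parameter for gains
DELTA = 0.69    # probability-weighting parameter for losses


def value(x):
    """CPT value function: concave for gains, convex and steeper for losses."""
    if x >= 0:
        return x ** ALPHA
    return -LAMBDA * ((-x) ** BETA)


def weight(p, param):
    """Inverse-S probability weighting: overweights small p, underweights large p."""
    if p <= 0.0:
        return 0.0
    if p >= 1.0:
        return 1.0
    return p ** param / (p ** param + (1.0 - p) ** param) ** (1.0 / param)


def expected_value(prospect):
    """Risk-neutral benchmark: sum of probability-weighted outcomes."""
    return sum(p * x for x, p in prospect)


def prospect_value(prospect):
    """CPT value of a prospect given as (outcome, probability) pairs.

    Decision weights are rank dependent: an outcome's weight is the difference
    of weight() at the cumulative probability of outcomes at least as extreme
    and at the cumulative probability of strictly more extreme ones, so the
    weights need not sum to one. Zero outcomes contribute nothing.
    """
    gains = sorted(((x, p) for x, p in prospect if x > 0), reverse=True)  # best first
    losses = sorted((x, p) for x, p in prospect if x < 0)                 # worst first
    total = 0.0
    cum = 0.0
    for x, p in gains:
        total += (weight(cum + p, GAMMA) - weight(cum, GAMMA)) * value(x)
        cum += p
    cum = 0.0
    for x, p in losses:
        total += (weight(cum + p, DELTA) - weight(cum, DELTA)) * value(x)
        cum += p
    return total


def decide(gamble, control):
    """Compare 'accept the risk' (gamble) with 'buy the control' (control).

    Returns (ev_buys, cpt_buys): whether a risk-neutral decision maker and a
    prospect-theoretic one, respectively, prefer buying the control.
    """
    ev_buys = expected_value(control) > expected_value(gamble)
    cpt_buys = prospect_value(control) > prospect_value(gamble)
    return ev_buys, cpt_buys


# Constructed scenario A: rare catastrophic breach (1% chance of a 1,000,000 loss)
# versus a control that removes it for a certain 15,000 (above the 10,000 expected loss).
RARE_BREACH = [(-1_000_000, 0.01), (0, 0.99)]
RARE_CONTROL = [(-15_000, 1.0)]

# Constructed scenario B: frequent moderate loss (40% chance of a 25,000 loss)
# versus a control priced at 9,000 (below the 10,000 expected loss).
FREQUENT_BREACH = [(-25_000, 0.40), (0, 0.60)]
FREQUENT_CONTROL = [(-9_000, 1.0)]

if __name__ == "__main__":
    for name, gamble, control in [("rare", RARE_BREACH, RARE_CONTROL),
                                  ("frequent", FREQUENT_BREACH, FREQUENT_CONTROL)]:
        ev_buys, cpt_buys = decide(gamble, control)
        print(f"{name}: expected loss {-expected_value(gamble):.0f} vs control cost "
              f"{-expected_value(control):.0f}; risk-neutral buys={ev_buys}, "
              f"prospect-theory buys={cpt_buys}")
```

In scenario A the 1% probability receives a decision weight of roughly 4%, so the control looks worth buying even though its price exceeds the expected loss; in scenario B the convex loss branch of the value function makes the certain cost feel worse than the gamble, so the control is rejected even though it is cheaper than the expected loss. A risk assessment that reports expected loss alone surfaces neither discrepancy, which is the kind of systematic error the abstract refers to.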
