Compliance signaling games: toward modeling the deterrence of insider threats

In a typical workplace, organizational policies and their compliance requirements set the stage upon which the behavioral patterns of individual agents evolve. The agents’ personal utilities, access to information, and strategic deceptions shape the signaling systems of an intricate information-asymmetric game, thus mystifying assessment and management of organizational risks, which are primarily due to unintentional insider threats. Compliance games, as discussed here, model a rudimentary version of this signaling game between a sender (employee) and a receiver (organization). The analysis of these games’ equilibria as well as their dynamics in repeated game settings illuminate the effectiveness or risks of an organizational policy. These questions are explored via a repeated and agent-based simulation of compliance signaling games, leading to the following: (1) a simple but broadly applicable model for interactions between sender agents (employees) and receiver agents (principals in the organization), (2) an investigation of how the game theoretic approach yields the plausible dynamics of compliance, and (3) design of experiments to estimate parameters of the systems: evolutionary learning rates of agents, the efficacy of auditing using a trembling hand strategy, effects of non-stationary and multiple principal agents, and ultimately, the robustness of the system under perturbation of various related parameters (costs, penalties, benefits, etc.). The paper concludes with a number of empirical studies, illustrating a battery of compliance games under varying environments designed to investigate agent based learning, system control, and optimization. The studies indicate how agents through limited interactions described by behavior traces may learn and optimize responses to a stationary defense, expose sensitive parameters and emergent properties and indicate the possibility of controlling interventions which actuate game parameters. We believe that the work is of practical importance—for example, in constraining the vulnerability surfaces arising from compliance games.

[1]  David Lewis Convention: A Philosophical Study , 1986 .

[2]  Brian Skyrms,et al.  Emergence of Information Transfer by Inductive Learning , 2008, Stud Logica.

[3]  W. Hamilton,et al.  The evolution of cooperation. , 1984, Science.

[4]  Johnny Long,et al.  No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing , 2008 .

[5]  Martin A. Nowak,et al.  Chromodynamics of Cooperation in Finite Populations , 2007, PloS one.

[6]  Quanyan Zhu,et al.  Game theory meets network security and privacy , 2013, CSUR.

[7]  R. Axelrod The Complexity of Cooperation: Agent-Based Models of Competition and Collaboration , 1997, Canadian Journal of Political Science.

[8]  Dawn M. Cappelli,et al.  The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes , 2012 .

[9]  Quanyan Zhu,et al.  Deceptive routing games , 2012, 2012 IEEE 51st IEEE Conference on Decision and Control (CDC).

[10]  Sholom Cohen,et al.  Analysis of Unintentional Insider Threats Deriving from Social Engineering Exploits , 2014, 2014 IEEE Security and Privacy Workshops.

[11]  Quanyan Zhu,et al.  Deployment and exploitation of deceptive honeybots in social networks , 2012, 52nd IEEE Conference on Decision and Control.

[12]  Ken Binmore,et al.  Evolution and Mixed Strategies , 2001, Games Econ. Behav..

[13]  Brian Skyrms,et al.  Signals: Evolution, Learning, and Information , 2010 .

[14]  W. Hamilton,et al.  The Evolution of Cooperation , 1984 .

[15]  David G. Rand,et al.  Direct reciprocity in structured populations , 2012, Proceedings of the National Academy of Sciences.

[16]  Jonathan M. Spring,et al.  Cyber Security via Signaling Games: Toward a Science of Cyber Security , 2014, ICDCIT.

[17]  Michael J. Graetz,et al.  The Tax Compliance Game: Toward an Interactive Theory of Law Enforcement , 1986 .

[18]  Quanyan Zhu,et al.  Game Theory Meets Network Security: A Tutorial , 2018, CCS.

[19]  Kevin J. S. Zollman,et al.  Evolutionary Dynamics of Lewis Signaling Games: , 2007 .

[20]  Simon M. Huttegger Signals: Evolution, Learning and InformationBy Brian Skyrms , 2011 .

[21]  M. Spence Job Market Signaling , 1973 .

[22]  L. Samuelson,et al.  Evolutionary stability in repeated games played by finite automata , 1992 .

[23]  Bud Mishra,et al.  What can information-asymmetric games tell us about the context of Crick's ‘frozen accident’? , 2013, Journal of The Royal Society Interface.

[24]  Christopher Hadnagy,et al.  Unmasking the Social Engineer: The Human Element of Security , 2014 .

[25]  Kevin J. S. Zollman,et al.  Evolutionary dynamics of Lewis signaling games: signaling systems vs. partial pooling , 2007, Synthese.

[26]  Robert Jervis,et al.  System Effects: Complexity in Political and Social Life , 1997 .

[27]  V. Jansen,et al.  Altruism through beard chromodynamics , 2006, Nature.

[28]  F. Fukuyama,et al.  The End of History, or a New Crisis?@@@The End of History and the Last Man. , 1993 .

[29]  R. Axelrod Reviews book & software , 2022 .

[30]  Salvatore J. Stolfo,et al.  Software decoys for insider threat , 2012, ASIACCS '12.