Intended Actions: Risk Is Conflicting Incentives

Most methods for risk analysis take the view that risk is a combination of consequence and likelihood. Often, this is translated into an expert elicitation activity where likelihood is interpreted as (qualitative/subjective) probabilities or rates. However, for cases where there is little data to validate probability or rate claims, this approach breaks down. In our Conflicting Incentives Risk Analysis (CIRA) method, we model risks in terms of conflicting incentives, where the risk analyst's subjective probabilities are traded for stakeholder-perceived incentives. The objective of CIRA is to provide an approach in which the input parameters can be audited more easily. The main contribution of this paper is to show how ideas from game theory, economics, psychology, and decision theory can be combined to yield a risk analysis process. In CIRA, risk magnitude is related to the magnitude of changes to perceived utility caused by potential state changes. This setting can be modeled by a one-shot game in which we investigate the degree of desirability the players perceive potential changes to have.
