Risk Analysis Using "Conflicting Incentives" as an Alternative Notion of Risk

With the advancement of information technology, the risk to privacy is growing as identity information is used ever more widely. This paper discusses some of the key issues related to the use of game theory in privacy risk analysis. With game theory, risk analysis can be based on preferences or values of benefit that the subjects themselves can provide, rather than on subjective probability. It can also be used in settings where no actuarial data is available. This may increase the quality and appropriateness of the overall risk analysis process. A simple privacy scenario between a user and an online bookstore is presented to provide an initial understanding of the concept.
