Audit Games

Effective enforcement of laws and policies requires expending resources to prevent and detect offenders, as well as appropriate punishment schemes to deter violators. In particular, enforcement of privacy laws and policies in modern organizations that hold large volumes of personal information (e.g., hospitals, banks) relies heavily on internal audit mechanisms. We study economic considerations in the design of these mechanisms, focusing in particular on effective resource allocation and appropriate punishment schemes. We present an audit game model that is a natural generalization of a standard security game model for resource allocation with an additional punishment parameter. Computing the Stackelberg equilibrium for this game is challenging because it involves solving an optimization problem with non-convex quadratic constraints. We present an additive FPTAS that efficiently computes the solution.
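To make the model concrete, the following is an added worked example, not code from the paper or its authors. It sets up a toy audit game in the spirit of the abstract: one auditor spread over two targets as audit probabilities p, plus a punishment level x in [0, X] that is subtracted from the attacker's payoff only when the attack is audited, while the defender pays a linear cost a*x for committing to it. The attacker observes (p, x) and best-responds, so the defender's problem is a Stackelberg optimization. Rather than the paper's FPTAS, the example solves it by brute-force grid search, and it exposes the incentive-compatibility gap so the non-convexity of the p*x constraint can be checked directly. The payoff numbers, the helper names and the exact payoff form are assumptions of this example.

```python
"""Toy audit game solved by brute-force grid search (added example, not the paper's code).

Model assumed here: defender commits to audit probabilities p (one auditor,
sum p = 1) and a punishment level x in [0, X]; the attacker observes (p, x)
and attacks one target. Punishment is subtracted from the attacker's payoff
only if the attack is audited; the defender pays a * x for committing to x.
All numbers below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product

EPS = 1e-9  # tolerance for floating-point ties


@dataclass(frozen=True)
class Target:
    name: str
    def_caught: float   # defender payoff if an attack here is audited
    def_missed: float   # defender payoff if it is not audited (worse than def_caught)
    adv_caught: float   # attacker payoff if audited, before punishment is applied
    adv_missed: float   # attacker payoff if not audited


def attacker_utility(t: Target, p_t: float, x: float) -> float:
    """Attacker's expected payoff for hitting t: punishment x only bites when caught."""
    return p_t * (t.adv_caught - x) + (1.0 - p_t) * t.adv_missed


def defender_utility(t: Target, p_t: float, x: float, a: float) -> float:
    """Defender's expected payoff when t is attacked, net of the punishment cost a * x."""
    return p_t * t.def_caught + (1.0 - p_t) * t.def_missed - a * x


def best_response(targets, p, x, a) -> int:
    """Index of the target a rational attacker picks; ties go to the defender (strong Stackelberg)."""
    utils = [attacker_utility(t, p_i, x) for t, p_i in zip(targets, p)]
    top = max(utils)
    tied = [i for i, u in enumerate(utils) if u >= top - EPS]
    return max(tied, key=lambda i: defender_utility(targets[i], p[i], x, a))


def ic_gap(targets, attacked: int, p, x) -> float:
    """By how much the attacker prefers `attacked` over the best alternative target.

    The gap contains p_i * x products, so the feasible set {(p, x): gap >= 0} is
    in general not convex: that is the non-convex quadratic constraint in the abstract.
    """
    own = attacker_utility(targets[attacked], p[attacked], x)
    others = [attacker_utility(t, p_i, x)
              for i, (t, p_i) in enumerate(zip(targets, p)) if i != attacked]
    return own - max(others)


def simplex_grid(n: int, steps: int):
    """All probability vectors of length n with entries k/steps that sum to 1."""
    for ks in product(range(steps + 1), repeat=n - 1):
        if sum(ks) <= steps:
            yield tuple(k / steps for k in ks) + ((steps - sum(ks)) / steps,)


def solve_stackelberg(targets, max_punish: float, a: float, steps: int = 50):
    """Grid-search the defender's commitment; returns (defender utility, p, x, attacked target name)."""
    best = None
    for p in simplex_grid(len(targets), steps):
        for j in range(steps + 1):
            x = max_punish * j / steps
            i = best_response(targets, p, x, a)
            u = defender_utility(targets[i], p[i], x, a)
            if best is None or u > best[0] + EPS:
                best = (u, p, x, targets[i].name)
    return best


# Constructed instance: target A is worth four times target B to both sides.
TARGETS = (
    Target("A", def_caught=0.0, def_missed=-4.0, adv_caught=0.0, adv_missed=4.0),
    Target("B", def_caught=0.0, def_missed=-1.0, adv_caught=0.0, adv_missed=1.0),
)
MAX_PUNISH = 5.0

if __name__ == "__main__":
    for a in (1.0, 0.01):  # expensive punishment vs. cheap punishment
        u, p, x, who = solve_stackelberg(TARGETS, MAX_PUNISH, a)
        print(f"a={a}: defender utility {u:.3f}, p={p}, x={x}, attacker hits {who}")
    # Two (p, x) points where the attacker still prefers A, whose midpoint flips to B:
    for pa, x in ((0.55, 5.0), (0.78, 0.0), ((0.55 + 0.78) / 2, 2.5)):
        print(f"p_A={pa:.3f}, x={x}: gap for A = {ic_gap(TARGETS, 0, (pa, 1 - pa), x):+.3f}")
```

With expensive punishment (a = 1) the grid optimum audits A with probability 0.8 and sets x = 0; with cheap punishment (a = 0.01) the defender shifts coverage toward A, pays for a positive x, and steers the attacker to the low-value target B at a better defender utility. The last loop shows why the paper cannot simply hand the problem to a convex solver: the two endpoint commitments both keep the attacker on A, but their midpoint does not, so the feasible region for "attacker hits A" is non-convex in (p, x).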
