sushmita - Incentives and Information Security R. Anderson,...

Incentives and Information Security
R. Anderson, T. Moore, S. Nagaraja and A. Ozment
November 24, 2009

Motivation

Many systems fail not ultimately for technical reasons but because incentives are wrong. They also fail when crucial information is missing or withheld from one of the principal players. Measuring information security poses additional challenges. The principals want to optimize both the security level and the investment associated with securing the software and the entire system.

1. Misaligned Incentives
2. Informational Asymmetries

Economics of Information Security: Misaligned Incentives

Bank fraud: U.S. banks are liable for the costs of card fraud. U.K. banks could often get away with a lot less. Yet U.K. banks spent more on security and suffered more fraud.

Privacy failures in health care: Hospital directors' and insurance agencies' interests are not aligned with those of the patients.

Economics of Information Security: Informational Asymmetries

Informational asymmetries arise in games where one player has more information about the game state than the opponent, or where one player can make moves that become known only with a certain probability.

Types of informational asymmetries relevant to information security:

1. Hidden Action Attacks: Difficulty of observing others' activities facilitates some attacks.
2. Hidden Information Attacks: Caused by our inability to effectively measure the security of software.

Hidden-Action Attacks

Examples:

Insurance: Reckless behavior on the part of the insured.

Computer networks are naturally susceptible to hidden-action attacks: routers drop packets or falsify responses to routing requests, redirect traffic to eavesdrop, etc.

Peer-to-peer networks: a node can join, transact with any other and leave rapidly, making observation and penalty unlikely....

This note was uploaded on 12/08/2011 for the course CIS 677 taught by Professor Michaelkearns during the Fall '09 term at Pennsylvania State University, University Park.
