1 / 24


Advertisement. Audit Mechanisms for Provable Risk Management and Accountable Data Governance. Jeremiah Blocki , Nicolas Christin , Anupam Datta, Arunesh Sinha Carnegie Mellon University. Motivation. Breach. Goal: treatment Rigid access control hinders treatment

Download Presentation


An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript

  1. Advertisement

  2. Audit Mechanisms for Provable Risk Management and Accountable Data Governance Jeremiah Blocki, Nicolas Christin, Anupam Datta, Arunesh Sinha Carnegie Mellon University

  3. Motivation Breach • Goal: treatment • Rigid access control hinders treatment • Permissive access control ⇒ privacy violations

  4. A real problem

  5. Auditing • Audit – instead of rigid access control • Have a permissive access control regime • Inspect accesses later to find violations • Punish violators • Repetitive process • Audits - Why Cry Over Spilt Milk? • deters (near) rational employees

  6. Audit Challenges • How much and what to audit? • Within budgetary constraints • How much to punish? • Without de-motivating employees • Human in the loop • Realistic model of human behavior

  7. Contribution • A formal repeated game model of the audit process • An asymmetric equilibrium concept for games • An audit mechanism that is an equilibrium • Demonstrate usefulness of the model and equilibrium • Predicts commonly observed phenomenon • Predicts interesting results that calls for empirical analysis “essentially, all models are wrong, but some are useful” - George Box

  8. Outline • Game Model • Equilibrium concepts • Equilibrium of Audit game • Predictions • Budget allocation and Fairness 1 2 3 4 5

  9. 1 Game Model Repeated Game Model • The interaction repeats for each audit cycle (rounds of repeated game) • Typical actions in one round • Emp action: (a, v) = (30, 2) • Org action: (α, P) = (0.33, $100) Inspect Access, Violate One audit cycle (round) Punishment rate J. Blocki, N. Christin, A. Datta, A. Sinha, Regret Minimizing Audits: A Learning-Theoretic Basis for Privacy Protection, IEEE Computer Security Foundations, 2011

  10. 1 Game Model Abstractions • Independence assumptions • K types of violations (and accesses) • Each employee acts independently for each type • One repeated game for each type and employee • Parameters of the model known through studies[P][V] • Risk factors (cost of violations) • Audit cost • Employee benefit in violating • …. • Infinite horizon audit interaction for fixed parameters [Game Theory, Fudenberg and Tirole] [P] Ponemon Institute Studies, [V}Verizon Data Breach Studies

  11. 1 Game Model Violation detection • Given v violations and αfraction inspection • Expected number of violations caught internally - v. f(α) • Violations caught externally • Assume fixed probability p of external detection • Expected number – p.v.(1 – f(α))

  12. 1 Game Model Payoffs • Organization’s payoff • Employee’s payoff Audit Cost ∝ α.a High Punishment Rate Loss ∝ p.v.(1 – f(α)) Reputation Loss ∝ P • ∝ v.f(α) PB.v P.v.(p.(1 – f(α)) + f(α)) Personal Benefit Punishment

  13. 1 Game Model Additional Considerations • Employees likely to not act rationally • Computationally constrained, Wrong beliefs • ϵprobability of arbitrary behavior • Org’s expected payoff for fixed P, α and employee action (a,v) • (1 - ϵ).(expected payoff with (a,v)) + ϵ.(expected payoff with (a,a)) Worst Case

  14. 1 Game Model Graphical View of Payoffs • Different employee best response partitions organization’s action space • Best response: v = 0 in deterred, v = a in un-deterred • More generally with non-linear payoff, a best response of k number of violations defines a partition 2 a 3 Deterred P Punishment Rate (P) PB 0 1 Un-Deterred Fraction of accesses inspected (α) α

  15. 2 Equilibrium concepts Subgame Perfect Equilibrium • Strategy σ: nodes → actions • Pay(σ1,σ2) = δ-discounted sum of round payoffs • (σ1,σ2) is NE if no unilateral profitable deviation • Node N defines a subgame GN with restricted strategy σ1N • (σ1,σ2) is SPE if (σ1N,σ2N) is NE for GN Action of P1 = {a, b} Action of P2 = {a,’ b’} {} aa’ ab’ ba’ bb’ ab’; aa’

  16. 2 Equilibrium concepts Asymmetric approximate equilibrium • Any SPE has the single stage deviation property • Pay(σ1sd,σ2) ≤ Pay(σ1,σ2) • Pay(σ1,σ2sd) ≤ Pay(σ1,σ2) • ϵ-SPE allows ϵ deviation by either player • (ϵ1, ϵ2)-SPE allows ϵ1, ϵ2 deviation by player P1, player P2 • Special relevant case for security: (ϵ1, 0)-SPE • Attacker (player P2) has no incentive to deviate • Deviations by attacker may be costly for defender

  17. 3 Equilibrium Proposed equilibrium • Organization: maximize utility subject to best response of employee (Stackelberg games) • Commitment by organization • Employee plays best response PB The equilibrium attained is an (ϵ1, 0) SPE Deterred P ϵ1 is the sum of a) difference from optimum due to uncertainty in PB b) ϵ . maximum loss in reputation Un-Deterred α

  18. 3 Equilibrium Advantages of commitment • Makes the decision easier for not so rational employee • Computing single round best response is easier • Predictable employee response – not based on beliefs (beliefs affected by many factors) • Addresses the problem of equilibrium selection • “Open design: The design should not be secret”[SS] [SS] The Protection of Information in Computer Systems, Saltzer, J. H. and Schroeder, M. D.

  19. 4 Predictions Predictions • Doctors punished less than nurses • Punishing a doctor is more costly for hospitals • Less audit cost, better tools means more inspections • Organizations audit to protect against greater loss • Increasing difference in cost of externally and internally caught violation leads to more inspections • Should be studied empirically • Can be used as an effective policy tool • Data Breach Notiifcation law [SR] vs. External audits [SR]Romanosky, S., Hoffman, D., Acquisti, A., Empirical analysis of data breach litigation, International Conference on Information Systems. (2011)

  20. 5 Fair Auditing Budget Allocation • Organization plays multiple games • Organization is constrained by total budget • Let the games be 1….n. Let the budget be B. • Budget bi yields equilibrium Eq(bi) in game i • Eq(bi) results in payoff Pay(bi) in game i • Solve max ∑iPay(bi) subject to ∑ibi ≤ B

  21. 5 Fair Auditing Towards Accountable Data Governance • Utility maximization may lead to unfair allocation • Add fairness constraints • Minimum level of inspection, punishment rate for each type

  22. Conclusion • Future Work: • Study the accountability problem in depth • Study complexity/algorithmic aspects of computing equilibrium Audit near-rational employees to optimize organization’s utility in a fair manner

  23. References • Zhao, X., Johnson, M.E., Access governance: Flexibility with escalation and audit, Hawaii International International Conference on Systems Science, 2010 • Zhang, N., Yu, W., Fu, X., Das, S.K.,Towardseffective defense against insider attacks: The establishment of defender’s reputation, IEEE International Conference on Parallel and Distributed Systems. (2008) • Cheng, P.C., Rohatgi, P., Keser, C., Karger, P.A., Wagner, G.M., Reninger, A.S., Fuzzy Multi-Level Security : An Experiment on Quantified Risk-Adaptive Access Control,Proceedings of the IEEE Symposium on Security and Privacy. (2007) • Feigenbaum, J., Jaggard, A.D., Wright, R.N., Towards a formal model of accountability, Proceedings of the 2011 workshop on New security paradigms workshop. (2011)

More Related