Skip to main content
Log in

Compliance signaling games: toward modeling the deterrence of insider threats

Computational and Mathematical Organization Theory Aims and scope Submit manuscript

Abstract

In a typical workplace, organizational policies and their compliance requirements set the stage upon which the behavioral patterns of individual agents evolve. The agents’ personal utilities, access to information, and strategic deceptions shape the signaling systems of an intricate information-asymmetric game, thus mystifying assessment and management of organizational risks, which are primarily due to unintentional insider threats. Compliance games, as discussed here, model a rudimentary version of this signaling game between a sender (employee) and a receiver (organization). The analysis of these games’ equilibria as well as their dynamics in repeated game settings illuminate the effectiveness or risks of an organizational policy. These questions are explored via a repeated and agent-based simulation of compliance signaling games, leading to the following: (1) a simple but broadly applicable model for interactions between sender agents (employees) and receiver agents (principals in the organization), (2) an investigation of how the game theoretic approach yields the plausible dynamics of compliance, and (3) design of experiments to estimate parameters of the systems: evolutionary learning rates of agents, the efficacy of auditing using a trembling hand strategy, effects of non-stationary and multiple principal agents, and ultimately, the robustness of the system under perturbation of various related parameters (costs, penalties, benefits, etc.). The paper concludes with a number of empirical studies, illustrating a battery of compliance games under varying environments designed to investigate agent based learning, system control, and optimization. The studies indicate how agents through limited interactions described by behavior traces may learn and optimize responses to a stationary defense, expose sensitive parameters and emergent properties and indicate the possibility of controlling interventions which actuate game parameters. We believe that the work is of practical importance—for example, in constraining the vulnerability surfaces arising from compliance games.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10

References

  • Axelrod RM (1997) The complexity of cooperation: agent-based models of competition and collaboration. Princeton University Press, Princeton

    Google Scholar 

  • Axelrod R, Hamilton WD (1981) The evolution of cooperation. Science 211(4489):1390–1396

    Article  Google Scholar 

  • Binmore KG, Samuelson L (1992) Evolutionary stability in repeated games played by finite automata. J Econ Theory 57(2):278–305

    Article  Google Scholar 

  • Binmore K, Samuelson L (2001) Evolution and mixed strategies. Games Econ Behav 34(2):200–226

    Article  Google Scholar 

  • Cappelli DM, Moore AP, Trzeciak RF (2012) The CERT guide to insider threats: how to prevent, detect, and respond to information technology crimes (theft, sabotage, fraud). Addison-Wesley, Boston

    Google Scholar 

  • Casey W, Morales JA, Nguyen T, Spring J, Weaver R, Wright E, Metcalf L, Mishra B (2014) Cyber security via signaling games: toward a science of cyber security. In: ICDCIT, p 34–42

  • Fukuyama F (2006) The end of history and the last man. Simon and Schuster, New York

    Google Scholar 

  • Graetz MJ, Reinganum JF, Wilde LL (1986) The tax compliance game: toward an interactive theory of law enforcement. J Law Econ Organ 2(1):1–32

    Google Scholar 

  • Greitzer FL, Strozer JR, Cohen S, Moore AP, Mundie D, Cowley J (2014) Analysis of unintentional insider threats deriving from social engineering exploits. In: 2014 IEEE security and privacy workshops (SPW). IEEE, p 236–250. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6957309&tag=1

  • Hadnagy C, Kelly PF (2014) Unmasking the social engineer: the human element of security, 1st edn. Wiley. http://www.amazon.com/Unmasking-Social-Engineer-Element-Security/dp/1118608577

  • Huttegger SM, Skyrms B (2008) Emergence of information transfer by inductive learning. Stud Log 89(2):237–256

    Article  Google Scholar 

  • Huttegger SM, Skyrms B, Smead R, Zollman KJ (2010) Evolutionary dynamics of lewis signaling games: signaling systems vs. partial pooling. Synthese 172(1):177–191

    Article  Google Scholar 

  • Insider Threat Team, CERT (2013) Unintentional insider threats: a foundational study (CMU/SEI-2013-TN-022). Retrieved April 18, 2016, from the Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=58744

  • Jansen V, van Baalen M (2006) Altruism through beard chromodynamics. Nature 440:663–666

    Article  Google Scholar 

  • Jee J, Sundstrom A, Massey S, Mishra B (2013) What can information-asymmetric games tell us about the context of Crick’s frozen accident? J R Soc Interface 10:20130614

    Article  Google Scholar 

  • Jervis R (1998) System effects: complexity in political and social life. Princeton University Press, Princeton

    Book  Google Scholar 

  • Lewis D (2008) Convention: a philosophical study. Wiley

  • Long J, Pinzon S, Mitnick KD (2008) No tech hacking: a guide to social engineering, dumpster diving, and shoulder surfing. Elsevier, Burlington

    Google Scholar 

  • Manshaei M, Zhu Q, Alpcan T, Başar T, Hubaux J-P (2013) Game theory meets network security and privacy. ACM Comput Surv 45(3):25:1–25:39

    Article  Google Scholar 

  • Park Y, Stolfo SJ (2012) Software decoys for insider threat. In: Proceedings of the 7th ACM symposium on information, computer and communications security. ACM, p 93–94

  • Skyrms B (2010) Signals: evolution, learning, and information. Oxford University Press, Oxford

    Book  Google Scholar 

  • Spence M (1973) Job market signaling. Q J Econ 87:355–374

    Article  Google Scholar 

  • Traulsen A, Nowak M (2007) Chromodynamics of cooperation in finite populations. PLoS One 2(3):e270

    Article  Google Scholar 

  • van Veelen M, García J, Rand DG, Nowak MA (2012) Direct reciprocity in structured populations. Proc Natl Acad Sci USA 109(25):9929–9934

    Article  Google Scholar 

  • Zhu Q, Clark A, Poovendran R, Başar T (2012) Deceptive routing games. In: IEEE 51st annual conference on decision and control (CDC), p 2704–2711

  • Zhu Q, Clark A, Poovendran R, Başar T (2013) Deployment and exploitation of deceptive honeybots in social networks. In: Proceedings of the 52nd IEEE conference on decision and control (CDC’13), Florence, Italy, 10–13 December 2013

Download references

Acknowledgments

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. This material has been approved for public release and unlimited distribution DM-0002961.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to William Casey.

Appendix: System parameters

Appendix: System parameters

Table 2 below summarizes and defines the parameters forming our multi-agent game systems.

Table 2 System parameters

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Casey, W., Morales, J.A., Wright, E. et al. Compliance signaling games: toward modeling the deterrence of insider threats. Comput Math Organ Theory 22, 318–349 (2016). https://doi.org/10.1007/s10588-016-9221-5

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10588-016-9221-5

Keywords

Navigation