Using the Conflicting Incentives Risk Analysis Method

  • Lisa Rajbhandari
  • Einar Snekkenes
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 405)


Risk is usually expressed as a combination of likelihood and consequence but obtaining credible likelihood estimates is difficult. The Conflicting Incentives Risk Analysis (CIRA) method uses an alternative notion of risk. In CIRA, risk is modeled in terms of conflicting incentives between the risk owner and other stakeholders in regards to the execution of actions. However, very little has been published regarding how CIRA performs in non-trivial settings. This paper addresses this issue by applying CIRA to an Identity Management System (IdMS) similar to the eGovernment IdMS of Norway. To reduce sensitivity and confidentiality issues the study uses the Case Study Role Play (CSRP) method. In CSRP, data is collected from the individuals playing the role of fictitious characters rather than from an operational setting. The study highlights several risk issues and has helped in identifying areas where CIRA can be improved.


Risk analysis risk privacy conflicting incentives 


  1. 1.
    ASME Innovative Technologies Institute (ASME-ITI). RAMCAP(Risk Analysis and Management for Critical Asset Protection) Framework, Version 2.0 (May 2006)Google Scholar
  2. 2.
    AS/NZS 4360. Risk management. AS/NZS (2004)Google Scholar
  3. 3.
    Atzeni, A., Cameroni, C., Faily, S., Lyle, J., Flechais, I.: Here’s Johnny: A Methodology for Developing Attacker Personas. In: ARES, pp. 722–727 (2011)Google Scholar
  4. 4.
    Chulef, A.S., Read, S.J., Walsh, D.A.: A Hierarchical Taxonomy of Human Goals. Motivation and Emotion 25(3), 191–232 (2001)CrossRefGoogle Scholar
  5. 5.
    Clemen, R.T.: Making Hard Decision: An Introduction to Decision Analysis, 2nd edn. Duxbury (1996)Google Scholar
  6. 6.
    Cooper, A.: The Inmates are Running the Asylum. Macmillan Publishing Co., Inc., Indianapolis (1999)CrossRefGoogle Scholar
  7. 7.
    Cox Jr., L.A.: Some limitations of “Risk = Threat x Vulnerability x Consequence” for risk analysis of terrorist attacks. Risk Analysis 28(6), 1749–1761 (2008)CrossRefGoogle Scholar
  8. 8.
    Difi (Direktoratet for forvaltning og IKT). MinID, (online accessed: November 2012)
  9. 9.
    Information Commissioner’s Office (ICO). Privacy Impact Assessment Handbook, Version 2.0 (2009), (online accessed: May 2013)
  10. 10.
    ISACA, Rolling Meadows. The Risk IT Framework (2009)Google Scholar
  11. 11.
    ISACA. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. IT Governance Institute (2012)Google Scholar
  12. 12.
    ISO 31000. Risk Management – Principles and Guidelines (2009)Google Scholar
  13. 13.
    ISO/IEC 27005. Information technology -Security techniques -Information security risk management. ISO/IEC, 1st edn. (2008)Google Scholar
  14. 14.
    Karabacak, B., Sogukpinar, I.: ISRAM: information security risk analysis method. Computers & Security 24(2), 147–159 (2005)CrossRefGoogle Scholar
  15. 15.
    Lund, M.S., Solhaug, B., Stølen, K.: A Guided Tour of the CORAS Method. In: Model-Driven Risk Analysis, pp. 23–43. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  16. 16.
    NIST. NIST SP 800-39, Managing Information Security Risk - Organization, Mission, and Information System View (2011)Google Scholar
  17. 17.
    NIST. NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments (September 2012)Google Scholar
  18. 18.
    Treasury Board of Canada Secretariat. Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks Guidelines (April 2012), (online accessed: January 2013)
  19. 19.
    Rajbhandari, L., Snekkenes, E.: Intended Actions: Risk Is Conflicting Incentives. In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 370–386. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  20. 20.
    Shanteau, J., Stewart, T.R.: Why study expert decision making? Some historical perspectives and comments. Organizational Behavior and Human Decision Processes 53(2), 95–106 (1992)CrossRefGoogle Scholar
  21. 21.
    Solove, D.J.: A Taxonomy of Privacy. University of Pennsylvania Law Review 154(3), 477 (2006); GWU Law School Public Law Research Paper No. 129CrossRefGoogle Scholar
  22. 22.
    Stoneburner, G., Goguen, A., Feringa, A.: NIST SP 800-30, Risk Management Guide for Information Technology. NIST (July 2002)Google Scholar
  23. 23.
    The Honeynet Project. Know Your Enemy, 2nd edn. Addison-Wesley (2004)Google Scholar
  24. 24.
    Wright, D.: Should privacy impact assessments be mandatory? Commun. ACM 54(8), 121–131 (2011)CrossRefGoogle Scholar
  25. 25.
    Yardley-Matwiejczuk, K.M.: Role play: theory and practice. Sage Publications Limited (1997)Google Scholar
  26. 26.
    Yin, R.K.: Case Study Research: Design and Methods, 4th edn. Applied Social Research Method Series, vol. 5. Sage (2009)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Lisa Rajbhandari
    • 1
  • Einar Snekkenes
    • 1
  1. 1.Norwegian Information Security LaboratoryGjøvik University CollegeNorway

Personalised recommendations