Abstract
Security breaches often arise as a result of users’ failure to comply with security policies. Such failures to comply may simply be innocent mistakes. However, there is evidence that, in some circumstances, users choose not to comply because they perceive that the security benefit of compliance is outweighed by the cost that is the impact of compliance on their abilities to complete their operational tasks. That is, they perceive security compliance as hindering their work. The ‘compliance budget’ is a concept in information security that describes how the users of an organization’s systems determine the extent to which they comply with the specified security policy. The purpose of this paper is to initiate a qualitative logical analysis of, and so provide reasoning tools for, this important concept in security economics for which quantitative analysis is difficult to establish. We set up a simple temporal logic of preferences, with a semantics given in terms of histories and sets of preferences, and explain how to use it to model and reason about the compliance budget. The key ingredients are preference update, to account for behavioural change in response to policy change, and an ability to handle uncertainty, to account for the lack of quantitative measures.
© 2016 Springer International Publishing AG
Anderson, G., McCusker, G., Pym, D. (2016). A Logic for the Compliance Budget. In: Zhu, Q., Alpcan, T., Panaousis, E., Tambe, M., Casey, W. (eds) Decision and Game Theory for Security. GameSec 2016. Lecture Notes in Computer Science(), vol 9996. Springer, Cham. https://doi.org/10.1007/978-3-319-47413-7_21
DOI: https://doi.org/10.1007/978-3-319-47413-7_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47412-0
Online ISBN: 978-3-319-47413-7