A Logic for the Compliance Budget

Gabrielle Anderson, Guy McCusker, David Pym

Research output: Chapter in Book/Report/Conference proceeding (Chapter)

Abstract

Security breaches often arise as a result of users' failure to comply with security policies. Such failures to comply may simply be innocent mistakes. However, there is evidence that, in some circumstances, users choose not to comply because they perceive that the security benefit of compliance is outweighed by the cost that is the impact of compliance on their abilities to complete their operational tasks. That is, they perceive security compliance as hindering their work. The 'compliance budget' is a concept in information security that describes how the users of an organization's systems determine the extent to which they comply with the specified security policy. The purpose of this paper is to initiate a qualitative logical analysis of, and so provide reasoning tools for, this important concept in security economics for which quantitative analysis is difficult to establish. We set up a simple temporal logic of preferences, with a semantics given in terms of histories and sets of preferences, and explain how to use it to model and reason about the compliance budget. The key ingredients are preference update, to account for behavioural change in response to policy change, and an ability to handle uncertainty, to account for the lack of quantitative measures.
Language: English
Title of host publication: Proceedings, GameSec 2016 - Decision and Game Theory for Security
Subtitle of host publication: 7th International Conference, GameSec 2016, New York, NY, USA, November 2-4, 2016
Editors: Quanyan Zhu, Tansu Alpcan, Emmanouil Panaousis, Milind Tambe, William Casey
Publisher: Springer Verlag
Pages: 370-381
ISBN (Print): 9783319474120
DOI: 10.1007/978-3-319-47413-7_21
Status: Published - 2016

Publication series

Name: Lecture Notes in Computer Science
Volume: 9996

Fingerprint

Logic
Security policy
Behavioural change
Economic security
Breach
Policy change
Information security
Uncertainty
Quantitative analysis
Costs

Cite this

Anderson, G., McCusker, G., & Pym, D. (2016). A Logic for the Compliance Budget. In Q. Zhu, T. Alpcan, E. Panaousis, M. Tambe, & W. Casey (Eds.), Proceedings, GameSec 2016- Decision and Game Theory for Security: 7th International Conference, GameSec 2016, New York, NY, USA, November 2-4, 2016 (pp. 370-381). (Lecture Notes in Computer Science; Vol. 9996). Springer Verlag. DOI: 10.1007/978-3-319-47413-7_21

@inbook{905a5b94004346689c9542ba1c63a70c,
title = "A Logic for the Compliance Budget",
abstract = "Security breaches often arise as a result of users' failure to comply with security policies. Such failures to comply may simply be innocent mistakes. However, there is evidence that, in some circumstances, users choose not to comply because they perceive that the security benefit of compliance is outweighed by the cost that is the impact of compliance on their abilities to complete their operational tasks. That is, they perceive security compliance as hindering their work. The 'compliance budget' is a concept in information security that describes how the users of an organization's systems determine the extent to which they comply with the specified security policy. The purpose of this paper is to initiate a qualitative logical analysis of, and so provide reasoning tools for, this important concept in security economics for which quantitative analysis is difficult to establish. We set up a simple temporal logic of preferences, with a semantics given in terms of histories and sets of preferences, and explain how to use it to model and reason about the compliance budget. The key ingredients are preference update, to account for behavioural change in response to policy change, and an ability to handle uncertainty, to account for the lack of quantitative measures.",
author = "Gabrielle Anderson and Guy McCusker and David Pym",
year = "2016",
doi = "10.1007/978-3-319-47413-7_21",
language = "English",
isbn = "9783319474120",
series = "Lecture Notes in Computer Science",
publisher = "Springer Verlag",
pages = "370--381",
editor = "Quanyan Zhu and Tansu Alpcan and Emmanouil Panaousis and Milind Tambe and William Casey",
booktitle = "Proceedings, GameSec 2016- Decision and Game Theory for Security",
}

TY - CHAP

T1 - A Logic for the Compliance Budget

AU - Anderson,Gabrielle

AU - McCusker,Guy

AU - Pym,David

PY - 2016

Y1 - 2016

N2 - Security breaches often arise as a result of users' failure to comply with security policies. Such failures to comply may simply be innocent mistakes. However, there is evidence that, in some circumstances, users choose not to comply because they perceive that the security benefit of compliance is outweighed by the cost that is the impact of compliance on their abilities to complete their operational tasks. That is, they perceive security compliance as hindering their work. The 'compliance budget' is a concept in information security that describes how the users of an organization's systems determine the extent to which they comply with the specified security policy. The purpose of this paper is to initiate a qualitative logical analysis of, and so provide reasoning tools for, this important concept in security economics for which quantitative analysis is difficult to establish. We set up a simple temporal logic of preferences, with a semantics given in terms of histories and sets of preferences, and explain how to use it to model and reason about the compliance budget. The key ingredients are preference update, to account for behavioural change in response to policy change, and an ability to handle uncertainty, to account for the lack of quantitative measures.

AB - Security breaches often arise as a result of users' failure to comply with security policies. Such failures to comply may simply be innocent mistakes. However, there is evidence that, in some circumstances, users choose not to comply because they perceive that the security benefit of compliance is outweighed by the cost that is the impact of compliance on their abilities to complete their operational tasks. That is, they perceive security compliance as hindering their work. The 'compliance budget' is a concept in information security that describes how the users of an organization's systems determine the extent to which they comply with the specified security policy. The purpose of this paper is to initiate a qualitative logical analysis of, and so provide reasoning tools for, this important concept in security economics for which quantitative analysis is difficult to establish. We set up a simple temporal logic of preferences, with a semantics given in terms of histories and sets of preferences, and explain how to use it to model and reason about the compliance budget. The key ingredients are preference update, to account for behavioural change in response to policy change, and an ability to handle uncertainty, to account for the lack of quantitative measures.

UR - https://doi.org/10.1007/978-3-319-47413-7_21

U2 - 10.1007/978-3-319-47413-7_21

DO - 10.1007/978-3-319-47413-7_21

M3 - Chapter

SN - 9783319474120

T3 - Lecture Notes in Computer Science

SP - 370

EP - 381

BT - Proceedings, GameSec 2016- Decision and Game Theory for Security

PB - Springer Verlag

ER -