ZETAR: Modeling and Computational Design of Strategic and Adaptive Compliance Policies

Compliance management plays an important role in mitigating insider threats. Incentive design is a proactive and noninvasive approach to achieving compliance by aligning an insider's incentive with the defender's security objective, which motivates (rather than commands) an insider to act...

Full description

Saved in:
Bibliographic Details
Published inIEEE transactions on computational social systems Vol. 11; no. 3; pp. 4001 - 4015
Main Authors Huang, Linan, Zhu, Quanyan
Format Journal Article
LanguageEnglish
Published Piscataway IEEE 01.06.2024
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Subjects
Algorithms
Bayes methods
Bayesian persuasion
Behavioral sciences
Compliance
Computational modeling
Controllability
Convexity
Customization
incentive learning
incentive mechanism
Incentives
information design
insider threat
Misalignment
Monitoring
Organizations
Policies
Principles
Security
Training
Trust
Trustworthiness
zero-trust
Online AccessGet full text

Cover

More Information
Summary:Compliance management plays an important role in mitigating insider threats. Incentive design is a proactive and noninvasive approach to achieving compliance by aligning an insider's incentive with the defender's security objective, which motivates (rather than commands) an insider to act in the organization's interests. Controlling insiders' incentives for population-level compliance is challenging because they are neither precisely known nor directly controllable. To this end, we develop ZEro-Trust Audit with strategic Recommendation (ZETAR), a zero-trust audit and recommendation framework, to provide a quantitative approach to model insiders' incentives and design customized recommendation policies to improve their compliance. We formulate primal and dual convex programs to compute the optimal bespoke recommendation policies. We create the theoretical underpinning for understanding trust, compliance, and satisfaction, which leads to scoring mechanisms of how compliant and persuadable an insider is. After classifying insiders as malicious, self-interested, or amenable based on their incentive misalignment levels with the defender, we establish bespoke information disclosure principles for these insiders of different incentive categories. We identify the policy separability principle and the set convexity, which enable finite-step algorithms to efficiently learn the completely trustworthy (CT) policy set when insiders' incentives are unknown. Finally, we present a case study to corroborate the design. Our results show that ZETAR can well adapt to insiders with different risk and compliance attitudes and significantly improve compliance. Moreover, trustworthy recommendations can provably promote cyber hygiene and insiders' satisfaction.
ISSN:2329-924X
2329-924X
2373-7476
DOI:10.1109/TCSS.2023.3323539