Schneier on Security
A blog covering security and security technology.
« Crime-Facilitating Speech |
| DUI Cases Thrown Out Due to Closed-Source Breathalyzer »
September 15, 2005
Research in Behavioral Risk Analysis
I very am interested in this kind of research:
Network Structure, Behavioral Considerations and Risk Management in Interdependent Security Games
Interdependent security (IDS) games model situations where each player has to determine whether or not to invest in protection or security against an uncertain event knowing that there is some chance s/he will be negatively impacted by others who do not follow suit. IDS games capture a wide variety of collective risk and decision-making problems that include airline security, corporate governance, computer network security and vaccinations against diseases. This research project will investigate the marriage of IDS models with network formation models developed from social network theory and apply these models to problems in network security. Behavioral and controlled experiments will examine how human participants actually make choices under uncertainty in IDS settings. Computational aspects of IDS models will also be examined. To encourage and induce individuals to invest in cost-effective protection measures for IDS problems, we will examine several risk management strategies designed to foster cooperative behavior that include providing risk information, communication with others, economic incentives, and tipping strategies.
The proposed research is interdisciplinary in nature and should serve as an exciting focal point for researchers in computer science, decision and management sciences, economics, psychology, risk management, and policy analysis. It promises to advance our understanding of decision-making under risk and uncertainty for problems that are commonly faced by individuals, organizations, and nations. Through advances in computational methods one should be able to apply IDS models to large-scale problems. The research will also focus on weak links in an interdependent system and suggest risk management strategies for reducing individual and societal losses in the interconnected world in which we live.
Posted on September 15, 2005 at 7:05 AM
• 11 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"computer science, decision and management sciences, economics, psychology, risk management, and policy analysis"
Why is it that military strategists are not included in the research of issues that have been a concern for physical security practicioners for ~25000 years.
Samples of phys sec 'IDS' issues:
* 'if my hut catches fire, yours might too, lets build a fire brigade'
* 'if my castle gets over-run and captured,they can use it as a base to invade yours, lets coordinate defences'
* 'if my country falls to the USSR, the economic and logistical impact will undermine the strategic defense of your nation, lets form NATO"
Recognizing that the above examples are radical oversimplifications, military strategy, is for the most part, directly applicable to network security, especially at the high level, policy & procedure level.
Aside from that, the research does look interesting. Are National Science Foundations research outputs in the public domain?
I hope I'm wrong, but it looks kinda like another taxpayer-funded grandiose research project to tell us what we already know, e.g., that people make decisions based on distorted perceptions of real-world risk.
This does sound interesting, and quite timely. I hope they spend a good deal of time evaluating the rising popularity/phenomenon of the American "rugged individualist" (nihilist) that advocates for the destruction of institutions as necessary for future improvement.
Many years ago I was approached by the head of a similar project with a goal to "advance our understanding of decision-making under risk and uncertainty" to improve network security systems. Unfortunately, that project started with a number of hypotheses based on the question "why do computers make mistakes" instead of the more realistic "why do people make mistakes and build them into their systems?"
I predict that interdependent security (IDS) games will soon be replaced by internal predictive security (IPS) games that will eliminate the false dependencies ;-)
Interesting to see the NSF step up and fund this. I wonder how their current level of investment in such topics compares to what is was when, say, Hogarth and Reder's "Rational Choice" collection was published.
I may be biased on this, but it looks like a little more up-front money in basic research could have paid some handsome dividends.
@ Davi Ottenheimer
"rising popularity/phenomenon of the American "rugged individualist" (nihilist) that advocates for the destruction of institutions as necessary for future improvement"
There might be an easy explination to this trend,
Pork Barrels and greasing squeaky wheels.
More realisticaly their has been research done about the size of an organisation and it's effectivness under certain conditions. The conclusion have always been that above a certain size all entities become progresivly less effective, often crossing over the line when they start commiting more harn than good
I feel compelled to mention my school's work in these subjects; specifically, experimental political and social sciences and economics:
Caltech has been leading a lot of the experimental research in these areas, and the work they've done has lead to real-world results--the most successful of which is the California Pollution Credit program. The pollution credit program is a system to optimize use of a common resource (air cleanliness) by using a computer-assisted market.
More applied public policy research:
I assume from one of the above comments that survivalists/nihilists believe spelling is another federal-commie plot :-)
Just a note -- I cannot post comment on the latest thread about DUI being thrown out due to no breathalyzer.
Will participation in this provide me with the information I need to get off of my new General Anxiety Disorder and Social Anxiety Disorder medication?
We are talking Interdependent Security, which would involve Risk Analysis.
Risk Analysis as we know is very subjective, human-effectiveness is too high a factor to ignore. A model for calculating a value based on the probability of a potential Risk by each group(CISO's team, ....,Cleaning staff) to the Information systems, and hence to the firm, could be envisioned.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.