Abstract
We consider the problem of enforcing compliance with information security policies in organizations in order to mitigate insider threat. We show that compliance with security policies may be enforced even for myopic, self-interested, agents by providing them proper economic incentives for compliance. Our approach includes several variations of a compliance game between the organization and its inside users in which a bonus is paid for compliance with security policies. We show that compliance may be sustained by emphasizing the continuous, repeated nature of security-related decisions. Alternatively, compliance is more likely to emerge when costs and benefits of increased protection are shared in a fair manner. Our results emphasize the need to build trust between organizational entities, as well as suggest a way to determine compliance bonus in a fair manner.
| Original language | English (US) |
|---|---|
| Title of host publication | 16th Workshop on Information Technologies and Systems, WITS 2006 |
| Publisher | Social Science Research Network |
| Pages | 211-216 |
| Number of pages | 6 |
| State | Published - Jan 1 2006 |
| Event | 16th Workshop on Information Technologies and Systems, WITS 2006 - Milwaukee, WI, United States Duration: Dec 9 2006 → Dec 10 2006 |
Other
| Other | 16th Workshop on Information Technologies and Systems, WITS 2006 |
|---|---|
| Country/Territory | United States |
| City | Milwaukee, WI |
| Period | 12/9/06 → 12/10/06 |