Incentive-Centered Design for Security

Incentive-Centered Design for Information Security

Humans are “smart components” in a system, but cannot be directly programmed to perform; rather, their autonomy must be respected as a design constraint and incentives provided to induce desired behavior. Sometimes these incentives are properly aligned, and the humans don’t represent a vulnerability. But often, a misalignment of incentives causes a weakness in the system that can be exploited b...

Incentive-Centered Design for User-Contributed Content

Humans Are Smart Devices, but Not Programmable: Incentive-centered Design for Security

The thing is, the motivations matter. For one thing, it’s why the bad guys keep coming, and why they expend (sometimes very considerable) resources to climb over or dig under or unhinge the gates. And there is the first fundamental design design principle that comes from paying attention to incentives: the amount we pay Bob to build the wall higher (the gate thicker, the moat deeper) should dep...

Incentive Design for Home Computer Security

People are the weakest link in security (Anderson, 1993). People write passwords on sticky notes on the screen. People don’t patch their home systems and become botnet zombies. People choose whether to label a patch critical or just recommended. Our motivating insight is that these actions generally reflect motivated behavior in response to the configuration of incentives confronting individual...

Incentive design for adaptive agents

We consider a setting in which a principal seeks to induce an adaptive agent to select a target action by providing incentives on one or more actions. The agent maintains a belief about the value for each action—which may update based on experience—and selects at each time step the action with the maximal sum of value and associated incentive. The principal observes the agent’s selection, but h...