A Prospect Theory approach to Security

Author

  • VILHELM VERENDEL
Abstract

The correct control of security often depends on decisions under uncertainty. Using quantified information about risk, one may hope to achieve more precise control by making better decisions. We discuss and examine how Prospect Theory, the major descriptive theory of risky decisions, predicts that such decisions will go wrong, and whether such problems may be corrected.

1 Can security decisions go wrong?

Security is both a normative and a descriptive problem. We would like to normatively follow how to make correct decisions about security, but also descriptively understand where security decisions may go wrong. According to Schneier [1], security risk is both a subjective feeling and an objective reality, and sometimes those two views differ so that we fail to act correctly. Assuming that people act on perceived rather than actual risks, we will sometimes do things we should avoid, and sometimes fail to act as we should. In security, people may both feel secure when they are not, and feel insecure when they are actually secure [1]. With the recent attempts in security that aim at quantifying security properties, also known as security metrics, we are interested in how to achieve correct metrics that can help a decision-maker control security. But would successful quantification be the end of the story? The aim of this paper is to explore the potential difference between correct and actual security decisions when people are supposed to decide and act based on quantified information about risky options. If there is a gap between correct and actual decisions, how can we begin to model and characterize it? How large is it, and where might someone exploit it? What can be done to fix and close it? As a specific example, this paper considers the impact of using risk as a security metric for decision-making in security. The motivation to use risk is two-fold.

First, risk is a well-established concept that has been applied in numerous ways to understand information security [2, 3, 4, 5, 6] and is often assumed to be a good metric. Second, we believe that it is currently the only well-developed, reasonable candidate that aims to involve two necessary aspects of the control of operational security: asset value and threat uncertainty. Good information security is often seen as risk management [7], which depends on methods to assess those risks correctly. However, this work examines potential threats and shortcomings concerning the usability of correctly quantified risk for security decisions. Our basic conceptual model for understanding decision-making in security is as follows, similar to [8]: in this paper, we consider a system that a decision-maker needs to protect in an environment with uncertain threats. Furthermore, we assume that the decision-maker wants to maximize some kind of security utility (the utility of the available security controls) when making decisions regarding different security controls. These parts of the model vary greatly between scenarios, and little can be done to model detailed security decisions in general. Still, we think that this is an appropriate framework for understanding the need for security metrics. One way, perhaps the standard way, to view security as a decision problem is that threats arise in the system and its environment, and that the decision-maker needs to take care of those threats with the available information, using some appropriate cost-benefit tradeoff. However, this common view overlooks threats arising from faults made by the decision-maker herself. We believe that many security failures should be seen in the light of the limits (or potential faults) of the decision-maker when she, with the best intentions, attempts to achieve security goals (maximizing security utility) by deciding between different security options.


Similar references

Quantitative evaluation of software security: an approach based on UML/SecAM and evidence theory

Quantitative and model-based prediction of security in the architecture design stage facilitates early detection of design faults hence reducing modification costs in subsequent stages of software life cycle. However, an important question arises with respect to the accuracy of input parameters. In practice, security parameters can rarely be estimated accurately due to the lack of sufficient kn...


Looking at Information Security through a Prospect Theory Lens

Traditional accounts of decision-making under uncertainty have taken the Von Neumann and Morgenstern approach of Expected Utility Theory that considers how decisions under uncertainty should be made. This prescriptive model states that, when faced with a choice, a rational decision maker will pick the prospect that offers the highest expected utility. But as has been demonstrated by Kahnemann a...


An extended hesitant group decision-making technique based on the prospect theory for emergency situations

Throughout the present manuscript, we are going to introduce a novel group emergency decision-making technique in which the application of prospect theory explains the psychological behaviour of the decision maker who is affected by the hesitancy and uncertainty of cognition in decision making problems. Instead of the usual aggregation procedure, we implement here a new fusion technique that ...


The influence of Iran and Turkey relations on the prospect of integration in the Middle East

Creating a convergent Middle East, in comparison to the European Union after the Second World War, seems possible. Europe's successful experience of convergence was due to the cooperation between two allied countries, Germany and France. The prerequisite for replicating Europe's success in the Middle East is to identify two leading states for this region. Iran and Turkey are two non-A...


Algebraic Matching of Vulnerabilities in a Low-Level Code

This paper explores the algebraic matching approach for detection of vulnerabilities in binary codes. The algebraic programming system is used for implementing this method. It is anticipated that models of vulnerabilities and programs to be verified are presented as behavior algebra and action language specifications. The methods of algebraic matching are based on rewriting rules and techniques...


Explaining Heterogeneity in Risk Preferences Using a Finite Mixture Model

This paper studies the effect of the space (distance) between lotteries' outcomes on risk-taking behavior and the shape of estimated utility and probability weighting functions. Previously investigated experimental data shows a significant space effect in the gain domain. As compared to low spaced lotteries, high spaced lotteries are associated with higher risk aversion for high probabilities o...


Journal title:

Volume   Issue 

Pages  -

Publication date 2009