Technical report details
Behaviour, Interaction and Control of User Communities
Collinson, Matthew
HP Development Company
Keywords: information security; user behavior; modelling
RP-ID: HPL-2010-68
Subject classification: Computer science (general)
United States | English
Source: HP Labs
【 Abstract 】

Most modern organisations have information security policies that are designed to guide the behaviour of their user communities. It is often impractical for these policies to be enforced directly, and users frequently have incentives not to comply. In both realistic and simplified situations the resulting principal-agent problem can be extremely complicated. Consequently, managers often have to make decisions about security policy in the face of a high degree of uncertainty, both about user behaviour and the ambient threat environment. The purpose of this paper is to draw attention to some of the complexities using a variety of types of model, and to suggest ways in which progress towards practical, model-based decision processes might be made. No single model - or type of model - is likely to provide complete insight into the problem. First to be considered is a decision-making process using calculation of utility, and based on inferences about population behaviour derived from empirical data. The issues surrounding a practical methodology featuring simulation are discussed. The use of game theory is considered as a way of understanding the interaction between an organization and its users. It is further proposed that methods from statistical mechanics can be used to provide models of interaction and influence within the user community - these suggest that extreme non-linearities may be present in the behaviour of the community. In each case, attention is paid to the difficulties of collecting the data required by the models.
