Publication Type
Conference Proceeding Article
Version
acceptedVersion
Publication Date
11-2012
Abstract
Organizations that collect and use large volumes of personal information are expected under the principle of accountable data governance to take measures to protect data subjects from risks that arise from inappropriate uses of this information. In this paper, we focus on a specific class of mechanisms—audits to identify policy violators coupled with punishments—that organizations such as hospitals, financial institutions, and Web services companies may adopt to protect data subjects from privacy and security risks stemming from inappropriate information use by insiders. We model the interaction between the organization (defender) and an insider (adversary) during the audit process as a repeated game. We then present an audit strategy for the defender. The strategy requires the defender to commit to its action and, when paired with the adversary's best response to it, provably yields an asymmetric subgame perfect equilibrium. We then present two mechanisms for allocating the total audit budget for inspections across all games the organization plays with different insiders. The first mechanism allocates budget to maximize the utility of the organization. Observing that this mechanism protects the organization's interests but may not protect data subjects, we introduce an accountable data governance property, which requires the organization to conduct thorough audits and impose punishments on violators. The second mechanism we present achieves this property. We provide evidence that a number of parameters in the game model can be estimated from prior empirical studies and suggest specific studies that can help estimate other parameters. Finally, we use our model to predict observed practices in industry (e.g., differences in punishment rates of doctors and nurses for the same violation) and the effectiveness of policy interventions (e.g., data breach notification laws and government audits) in encouraging organizations to adopt accountable data governance practices.
Keywords
Expected Utility, Repeated Game, Subgame Perfect Equilibrium, Public Signal, Inside Attack
Discipline
Databases and Information Systems | Information Security
Research Areas
Data Science and Engineering
Publication
International Conference on Decision and Game Theory for Security, Budapest, Hungary, 2012 November 5-6
First Page
38
Last Page
59
Identifier
10.1007/978-3-642-34266-0_3
Publisher
Springer, Berlin, Heidelberg
City or Country
Budapest, Hungary
Citation
BLOCKI, Jeremiah; CHRISTIN, Nicolas; DATTA, Anupam; and SINHA, Arunesh.
Audit mechanisms for provable risk management and accountable data governance. (2012). International Conference on Decision and Game Theory for Security, Budapest, Hungary, 2012 November 5-6. 38-59.
Available at: https://ink.library.smu.edu.sg/sis_research/4490
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1007/978-3-642-34266-0_3