
2022 | OriginalPaper | Chapter

4. Policy Management

Authors: Tim Kieras, Junaid Farooq, Quanyan Zhu

Published in: IoT Supply Chain Security Risk Analysis and Mitigation

Publisher: Springer International Publishing


Abstract

Supply chain security has become a growing concern in the security risk analysis of IoT systems. Their highly connected structures have significantly enlarged the attack surface, making it difficult to track the source of the risk posed by malicious or compromised suppliers. This chapter presents a system-scientific framework to study accountability in IoT supply chains and provides a holistic risk analysis from both technological and socio-economic perspectives. We develop stylized models and quantitative approaches to evaluate the accountability of suppliers. Two case studies illustrate accountability measures for scenarios with single and multiple agents. Finally, we present contract design and cyber insurance as economic solutions to mitigate supply chain risks. They are incentive-compatible mechanisms that encourage truth-telling by the supplier and facilitate reliable accountability investigation for the buyer.


Metadata
Title: Policy Management
Authors: Tim Kieras, Junaid Farooq, Quanyan Zhu
Copyright Year: 2022
DOI: https://doi.org/10.1007/978-3-031-08480-5_4
