perverse incentives in security contracts a case study in
play

Perverse Incentives in Security Contracts: A Case Study in the - PowerPoint PPT Presentation

Dec 11, 2023 •456 likes •715 views

Perverse Incentives in Security Contracts: A Case Study in the Colombian Power Grid Carlos Barreto and Alvaro C ardenas University of Texas at Dallas The 15th Annual Workshop on the Economics of Information Security C. Barreto and A. C

  1. Perverse Incentives in Security Contracts: A Case Study in the Colombian Power Grid Carlos Barreto and Alvaro C´ ardenas University of Texas at Dallas The 15th Annual Workshop on the Economics of Information Security C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 1 / 24

  2. Conflict in Colombia Colombia has suffered decades of civil war. The main guerrilla groups are: FARC (Revolutionary Armed Forces of Colombia) ELN (National Liberation Army) Terrorist groups started as revolutionary movements (1964) originated because of Political violence Social dissatisfaction Communist influence (Cuban revolution) Objective of guerrillas Replace the state and impose their own ideals. Started in rural areas with the intention of spread influence along the country. C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 2 / 24

  3. Terrorism Funding Guerrillas support the war against the state with illegal activities such as Illegal drug trade, Extortion, and Exploitation of resources Guerrillas target critical infrastructures to Extort companies Display an ideology to attract popular support (ELN) ▶ They are against exploitation of resources by multinationals Undermine the national economy Show military capacity C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 3 / 24

  4. Problem: Perverse incentives in repair contracts Repair services become necessary due to the large number of attacks. In 2007 93% of the attacks on towers took place in the same region. Investigators discovered that 1 All the towers belonged to the Attacks vs Pending Repairs 350 Attacks same company (ISA) Pending Repairs 300 The modus operandi was the 250 same (e.g., bombs were installed owers 200 in the same place) Attacks on T 150 All repairs were made by the same contractor 100 50 0 2000 2002 2004 2006 2008 2010 2012 2014 Year 1 Semana: Negocio redondo, http://www.semana.com/nacion/articulo/negocio-redondo/94315-3 , 2008, (visited on 02/01/2016). C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 4 / 24

  5. Problem: Perverse incentives in repair contracts Detectives infiltrated the company and found that since 2005 a repair company conspired with terrorists to attack electricity towers. Attacks on Main Affected Regions 200 ANTIOQUIA CAUCA** (Region of fraud) NORTE DE SANTANDER 150 owers Start of fraud Discovery Attacks on T 100 Executives of the company hired 50 guerrilla militants to dynamite towers with 0 2000 2002 2004 2006 2008 2010 2012 2014 Year Easy access Cause partial damage C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 5 / 24

  6. Problem: Perverse incentives in repair contracts Attack’s objective: increase repair services provoking attacks Perverse incentives were feasible because: Attacks easily attributed to terrorist groups Sponsored attacks allows ▶ Reduce the repair costs ▶ Pretend efficiency repairing towers to assure future contracts C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 6 / 24

  7. Contributions We model the changes to contracts that the transmission company implemented to reduce perverse incentives. Idea: Hinder unlawful benefits by assigning contracts randomly (so attacked towers are not repaired by the contractor who sponsored the attack) C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 7 / 24

  8. Outline Structure of repair contracts 1 Frauds in repair contracts 2 Design of a contracts that reduce attacks 3 Conclusions 4 C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 8 / 24

  9. Repair contracts: Ideal Case Contracts are assigned using reverse auctions. Electricity company chooses the Contractors offer repair services contractor with the lowest bid Profit Bids Payment for the service: c 1 U 1 p = min i ∈{ 1 ,..., m } c i = c 1 c 2 U 2 . . . . . . c m U m Ideally, the contractors will make bids that guarantee the minimum expected benefit U i . C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 9 / 24

  10. Outline Structure of repair contracts 1 Frauds in repair contracts 2 Design of a contracts that reduce attacks 3 Conclusions 4 C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 10 / 24

  11. Repair contracts: Fraud Attacks on Main Affected Regions From the reports we know: 200 ANTIOQUIA CAUCA** (Region of fraud) Number of sponsored attacks NORTE DE SANTANDER during 2005-2008: ˜ θ i = 215 / 3 150 This region had attacks every owers Start of fraud Discovery week! Attacks on T 100 Payment for the militants: b = $4444 50 Repair payments $27778 ≤ p ≤ $83333 0 2000 2002 2004 2006 2008 2010 2012 2014 Year Benefits of sponsoring attacks: Increase the number of repair services: θ → θ + ˜ θ i Reduce the cost of repairs, which increases the benefits: U i → ˜ U i The bribe or cost of sponsoring one attacks is b C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 11 / 24

  12. Model of fraud Contractors could reduce their benefit to make lower bids (and become more competitive) L i = ˜ U i − U i : excess benefit with sponsored attacks γ ∈ [0 , 1]: benefit reduction ˜ ˜ θ i New benefit: U i − γ L i New repair cost: c i = c i − ˜ θ i γ L i θ +˜ The profit of a contractor with sponsored attacks becomes sponsored attacks bribe genuine attacks � �� � ���� ���� θ i ( ˜ ˜ b (˜ θ U i + U i − γ L i ) − θ i ) variable cost fixed cost � �� � λ (1 + α ) ˜ ���� θ i − 1 b (˜ ˜ θ i ) = θ i b 0 + α λ, α : parameters to model the increasing cost of additional attacks C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 12 / 24

  13. Repair contracts: Optimal Attack The optimal number of attacks ˜ θ ∗ i can be found solving: θ U i + ˜ θ i ( ˜ U i − γ L i ) − b (˜ maximize θ i ) ˜ θ i (1) ˜ θ i ∈ Z ∗ , subject to The optimal number of attacks is ( )/ α ( ˜ U i − γ L i − b 0 ) θ ∗ ˜ i = ln ln(1 + α ) (2) λ ln(1 + α ) Attacks are unprofitable if ˜ θ ∗ i < 1 λ α (1 + α ) ln(1 + α ) + b 0 > ˜ U i − γ L i ≥ U i . (3) The cost of the attacks is smaller than the expected profit of the contractor. The number of attacks cannot be manipulated by the company C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 13 / 24

  14. Example Known Parameters: Unknown Parameters: Repair cost: Benefit with genuine repairs U 1 p max = $83333 Benefit with dishonest actions ˜ U 1 p min = $27778 Parameters of the bribe function λ Bribe for one attack α b (1) = 4444 We assume that the benefit can be expressed as U 1 = p − E where E are repair expenses. If the contractor requires a return of investment of 10%, that is, U 1 = 0 . 1 E then U 1 = p / 11. Thus U = p max / 11 ≈ $7575 . 7 U = p min / 11 ≈ $2525 . 3 E = 10 U ≈ $75757 E = 10 U ≈ $25253 C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 14 / 24

  15. Example In the worst case the company won’t know the real repair cost. Hence The electricity company will make a payment p max (usual repair cost of attacks) The expenses of sponsored attacks are E (sponsored attacks have the minimum repair cost) Thus, benefit of a sponsored attack is ˜ U 1 = p max − E ≈ 58081 The benefit of sponsored attacks ˜ U 1 is more than seven times the benefit non-sponsored attacks. ˜ U 1 > 7 U 1 C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 15 / 24

  16. Example We assume that the variable cost λ is equal to 20% of the constant cost, i.e., λ = 0 . 2 b 0 . Thus, since b (1) = b 0 + λ we extract b 0 = $3704 We assume that the reported number of sponsored attacks was optimal. Then, ˜ θ ∗ i = 215 / 3 ≈ 72. Assuming that γ = 1 we can estimate α = 0 . 0234 Number of attacks as a function of γ 200 180 160 Number of attacks 140 120 100 80 60 0 0.2 0.4 0.6 0.8 1 Benefit reduction ( γ ) C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 16 / 24

  17. Solutions: Use regulatory mechanisms Regulation might reduce undesirable incentives, e.g., Offer repair contracts with fixed payments (regardless of the number of attacks) Limitation: Malicious contractors could increase the number of attacks to increase the contract’s payments Set remuneration comparing costs of multiple similar firms (Yardstick competition) 2 . Limitation: A malicious contractor can offer costs consistent with Yardstick competition while still offering smaller bids. 2 Andrei Shleifer: A theory of yardstick competition, in: The RAND Journal of Economics 1985, pp. 319–327. C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 17 / 24

  18. Outline Structure of repair contracts 1 Frauds in repair contracts 2 Design of a contracts that reduce attacks 3 Conclusions 4 C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 18 / 24

  19. Mechanism to Disincentivize attacks Electricity company chooses n Contractors offer repair services contractors with the lowest bid Bids c 1 Payment for the service: c 2 p ( n ) = max i ∈{ 1 ,..., n } c i = c n ˆ . . . c n . . . c m Selecting n contractors is more expensive for the electric transmission operator because the payments are defined as C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 19 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Incentives: The Evil Hat Liz Keogh liz@lunivore.com @lunivore Perverse incentives are a

Incentives: The Evil Hat Liz Keogh liz@lunivore.com @lunivore Perverse incentives are a

Learning and Perverse Incentives: The Evil Hat Liz Keogh liz@lunivore.com @lunivore Perverse incentives are a common problem. We think more about solutions than we do about the system the solutions create. We can see systems better from

1.2k views • 72 slides
J. Leotta June 2015 Slide 1 Introduction Incentive Fee Contracts Principal-Agent

J. Leotta June 2015 Slide 1 Introduction Incentive Fee Contracts Principal-Agent

J. Leotta June 2015 Slide 1 Introduction Incentive Fee Contracts Principal-Agent Problem Stock Pricing Theory Case Study 1: Public Sector Case Study 2: Private Sector Alternate Contract Incentives Conclusions Slide

389 views • 24 slides
Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has innovation helped to produce a cost effective remedial design? Challenging contaminant profile Taken a traditional / well understood remedial

910 views • 4 slides
Cross Country BC 2017 Club Development Workshop Case study: Do incentives and deadlines work? 2

Cross Country BC 2017 Club Development Workshop Case study: Do incentives and deadlines work? 2

Cross Country BC 2017 Club Development Workshop Case study: Do incentives and deadlines work? 2 Gold Star pass upgrade EXAMPLE (when buying your membership on Zone4) NEW OPTION : (in support of our ___ program) For $49, upgrade your pass

535 views • 18 slides
Model Checking Contracts A case study Gordon Pace Cristian Prisacariu Gerardo Schneider

Model Checking Contracts A case study Gordon Pace Cristian Prisacariu Gerardo Schneider

Model Checking Contracts A case study Gordon Pace Cristian Prisacariu Gerardo Schneider gordon.pace@um.edu.mt cristi@ifi.uio.no gerardo@ifi.uio.no Department of Informatics, University of Oslo ATVA07 Tokyo, Japan October 22-25, 2007

1.08k views • 65 slides
Contracts: Practical Contribution Incentives for P2P Live Streaming Michael Piatek, Arvind

Contracts: Practical Contribution Incentives for P2P Live Streaming Michael Piatek, Arvind

Contracts: Practical Contribution Incentives for P2P Live Streaming Michael Piatek, Arvind Krishnamurthy, Arun Venkataramani, Richard Yang, David Zhang, Alexander Jaffe U. of Washington, U. of Massachusetts, Yale, PPLive Live streaming

555 views • 51 slides
Governing Mega-Event Security: A Case Study of G2014 Dr Suzanne Young Professor Simon Mackenzie

Governing Mega-Event Security: A Case Study of G2014 Dr Suzanne Young Professor Simon Mackenzie

15/06/2012 Governing Mega-Event Security: A Case Study of G2014 Dr Suzanne Young Professor Simon Mackenzie Scottish Centre for Crime and Justice Research University of Glasgow The study: The Governance of Security and the Analysis of Risk

211 views • 4 slides
s rsrt Case study: payment card security

s rsrt Case study: payment card security

s rsrt Case study: payment card security Tyler Moore Two-sided market structure Cardholder Merchant Issuing bank Acquiring bank In the beginning There was no protection for

549 views • 11 slides
A case study Levente Buttyn Laboratory of Cryptography and System Security (CrySyS Lab)

A case study Levente Buttyn Laboratory of Cryptography and System Security (CrySyS Lab)

Mentoring talent in IT security A case study Levente Buttyn Laboratory of Cryptography and System Security (CrySyS Lab) Budapest University of Technology and Economics www.crysys.hu this is joint work with Gbor Pk, Mrk Flegyhzi,

937 views • 24 slides
Mixed perverse sheaves on flag varieties of Coxeter groups Cristian Vay UNCCONICET Argentina

Mixed perverse sheaves on flag varieties of Coxeter groups Cristian Vay UNCCONICET Argentina

Motivation Elias-Williamson diagrammatic categories Biequivariant Categories Perverse sheaves Mixed perverse sheaves on flag varieties of Coxeter groups Cristian Vay UNCCONICET Argentina joint work with P. Achar and S. Riche Almera

514 views • 32 slides
Security and Reliability of the Internet Of Things (IoT): A Smart Meter Case Study

Security and Reliability of the Internet Of Things (IoT): A Smart Meter Case Study

Security and Reliability of the Internet Of Things (IoT): A Smart Meter Case Study KarthikPattabiraman Farid Molazem Tabrizi, Maryam Raiyat, Abraham Chan, Ivan Beschastnikh University of British Columbia (UBC) My Research Building

693 views • 51 slides
Incentives to relay 1) Incentives to relay traffic 2) Incentives to do it well 3)

Incentives to relay 1) Incentives to relay traffic 2) Incentives to do it well 3)

Incentives to relay 1) Incentives to relay traffic 2) Incentives to do it well 3) Incentives to allow exits. Nave tit-for-tat probably not so smart. But maybe something like it? Run two servers and wait Over time,

303 views • 13 slides
A Case Study in Safety, Security, and Availability of Wireless-Enabled Aircraft Communication

A Case Study in Safety, Security, and Availability of Wireless-Enabled Aircraft Communication

Motivation Safety Security Availability A Case Study in Safety, Security, and Availability of Wireless-Enabled Aircraft Communication Networks Rohit Dureja, Eric W.D. Rozier, and Kristin Yvonne Rozier Iowa State University

851 views • 39 slides
Investment Incentives under Price Cap- Regulation the Case of Energy Dr. Christian Growitsch

Investment Incentives under Price Cap- Regulation the Case of Energy Dr. Christian Growitsch

Investment Incentives under Price Cap- Regulation the Case of Energy Dr. Christian Growitsch Infraday 2008 Berlin, 10 October 2008 0 Agenda Investment incentives and incentive regulation: - Theory - Issues International practice

417 views • 30 slides
Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc kland What We ll Co ve r T o day T he L ig htbulb Mo me nt My Ph.D Case Study Case Study Charac te ristic s Case Study Stre

424 views • 10 slides
Common Security Requirement Language for Procurements &amp; Maintenance Contracts Julio

Common Security Requirement Language for Procurements &amp; Maintenance Contracts Julio

Common Security Requirement Language for Procurements &amp; Maintenance Contracts Julio Rodriguez Idaho National Laboratory National Cyber Security Division (NCSD) Control Systems Security Program (CSSP) December 8, 2006 1 Background

682 views • 13 slides
COMPLEX NETWORKS: STRUCTURE AND FUNCTIONALTY II. Equivalence Frank den Hollander Mathematical

COMPLEX NETWORKS: STRUCTURE AND FUNCTIONALTY II. Equivalence Frank den Hollander Mathematical

COMPLEX NETWORKS: STRUCTURE AND FUNCTIONALTY II. Equivalence Frank den Hollander Mathematical Institute, Leiden University 12th MSJ-SI , Fukuoka, Japan, 31/0709/08, 2019. STATISTICAL PHYSICS Systems consisting of a very large number of

786 views • 24 slides
Barbara Kenny, Ph.D. Program Director Industrial Innova;on and

Barbara Kenny, Ph.D. Program Director Industrial Innova;on and

Barbara Kenny, Ph.D. Program Director Industrial Innova;on and Partnerships Division Na;onal Science Founda;on August 6, 2014 http://www.nsf.gov/eng/iip/pfi/air-tt.jsp 1

367 views • 9 slides
Classification Key Concepts Duen Horng (Polo) Chau Associate Professor, College of Computing

Classification Key Concepts Duen Horng (Polo) Chau Associate Professor, College of Computing

http://poloclub.gatech.edu/cse6242 CSE6242: Data &amp; Visual Analytics Classification Key Concepts Duen Horng (Polo) Chau Associate Professor, College of Computing Associate Director, MS Analytics Georgia Tech Mahdi Roozbahani Lecturer,

547 views • 23 slides
Compiler-based Extraction of Event Arrival Functions for Real-Time Systems Analysis Dominic

Compiler-based Extraction of Event Arrival Functions for Real-Time Systems Analysis Dominic

Compiler-based Extraction of Event Arrival Functions for Real-Time Systems Analysis Dominic Oehlert Selma Saidi Heiko Falk Institute of Embedded Systems Hamburg University of Technology firstname.surname@tuhh.de 30th Euromicro Conference on

963 views • 77 slides
CYBERLOCKER TRAFFIC FLOWS Aniket Niklas Martin Carey Mahanti Carlsson Arlitt Williamson 2

CYBERLOCKER TRAFFIC FLOWS Aniket Niklas Martin Carey Mahanti Carlsson Arlitt Williamson 2

CHARACTERIZING CYBERLOCKER TRAFFIC FLOWS Aniket Niklas Martin Carey Mahanti Carlsson Arlitt Williamson 2 Introduction Cyberlocker services provide an easy Web interface to upload, manage, and share content. Recent academic and

396 views • 26 slides
Lecture 12: Iteration and For-Loops (Sections 4.2 and 10.3) CS 1110 Introduction to Computing

Lecture 12: Iteration and For-Loops (Sections 4.2 and 10.3) CS 1110 Introduction to Computing

http://www.cs.cornell.edu/courses/cs1110/2019sp Lecture 12: Iteration and For-Loops (Sections 4.2 and 10.3) CS 1110 Introduction to Computing Using Python [E. Andersen, A. Bracy, D. Gries, L. Lee, S. Marschner, C. Van Loan, W. White] Problem:

838 views • 38 slides
Jianning Yue Wookyun Kho Young Jin Yoon AGL : Animation applet Generation Language Contents

Jianning Yue Wookyun Kho Young Jin Yoon AGL : Animation applet Generation Language Contents

Jianning Yue Wookyun Kho Young Jin Yoon AGL : Animation applet Generation Language Contents IPL? Advantages Syntax Development Examples Lessons Learned AGL : Animation applet Generation Language IPL? IPL is not

629 views • 26 slides
Wellbeing in the Tech Industry Dr Michelle OSullivan What to Expect 1. Learn about the

Wellbeing in the Tech Industry Dr Michelle OSullivan What to Expect 1. Learn about the

Managing for Mental Wellbeing in the Tech Industry Dr Michelle OSullivan What to Expect 1. Learn about the impact of mental ill-health in the workplace 2. Tips for managing employee mental ill-health and occupational psychosocial factors

441 views • 17 slides

More recommend