ZETAR: Modeling and Computational Design of Strategic and Adaptive Compliance Policies
- URL: http://arxiv.org/abs/2204.02294v2
- Date: Sat, 14 Oct 2023 01:37:44 GMT
- Title: ZETAR: Modeling and Computational Design of Strategic and Adaptive Compliance Policies
- Authors: Linan Huang and Quanyan Zhu
- Abstract summary: We develop ZETAR, a zero-trust audit and recommendation framework, to provide a quantitative approach to model insiders' incentives.
We identify the policy separability principle and the set convexity, which enable finite-step algorithms to efficiently learn the Completely Trustworthy (CT) policy set.
Our results show that ZETAR adapts well to insiders with different risk and compliance attitudes and significantly improves compliance.
- Score: 19.9521399287127
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Compliance management plays an important role in mitigating insider threats.
Incentive design is a proactive and non-invasive approach to achieving
compliance by aligning an insider's incentive with the defender's security
objective, which motivates (rather than commands) an insider to act in the
organization's interests. Controlling insiders' incentives for population-level
compliance is challenging because they are neither precisely known nor directly
controllable. To this end, we develop ZETAR, a zero-trust audit and
recommendation framework, to provide a quantitative approach to model insiders'
incentives and design customized recommendation policies to improve their
compliance. We formulate primal and dual convex programs to compute the optimal
bespoke recommendation policies. We create the theoretical underpinning for
understanding trust, compliance, and satisfaction, which leads to scoring
mechanisms that quantify how compliant and persuadable an insider is. After classifying
insiders as malicious, self-interested, or amenable based on their incentive
misalignment levels with the defender, we establish bespoke information
disclosure principles for these insiders of different incentive categories. We
identify the policy separability principle and the set convexity, which enable
finite-step algorithms to efficiently learn the Completely Trustworthy (CT)
policy set when insiders' incentives are unknown. Finally, we present a case
study to corroborate the design. Our results show that ZETAR adapts well to
insiders with different risk and compliance attitudes and significantly improves
compliance. Moreover, trustworthy recommendations provably promote cyber
hygiene and insiders' satisfaction.
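To make the optimization concrete, below is a minimal sketch (not the paper's exact formulation) of the kind of linear, hence convex, program a recommendation-policy design reduces to when states and actions are finite: the defender chooses a joint distribution over (state, recommendation) pairs that maximizes its expected utility subject to the insider's obedience constraints. The state/action sizes and utility matrices are hypothetical placeholders.

```python
# A minimal sketch (not the paper's exact formulation) of a
# recommendation-policy design problem as a linear program: maximize the
# defender's expected utility over joint distributions p[s, a] subject to
# the insider's obedience (incentive-compatibility) constraints. All
# sizes and utility matrices below are hypothetical.
import cvxpy as cp
import numpy as np

rng = np.random.default_rng(0)
n_states, n_actions = 3, 2                    # e.g., audit outcomes x insider actions
prior = np.array([0.5, 0.3, 0.2])             # defender's prior over states
U_def = rng.random((n_states, n_actions))     # defender's utility (hypothetical)
U_ins = rng.random((n_states, n_actions))     # insider's utility (hypothetical)

# p[s, a] = prior[s] * Pr(recommend action a | state s)
p = cp.Variable((n_states, n_actions), nonneg=True)
constraints = [cp.sum(p, axis=1) == prior]    # rows marginalize to the prior

# Obedience: an insider who receives recommendation a must prefer
# following it to any deviation a_dev, in expectation over states.
for a in range(n_actions):
    for a_dev in range(n_actions):
        if a_dev != a:
            constraints.append(p[:, a] @ (U_ins[:, a] - U_ins[:, a_dev]) >= 0)

problem = cp.Problem(cp.Maximize(cp.sum(cp.multiply(p, U_def))), constraints)
problem.solve()

policy = p.value / prior[:, None]             # recover Pr(a | s)
print(np.round(policy, 3))
```

Everything here is linear in p, so the program is convex and admits the kind of primal/dual treatment the abstract describes, at least in spirit.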
Related papers
- On the Trustworthiness of Generative Foundation Models: Guideline, Assessment, and Perspective [314.7991906491166]
Generative Foundation Models (GenFMs) have emerged as transformative tools.
Their widespread adoption raises critical concerns regarding trustworthiness across dimensions.
This paper presents a comprehensive framework to address these challenges through three key contributions.
arXiv Detail & Related papers (2025-02-20T06:20:36Z)
- Deliberative Alignment: Reasoning Enables Safer Language Models [64.60765108418062]
We introduce Deliberative Alignment, a new paradigm that teaches the model safety specifications and trains it to explicitly recall and accurately reason over the specifications before answering.
We used this approach to align OpenAI's o-series models, and achieved highly precise adherence to OpenAI's safety policies, without requiring human-written chain-of-thoughts or answers.
arXiv Detail & Related papers (2024-12-20T21:00:11Z)
- CURATe: Benchmarking Personalised Alignment of Conversational AI Assistants [5.7605009639020315]
The benchmark assesses ten leading models across five scenarios (337 use cases each).
We find that top-rated "harmless" models make recommendations that should be recognised as obviously harmful to the user given the context provided.
Key failure modes include inappropriate weighing of conflicting preferences, sycophancy (prioritising desires above safety), a lack of attentiveness to critical user information within the context window, and inconsistent application of user-specific knowledge.
arXiv Detail & Related papers (2024-10-28T15:59:31Z)
- Responsible AI in Open Ecosystems: Reconciling Innovation with Risk Assessment and Disclosure [4.578401882034969]
We focus on how model performance evaluation may inform or inhibit probing of model limitations, biases, and other risks.
Our findings can inform AI providers and legal scholars in designing interventions and policies that preserve open-source innovation while incentivizing ethical uptake.
arXiv Detail & Related papers (2024-09-27T19:09:40Z)
- Technocracy, pseudoscience and performative compliance: the risks of privacy risk assessments. Lessons from NIST's Privacy Risk Assessment Methodology [0.0]
Privacy risk assessments have been touted as an objective, principled way to encourage organizations to implement privacy-by-design.
Existing guidelines and methods remain vague, and there is little empirical evidence on privacy harms.
We highlight the limitations and pitfalls of what is essentially a utilitarian and technocratic approach.
arXiv Detail & Related papers (2023-08-24T01:32:35Z)
- On the Complexity of Adversarial Decision Making [101.14158787665252]
We show that the Decision-Estimation Coefficient is necessary and sufficient to obtain low regret for adversarial decision making.
We provide new structural results that connect the Decision-Estimation Coefficient to variants of other well-known complexity measures.
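For orientation, the stochastic Decision-Estimation Coefficient from the earlier Foster et al. line of work, which this paper builds on for the adversarial setting, reads roughly as follows (a recollection of the standard definition, up to notational choices; the adversarial paper analyzes variants of this quantity):

```latex
% Sketch of the (stochastic) Decision-Estimation Coefficient; the
% adversarial paper analyzes variants of this quantity.
\mathrm{dec}_{\gamma}(\mathcal{M}, \widehat{M})
  = \inf_{p \in \Delta(\Pi)} \sup_{M \in \mathcal{M}}
    \mathbb{E}_{\pi \sim p}\!\left[
      f^{M}(\pi_{M}) - f^{M}(\pi)
      - \gamma\, D_{\mathrm{H}}^{2}\!\bigl(M(\pi), \widehat{M}(\pi)\bigr)
    \right]
```

Here f^M(pi) is the expected payoff of decision pi under model M, pi_M is the optimal decision for M, M-hat is a reference (estimated) model, and D_H^2 is the squared Hellinger distance; the coefficient captures the best achievable trade-off between regret and information gained about the true model.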
arXiv Detail & Related papers (2022-06-27T06:20:37Z)
- Towards a multi-stakeholder value-based assessment framework for algorithmic systems [76.79703106646967]
We develop a value-based assessment framework that visualizes closeness and tensions between values.
We give guidelines on how to operationalize them, while opening up the evaluation and deliberation process to a wide range of stakeholders.
arXiv Detail & Related papers (2022-05-09T19:28:32Z)
- Trustworthy Artificial Intelligence and Process Mining: Challenges and Opportunities [0.8602553195689513]
We show that process mining can provide a useful framework for gaining fact-based visibility into AI compliance process execution.
We provide an automated approach to analyze, remediate and monitor uncertainty in AI regulatory compliance processes.
arXiv Detail & Related papers (2021-10-06T12:50:47Z)
- Policy Gradient Bayesian Robust Optimization for Imitation Learning [49.881386773269746]
We derive a novel policy gradient-style robust optimization approach, PG-BROIL, to balance expected performance and risk.
Results suggest PG-BROIL can produce a family of behaviors ranging from risk-neutral to risk-averse.
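As a rough illustration (not the paper's implementation), the soft-robust objective such methods optimize is a convex combination of expected return and the conditional value at risk (CVaR) of return across reward functions sampled from a posterior; sliding the weight between the two recovers the risk-neutral-to-risk-averse family the summary mentions.

```python
# A minimal numpy sketch (hypothetical inputs) of a BROIL-style
# soft-robust objective: blend the mean return with the CVaR of return
# over posterior reward hypotheses. Policy-gradient machinery omitted.
import numpy as np

def soft_robust_objective(returns: np.ndarray, lam: float = 0.5,
                          alpha: float = 0.9) -> float:
    """returns[i] = expected return of the current policy under the i-th
    reward function sampled from the posterior."""
    var = np.quantile(returns, 1.0 - alpha)        # value at risk
    cvar = returns[returns <= var].mean()          # mean of the worst tail
    return lam * returns.mean() + (1.0 - lam) * cvar

rng = np.random.default_rng(0)
posterior_returns = rng.normal(1.0, 0.5, size=1000)  # hypothetical samples
print(soft_robust_objective(posterior_returns, lam=1.0))  # risk-neutral
print(soft_robust_objective(posterior_returns, lam=0.0))  # risk-averse
```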
arXiv Detail & Related papers (2021-06-11T16:49:15Z)
- Training Value-Aligned Reinforcement Learning Agents Using a Normative Prior [10.421378728492437]
It is an increasingly realistic prospect that an agent trained to perform a task optimally, using only a measure of task performance as feedback, will violate societal norms for acceptable behavior or cause harm.
We introduce an approach to value-aligned reinforcement learning, in which we train an agent with two reward signals: a standard task performance reward, plus a normative behavior reward.
We show how variations on a policy shaping technique can balance these two sources of reward and produce policies that are both effective and perceived as being more normative.
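As a toy illustration of the balancing idea (the paper's exact policy-shaping variant may differ), one common way to shape a policy is to combine the task-driven and norm-driven action distributions multiplicatively, with an exponent controlling the normative influence.

```python
# A minimal numpy sketch of multiplicative policy shaping: actions must
# look good to both the task policy and the normative policy. The
# distributions and the exponent beta below are hypothetical.
import numpy as np

def shaped_policy(p_task: np.ndarray, p_norm: np.ndarray,
                  beta: float = 1.0) -> np.ndarray:
    """beta = 0 ignores the norms; larger beta weights them more."""
    mixed = p_task * np.power(p_norm, beta)
    return mixed / mixed.sum()

p_task = np.array([0.7, 0.2, 0.1])   # hypothetical task-reward preferences
p_norm = np.array([0.1, 0.6, 0.3])   # hypothetical normative preferences
print(shaped_policy(p_task, p_norm, beta=1.0))
print(shaped_policy(p_task, p_norm, beta=0.0))  # pure task policy
```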
arXiv Detail & Related papers (2021-04-19T17:33:07Z)
- Privacy-Constrained Policies via Mutual Information Regularized Policy Gradients [54.98496284653234]
We consider the task of training a policy that maximizes reward while minimizing disclosure of certain sensitive state variables through the actions.
We solve this problem by introducing a regularizer based on the mutual information between the sensitive state and the actions.
We develop a model-based estimator for optimization of privacy-constrained policies.
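To make the regularizer concrete, here is a toy plug-in computation of the quantity being penalized, assuming discrete sensitive states and actions with a known joint distribution; the paper instead develops a model-based estimator suited to policy-gradient optimization.

```python
# A minimal sketch of the regularized objective: penalize the mutual
# information between a (discrete) sensitive state variable and the
# action, estimated here with a simple plug-in formula over a joint
# distribution table. The table and lambda below are hypothetical.
import numpy as np

def mutual_information(joint: np.ndarray) -> float:
    """I(S; A) for a joint table joint[s, a] that sums to 1."""
    p_s = joint.sum(axis=1, keepdims=True)
    p_a = joint.sum(axis=0, keepdims=True)
    mask = joint > 0
    return float(np.sum(joint[mask] * np.log(joint[mask] / (p_s @ p_a)[mask])))

def regularized_objective(expected_reward: float, joint_sa: np.ndarray,
                          lam: float = 1.0) -> float:
    # maximize reward while minimizing what actions leak about the state
    return expected_reward - lam * mutual_information(joint_sa)

joint = np.array([[0.4, 0.1],    # hypothetical Pr(sensitive state, action)
                  [0.1, 0.4]])
print(regularized_objective(1.0, joint, lam=0.5))
```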
arXiv Detail & Related papers (2020-12-30T03:22:35Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of the information presented and is not responsible for any consequences.