
Game-Theoretic Modeling and Analysis of Insider Compliance with Security Policy

Conference Paper
In this paper, the authors present their work in progress applying game-theoretic modeling and analysis to their study of the effects of policy compliance requirements on shifting insider motivation.
Publisher

ACM

Abstract

In this paper, we present our work in progress applying game-theoretic modeling and analysis to our study of the effects of policy compliance requirements on shifting insider motivation. We focus on non-malicious employee non-compliance (possibly intentional) with policy and the potential risks introduced from this non-compliance. We view an employee’s decision about whether to comply with policy as a cost-benefit tradeoff and use a compliance budget as the mechanism for modeling those decisions. We demonstrate using game-theoretic analysis as a powerful modeling technique to represent how the potentially deleterious effects of requiring employees to follow frequent or burdensome requirements to comply with fixed policy can affect employee decision making. By modeling employee motivation as instance-based learning in a game with players represented by fluctuating Markov decision processes, we can identify conditions where employees are driven to more or less risky behaviors. We calibrated our model execution results to a recent meta-analysis of years of policy compliance research, which provided a level of confidence in the fidelity of our model execution results and our related practice recommendations.