GT CR, Mar 2, 2013

Audit Games

arXiv:1303.0356v2, 9 citations
Originality: Incremental advance
AI Analysis

This work addresses resource allocation and punishment design for internal audits in organizations handling personal data, representing an incremental advance in applying game theory to privacy enforcement.

The paper tackles the problem of designing effective audit mechanisms for enforcing privacy laws in organizations by modeling it as an audit game with resource allocation and punishment schemes, and presents an additive FPTAS that efficiently computes a near-optimal solution.

Effective enforcement of laws and policies requires expending resources to prevent and detect offenders, as well as appropriate punishment schemes to deter violators. In particular, enforcement of privacy laws and policies in modern organizations that hold large volumes of personal information (e.g., hospitals, banks, and Web services providers) relies heavily on internal audit mechanisms. We study economic considerations in the design of these mechanisms, focusing in particular on effective resource allocation and appropriate punishment schemes. We present an audit game model that is a natural generalization of a standard security game model for resource allocation with an additional punishment parameter. Computing the Stackelberg equilibrium for this game is challenging because it involves solving an optimization problem with non-convex quadratic constraints. We present an additive FPTAS that efficiently computes a solution that is arbitrarily close to the optimal solution.
