Inspiring Quote - "I belong to the school that holds ideas and exposition to be more important than 'mere' results." Thomas Kailath (EE, Stanford)
Research Keywords - cyber-risk management, cyber-security, personal data economics, data privacy, cyber-insurance, game theory, behavioral economics
At NCIS@ECE, I lead research efforts that revolve around resolving challenges (using theory and experiments) surrounding TWO important, timely, and impactful directions in cyber-risk and privacy management research.
1. (Catastrophic) Cyber-Risk Management in Service Networks of Industrial IoT (IIoT) Systems - Global commerce is undergoing a profound digital transformation. A plethora of business and enterprise sectors (e.g., automobiles, electronics, energy, finance, etc.) and national infrastructure are increasingly embracing IT/IoT technology alongside data science for improved innovation, efficiency, and up-scaling of their service operations for the benefit of society.
On the flip side, these sectors consequently become amenable to critical, cyber-driven vulnerability exposures in a fast-changing and rugged cyber-threat landscape; more worryingly, these exposures are shared by the information systems managing these sectors (and their digital twins). The massive and devastating Sunburst APT hack is a recent example that drives home our point. It enabled hackers to slip malware into software updates of SolarWinds' Orion software, widely used to manage large organizational networks in multiple service sectors. More importantly, the correlated cyber-risks rooted in common vulnerable software exposures accumulate/aggregate over time and across industrial IoT systems (IIoTs) that share trading relationships via service networks. Unfortunately, these aggregate cyber-risks, taking shape in the form of massive data breaches and business disruption events, have in the past led to commercial losses worth up to billions of dollars, as a 'tip of the iceberg' estimate. These losses can contribute to a significant portion of GDP in certain macro economies. Though relatively rare in occurrence, cyber-loss impacts of such scale might potentially increase in frequency (more so during WFH). This can make it challenging to design the (aggregate) risk coverage policies demanded by industries (deploying IIoTs) that are the root of a significant service supply chain. The importance of this point was recently made at the Beazley NetDiligence Cyber Risk Summit of 2020.
Our main research agenda is to fundamentally tackle some of the most significant challenges facing the success of much-needed scalable aggregate cyber-risk coverage (ARC) businesses for IoT-driven networked service supply chains. More specifically, using tools from the data and the decision sciences, we aim to design and analyze robust (to breach/security information availability) and rigorous network-scientific cyber-risk management (CRM) solution frameworks that address the following challenges:
(a) design and analyze models to accurately estimate first and third party cyber-loss impacts on organizations post cyber-breach events in service-networked smart societies,
(b) formally characterize the effect of human (employee) behavior inside IIoTs on the statistical nature of cyber-risk impacting various divisions of an IIoT-networked organization,
(c) test the commercial and algorithmic feasibility of providing third-party CRM (e.g., via (re-)insurance) for such loss impacts, and
(d) design and analyze optimal strategies (as a function of a supply-chain network of IIoT systems) for commercial CRM businesses to boost product sales in the network while, at the same time, significantly improving cyber-security.
2. Transparent and Equitable Privacy-Enhanced Personal Data Commerce to Mitigate Economic Inequality - The value of personal consumer data to modern e-commerce is worth trillions of USD, and is continually growing in the IoT age. This data helps businesses (a) know customers better through targeted advertising, (b) make better decisions and boost their ROI, and (c) form mutually beneficial and profitable business relationships with other organizations. Economic inequality in certain digitally booming GDP-rich nations is glaring. India, a rapidly growing economy that ranks in the top five GDP nations globally, is an example. In such countries, millionaires control a significant portion of the nation's GDP (e.g., 54% in India), leaving the average individual's income paltry (e.g., approximately USD 5 [PPP converted] per month in India). The monetary power of AI-driven personal data commerce (PDC) can be leveraged using a host of initiatives to achieve a more "equal" (equitable) distribution of wealth and increase GDP in nations exhibiting high economic inequality.
Recent studies in the western world show a diverse range of the monetary impact of personal data (PD) on the earnings of e-commerce firms and individuals in society. As an example, the absence of a single attribute like ZIP code in a customer's data record (let alone the entire record) collected by a frequently used popular service (e.g., Amazon shopping) can result in an opportunity cost of up to US$250 for the service-providing firm. More importantly, the personal data frequently collected by e-commerce firms, such as age, sex, browsing activity, geolocation, etc., of the average (mobile-savvy) individual is worth at least US$1000 annually. If paid to OSA users (after PPP conversion) as a cash payment for their PD, such an amount can significantly reduce the GDP-induced macro-economic inequality in any particular economy around the globe. Its effect is most likely to be felt on economies with high inequality like India and China. E.g., for the smart-phone penetrating, GDP-rich, but highly unequal Indian economy, a PPP-converted value of US$1000 is likely to reduce the average economic inequality by one-fourth.
An introductory question we seek to address in our research through field experiments is: are individuals willing to receive direct payment in the first place? On the one hand, it might seem obvious that users would welcome the opportunity for financial gain. However, such direct payments might require the user to be informed explicitly about: (i) what is being transacted (in terms of quantity and quality), (ii) on what terms, (iii) to whom, and (iv) for what purpose. It is possible that users will have second thoughts about their OSA use when presented with such information, which was previously opaque and vague. But it could be equally likely that such information gives the users a sense of agency and control. Further, the users' concerns over privacy risk (along with future adverse repercussions of algorithmic bias from AI-engines) could be substantially alleviated if they are allowed to make the definitive and affirmative decision of selling their data for direct monetary gain. Of course, it could be that both are true, each applying to different population segments.
Based on affirmative results obtained (from large-scale experiments) to our introductory question for the culturally and educationally diverse Indian sub-continent, our research ambition broadly seeks to promote a paradigm-shifting transparent, equitable, and privacy-friendly personal data commerce (PDC), by establishing its economics, (differential) privacy, and algorithmic foundations informed by human subject experiments. Our notion of ‘transparency’ implies that individuals should be effectively informed/educated of the PD that is being collected by PD aggregators along with the privacy risks that might accompany such data collection activities.
More specifically, our research agenda to realize a PDC 2.0, as mentioned above, is driven by three guiding principles:
(a) our design should account for the behavioral preferences of individuals (or certain groups) and buyers on monetizing personal data,
(b) the end system should provide beneficial privacy-QoS trade-offs in information externality settings to the PDC stakeholders, which include individuals and competitive commercial entities in the data collection ecosystem (e.g., controllers, processors, brokers), and
(c) a share of the commercial profit from the data collection ecosystem should be re-distributed among individuals in favor of monetizing data.
Moreover, though the profit redistribution aspect of this paradigm shift is necessary for growing economies with high inequality and would have an out-sized impact on the latter, the underlying methodologies characterizing the design and implementation of such PDC are equally applicable elsewhere. As an orthogonal but equally important agenda, we will study (a) demography-specific behavioral justifications behind individuals' propensities to trade PD, and (b) the regulatory and policy interventions that might promote (or go against) the implementation of PDC 2.0 in practice.