Date Added: Dec 2010
Incentives play an important role in (security and IT) risk management of a large-scale organization with multiple autonomous divisions. This paper presents an incentive mechanism design framework for risk management based on a game-theoretic approach. The risk manager acts as a mechanism designer providing rules and incentive factors such as assistance or subsidies to divisions or units, which are modeled as selfish players of a strategic (non-cooperative) game. Based on this model, incentive mechanisms with various objectives are developed that satisfy efficiency, preference-compatibility, and strategy-proofness criteria. In addition, iterative and distributed algorithms are presented, which can be implemented under information limitations such as the risk manager not knowing the individual units' preferences. An example scenario illustrates the framework and results numerically.