Economics of User Segmentation, Profiling, and Detection in Security

Bin Mai
College of Business Administration, Northwestern State University, Natchitoches, LA 71497
maibnsula.edu

Huseyin Cavusoglu, Srinivasan Raghunathan, and Byungwan Koh
School of Management, The University of Texas at Dallas, Richardson, TX 75083
sraghu,huseyin,byungwan.kohutdallas.edu

May 2007

Abstract

User profiling is regarded as an effective and efficient tool to detect security breaches because it allows firms to target attackers by deploying a more stringent detection system for them than for normal users. The absence of profiling restricts the firm to using the same detection system for all users. While profiling can be a useful tool, we show that it induces attackers to fake their identity and trick the profiling system into misclassifying their type, and that this incentive is higher when the profiling accuracy is higher. By faking, an attacker reduces the likelihood of being classified as an attacker by the profiling system; a higher profiling accuracy decreases this likelihood more. Further, a higher disparity between the detection rates for attackers and for normal users, which the firm employs to take advantage of a higher profiling accuracy, makes faking even more attractive. If faking is sufficiently easy, if the profiling accuracy is sufficiently poor, or if faking degrades the profiling accuracy sufficiently, then the firm realizes a lower payoff when it uses profiling than when it does not. For profiling to offer maximum benefit, the faking cost should be higher than a threshold value, which is increasing in the profiling accuracy. If faking is not an issue, then, consistent with intuition, it is optimal for a firm to deploy a more stringent detection system for an attacker and a less stringent detection system for a normal user when profiling accuracy improves. However, when faking is an issue and the profiling accuracy is higher than a threshold value, the firm should design less differentiated detection systems, by degrading the detection rate for an attacker or by enhancing the detection rate for a normal user, when profiling accuracy improves.

1. Introduction

Detection systems are an integral part of many security architectures. Metal detectors, X-ray scanners, and physical inspections are a few such systems used in aviation security. Intrusion Detection Systems (IDSs) detect hacking in computer systems. Providing adequate and cost-effective security in domains such as aviation and information security is challenging because only a small fraction of users have any incentive to attack. Subjecting every user to a costly detection procedure is inefficient, but selecting a subset of users randomly is likely to be ineffective. If potential attackers can be identified, then it may be beneficial to employ a more rigorous detection procedure on the actions of these individuals compared to those of others. Thus, user profiling, which attempts to classify users into different risk classes, is considered to be a potentially useful tool in security contexts.

According to the Oxford English Dictionary, one of the definitions of profiling is the "selection for scrutiny by law enforcement officials, etc., based on superficial characteristics (as ethnic background or race) rather than on evidentiary criteria." In this paper, we adopt this definition to distinguish between profiling and detection: while profiling uses criteria pertaining to individuals, detection uses criteria related to criminal behavior. For instance, in aviation security, a Computer Assisted Passenger Prescreening System (CAPPS), a profiling system in our definition, classifies passengers into different risk classes based on characteristics such as gender [1], whereas a metal detector, a detection system, looks for evidence of metal to detect security breaches.

While proponents of profiling tout its ability to offer improved detection at a lower cost, critics have pointed out that users may be able to game the profiling system through trial-and-error sampling and learning [2]. For instance, Chakrabarti and Strauss (2002) demonstrate how a terrorist can circumvent CAPPS and reduce his chances of being detected. Dalvi et al. (2004) discuss how spammers can alter their strategies to trick spam filters in the information security context. In this paper, we analyze the problem of cost-effective design of multi-level detection systems in the presence of user profiling and potential gaming of it by attackers, and seek to answer the following questions about detection system design: When attackers have the ability to fake

[1] For a discussion of the history of CAPPS and its successor CAPPS II, the reader is referred to the vast literature on aviation security (e.g., McLay et al. (2005b) and the references therein).
[2] Critics have also pointed out that profiling is illegal because it is discriminatory, but we do not focus on the legality of profiling in this paper.
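The abstract's argument about faking incentives can be made concrete with a small toy model. The following Python is an added illustration written for this page, not the paper's model: it assumes a profiler of accuracy a that places an honest attacker in the high-risk class with probability a and a normal user there with probability 1 - a, a firm that inspects the high-risk class at rate d_high and the low-risk class at rate d_low, and an attacker who, by paying a faking cost, is profiled as if he were a normal user. All numeric parameters (attacker share, loss per breach, inspection cost, attack value) are constructed for the example. Under these assumptions the attacker's gain from faking is (2a - 1)(d_high - d_low) times the value of a successful attack, so the faking-cost threshold rises with both profiling accuracy and the disparity in detection rates, and when faking is cheap the profiling design can lose to a uniform one.

```python
"""Toy model of profiling plus two-level detection with attacker faking.

Constructed illustration, not the paper's model.  A profiler of accuracy
``accuracy`` sends an honest attacker to the high-risk class with that
probability and a normal user there with probability ``1 - accuracy``.
The firm inspects the high-risk class at rate ``d_high`` and the
low-risk class at rate ``d_low``.  An attacker who pays a faking cost is
profiled exactly like a normal user.  Parameters are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Design:
    accuracy: float  # profiling accuracy a, assumed 0.5 <= a <= 1
    d_high: float    # detection rate applied to the high-risk class
    d_low: float     # detection rate applied to the low-risk class


def p_high_risk(design: Design, attacker: bool, fakes: bool = False) -> float:
    """Probability the profiler places this user in the high-risk class."""
    looks_like_attacker = attacker and not fakes
    return design.accuracy if looks_like_attacker else 1.0 - design.accuracy


def detection_prob(design: Design, attacker: bool, fakes: bool = False) -> float:
    """Probability a user's action is inspected, given the class he lands in."""
    p = p_high_risk(design, attacker, fakes)
    return p * design.d_high + (1.0 - p) * design.d_low


def faking_threshold(design: Design, attack_value: float) -> float:
    """Highest faking cost at which an attacker still prefers to fake.

    Faking lowers the attacker's detection probability by
    (2a - 1) * (d_high - d_low); times the value of a successful attack
    this is the most the attacker would pay.  The threshold grows with
    both the profiling accuracy and the detection-rate disparity.
    """
    drop = detection_prob(design, True) - detection_prob(design, True, fakes=True)
    return attack_value * drop


def attacker_fakes(design: Design, attack_value: float, faking_cost: float) -> bool:
    """Attacker fakes when the expected benefit exceeds the cost."""
    return faking_threshold(design, attack_value) > faking_cost


def firm_loss(design: Design, attacker_share: float, loss_per_breach: float,
              cost_per_inspection: float, attack_value: float,
              faking_cost: float) -> float:
    """Firm's expected loss per user: undetected breaches plus inspection cost.

    The attacker's faking decision is taken into account, so an easily
    faked profiler buys the firm inspections without catching attackers.
    """
    fakes = attacker_fakes(design, attack_value, faking_cost)
    p_att = detection_prob(design, True, fakes)
    p_norm = detection_prob(design, False)
    breach_loss = attacker_share * (1.0 - p_att) * loss_per_breach
    inspections = attacker_share * p_att + (1.0 - attacker_share) * p_norm
    return breach_loss + cost_per_inspection * inspections


if __name__ == "__main__":
    # Constructed parameters: 1% attackers, breach costs 1000, inspection costs 1,
    # a successful attack is worth 100 to the attacker.
    share, loss, insp_cost, value = 0.01, 1000.0, 1.0, 100.0
    profiled = Design(accuracy=0.9, d_high=0.8, d_low=0.2)
    uniform = Design(accuracy=0.9, d_high=0.5, d_low=0.5)  # no profiling in effect

    print("faking threshold vs. profiling accuracy (d_high=0.8, d_low=0.2):")
    for a in (0.6, 0.7, 0.8, 0.9):
        print(f"  a={a:.1f}: threshold={faking_threshold(Design(a, 0.8, 0.2), value):.1f}")

    for c in (10.0, 60.0):
        print(f"faking cost {c:.0f}: profiled loss={firm_loss(profiled, share, loss, insp_cost, value, c):.3f}, "
              f"uniform loss={firm_loss(uniform, share, loss, insp_cost, value, c):.3f}")
```

Running the module sweeps the accuracy and shows the threshold rising with a; with a faking cost of 10 the profiled design is beaten by uniform inspection because the attacker fakes, while with a faking cost of 60 (above the threshold) profiling is cheaper for the firm, which mirrors the abstract's two regimes.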