Perverse Incentives in Security Contracts: A Case Study in the Colombian Power Grid Carlos Barreto and Alvaro C´ ardenas University of Texas at Dallas The 15th Annual Workshop on the Economics of Information Security C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 1 / 24
Conflict in Colombia Colombia has suffered decades of civil war. The main guerrilla groups are: FARC (Revolutionary Armed Forces of Colombia) ELN (National Liberation Army) Terrorist groups started as revolutionary movements (1964) originated because of Political violence Social dissatisfaction Communist influence (Cuban revolution) Objective of guerrillas Replace the state and impose their own ideals. Started in rural areas with the intention of spread influence along the country. C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 2 / 24
Terrorism Funding Guerrillas support the war against the state with illegal activities such as Illegal drug trade, Extortion, and Exploitation of resources Guerrillas target critical infrastructures to Extort companies Display an ideology to attract popular support (ELN) ▶ They are against exploitation of resources by multinationals Undermine the national economy Show military capacity C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 3 / 24
Problem: Perverse incentives in repair contracts Repair services become necessary due to the large number of attacks. In 2007 93% of the attacks on towers took place in the same region. Investigators discovered that 1 All the towers belonged to the Attacks vs Pending Repairs 350 Attacks same company (ISA) Pending Repairs 300 The modus operandi was the 250 same (e.g., bombs were installed owers 200 in the same place) Attacks on T 150 All repairs were made by the same contractor 100 50 0 2000 2002 2004 2006 2008 2010 2012 2014 Year 1 Semana: Negocio redondo, http://www.semana.com/nacion/articulo/negocio-redondo/94315-3 , 2008, (visited on 02/01/2016). C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 4 / 24
Problem: Perverse incentives in repair contracts Detectives infiltrated the company and found that since 2005 a repair company conspired with terrorists to attack electricity towers. Attacks on Main Affected Regions 200 ANTIOQUIA CAUCA** (Region of fraud) NORTE DE SANTANDER 150 owers Start of fraud Discovery Attacks on T 100 Executives of the company hired 50 guerrilla militants to dynamite towers with 0 2000 2002 2004 2006 2008 2010 2012 2014 Year Easy access Cause partial damage C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 5 / 24
Problem: Perverse incentives in repair contracts Attack’s objective: increase repair services provoking attacks Perverse incentives were feasible because: Attacks easily attributed to terrorist groups Sponsored attacks allows ▶ Reduce the repair costs ▶ Pretend efficiency repairing towers to assure future contracts C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 6 / 24
Contributions We model the changes to contracts that the transmission company implemented to reduce perverse incentives. Idea: Hinder unlawful benefits by assigning contracts randomly (so attacked towers are not repaired by the contractor who sponsored the attack) C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 7 / 24
Outline Structure of repair contracts 1 Frauds in repair contracts 2 Design of a contracts that reduce attacks 3 Conclusions 4 C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 8 / 24
Repair contracts: Ideal Case Contracts are assigned using reverse auctions. Electricity company chooses the Contractors offer repair services contractor with the lowest bid Profit Bids Payment for the service: c 1 U 1 p = min i ∈{ 1 ,..., m } c i = c 1 c 2 U 2 . . . . . . c m U m Ideally, the contractors will make bids that guarantee the minimum expected benefit U i . C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 9 / 24
Outline Structure of repair contracts 1 Frauds in repair contracts 2 Design of a contracts that reduce attacks 3 Conclusions 4 C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 10 / 24
Repair contracts: Fraud Attacks on Main Affected Regions From the reports we know: 200 ANTIOQUIA CAUCA** (Region of fraud) Number of sponsored attacks NORTE DE SANTANDER during 2005-2008: ˜ θ i = 215 / 3 150 This region had attacks every owers Start of fraud Discovery week! Attacks on T 100 Payment for the militants: b = $4444 50 Repair payments $27778 ≤ p ≤ $83333 0 2000 2002 2004 2006 2008 2010 2012 2014 Year Benefits of sponsoring attacks: Increase the number of repair services: θ → θ + ˜ θ i Reduce the cost of repairs, which increases the benefits: U i → ˜ U i The bribe or cost of sponsoring one attacks is b C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 11 / 24
Model of fraud Contractors could reduce their benefit to make lower bids (and become more competitive) L i = ˜ U i − U i : excess benefit with sponsored attacks γ ∈ [0 , 1]: benefit reduction ˜ ˜ θ i New benefit: U i − γ L i New repair cost: c i = c i − ˜ θ i γ L i θ +˜ The profit of a contractor with sponsored attacks becomes sponsored attacks bribe genuine attacks � �� � ���� ���� θ i ( ˜ ˜ b (˜ θ U i + U i − γ L i ) − θ i ) variable cost fixed cost � �� � λ (1 + α ) ˜ ���� θ i − 1 b (˜ ˜ θ i ) = θ i b 0 + α λ, α : parameters to model the increasing cost of additional attacks C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 12 / 24
Repair contracts: Optimal Attack The optimal number of attacks ˜ θ ∗ i can be found solving: θ U i + ˜ θ i ( ˜ U i − γ L i ) − b (˜ maximize θ i ) ˜ θ i (1) ˜ θ i ∈ Z ∗ , subject to The optimal number of attacks is ( )/ α ( ˜ U i − γ L i − b 0 ) θ ∗ ˜ i = ln ln(1 + α ) (2) λ ln(1 + α ) Attacks are unprofitable if ˜ θ ∗ i < 1 λ α (1 + α ) ln(1 + α ) + b 0 > ˜ U i − γ L i ≥ U i . (3) The cost of the attacks is smaller than the expected profit of the contractor. The number of attacks cannot be manipulated by the company C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 13 / 24
Example Known Parameters: Unknown Parameters: Repair cost: Benefit with genuine repairs U 1 p max = $83333 Benefit with dishonest actions ˜ U 1 p min = $27778 Parameters of the bribe function λ Bribe for one attack α b (1) = 4444 We assume that the benefit can be expressed as U 1 = p − E where E are repair expenses. If the contractor requires a return of investment of 10%, that is, U 1 = 0 . 1 E then U 1 = p / 11. Thus U = p max / 11 ≈ $7575 . 7 U = p min / 11 ≈ $2525 . 3 E = 10 U ≈ $75757 E = 10 U ≈ $25253 C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 14 / 24
Example In the worst case the company won’t know the real repair cost. Hence The electricity company will make a payment p max (usual repair cost of attacks) The expenses of sponsored attacks are E (sponsored attacks have the minimum repair cost) Thus, benefit of a sponsored attack is ˜ U 1 = p max − E ≈ 58081 The benefit of sponsored attacks ˜ U 1 is more than seven times the benefit non-sponsored attacks. ˜ U 1 > 7 U 1 C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 15 / 24
Example We assume that the variable cost λ is equal to 20% of the constant cost, i.e., λ = 0 . 2 b 0 . Thus, since b (1) = b 0 + λ we extract b 0 = $3704 We assume that the reported number of sponsored attacks was optimal. Then, ˜ θ ∗ i = 215 / 3 ≈ 72. Assuming that γ = 1 we can estimate α = 0 . 0234 Number of attacks as a function of γ 200 180 160 Number of attacks 140 120 100 80 60 0 0.2 0.4 0.6 0.8 1 Benefit reduction ( γ ) C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 16 / 24
Solutions: Use regulatory mechanisms Regulation might reduce undesirable incentives, e.g., Offer repair contracts with fixed payments (regardless of the number of attacks) Limitation: Malicious contractors could increase the number of attacks to increase the contract’s payments Set remuneration comparing costs of multiple similar firms (Yardstick competition) 2 . Limitation: A malicious contractor can offer costs consistent with Yardstick competition while still offering smaller bids. 2 Andrei Shleifer: A theory of yardstick competition, in: The RAND Journal of Economics 1985, pp. 319–327. C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 17 / 24
Outline Structure of repair contracts 1 Frauds in repair contracts 2 Design of a contracts that reduce attacks 3 Conclusions 4 C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 18 / 24
Mechanism to Disincentivize attacks Electricity company chooses n Contractors offer repair services contractors with the lowest bid Bids c 1 Payment for the service: c 2 p ( n ) = max i ∈{ 1 ,..., n } c i = c n ˆ . . . c n . . . c m Selecting n contractors is more expensive for the electric transmission operator because the payments are defined as C. Barreto and A. C´ ardenas Perverse Incentives in Security Contracts 19 / 24
Recommend
More recommend