Compliance management plays an important role in mitigating insider threats. Incentive design is a proactive and non-invasive approach to achieving compliance by aligning an insider's incentive with the defender's security objective, which motivates (rather than commands) an insider to act in the organization's interests. Controlling insiders' incentives for population-level compliance is challenging because those incentives are neither precisely known nor directly controllable. To this end, we develop ZETAR, a zero-trust audit and recommendation framework, to provide a quantitative approach to model insiders' incentives and design customized recommendation policies to improve their compliance. We formulate primal and dual convex programs to compute the optimal bespoke recommendation policies. We create the theoretical underpinning for understanding trust, compliance, and satisfaction, which leads to scoring mechanisms for how compliant and persuadable an insider is. After classifying insiders as malicious, self-interested, or amenable based on how far their incentives are misaligned with the defender's, we establish bespoke information disclosure principles for insiders in each incentive category. We identify the policy separability principle and set convexity, which enable finite-step algorithms to efficiently learn the Completely Trustworthy (CT) policy set when insiders' incentives are unknown. Finally, we present a case study to corroborate the design. Our results show that ZETAR adapts well to insiders with different risk and compliance attitudes and significantly improves compliance. Moreover, trustworthy recommendations can provably promote cyber hygiene and insiders' satisfaction.