I590 (525): Economics of Information Security

Readings and schedule for Economics of Information Security for spring 2006.
1:00 pm Tuesdays and Thursdays.
Professor Jean Camp

The Course in a Nutshell

Jan 10

Introduction and course overview


In the initial class meeting I ask that you write down what particularly interests you in the topic. Are you more interested in the methods or the findings? Is your heart in HCI or are you the soul of business? What level of mathematical discussion is appropriate for the course? The course will be designed to serve the needs of the students in it. I will unavoidably be in Delhi for this meeting.
Questionnaire: Learning Economics of Security

What is Economics of Security?

Jan 12 Session 1: Thinking About Security From Economics

Questions to consider during reading

Here is an essay about economics by Bruce Schneier. It was a keynote from the Workshop on the Economics of Information Security. The five questions are not theoretical economics, nor do they use much of its language. However, these are questions that you cannot answer without economics.
Bruce Schneier, Evaluating Security Systems, Ch. 20, pp. 289-294.
Dan Geer, Making Choices to Show ROI, Secure Business Quarterly.

 

Jan 17 Session 2: Security as Economics
Here we move towards a more formal explanation that integrates security and economics. Bruce describes how economics helps security professionals ask the right questions. Ross explains why those questions must be asked of the technology as well as of the organization.

Reading

R. Anderson, Why information security is hard, ACSAC '01: Proceedings of the 17th Annual Computer Security Applications Conference, IEEE Computer Society, Washington, DC. 2001

 

Jan 19 Session 3: Security as a Broken Market

Questions to consider during reading

The security market is one of opaque claims and diffuse contractual requirements. When reading this paper, come up with your own reasoned definition of security. In class we will examine some of the white papers and marketing materials from security providers, and view them through the lens of this work.

Reading

Bruce Schneier, Computer Security: It's the Economics, Stupid, Workshop on Economics and Information Security, 2002, Berkeley, CA. http://www.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/18.doc
Carl Landwehr, Improving Information Flow in the Security Market, Ch. 12.

 

Jan 24 Session 4: Security as Risk Management

Questions to consider during reading

Security as risk management is a distinct approach. The questions above touch on it, but these more formal guidelines offer more insight.

Reading

Longstaff, T. A., C. Chittister, R. Pethia and Y. Y. Haimes, Are We Forgetting the Risks of Information Technology?, IEEE Computer, pp. 43-51, December 2000.
Stoneburner, G., A. Goguen and A. Feringa, Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30, 2001.

Individual Perspectives on Security

 

Jan 26 Session 1: We Hate Security

Questions to consider during reading

Security is not inherently constructive. Security protects an entity so that it can function; it does not directly augment that functionality. Sometimes security works against the interests of the users, for example with DRM. Therefore most users have a mixed relationship with security.

Readings


L. Jean Camp, Trust, Reputation and Security: Theories and Practice, ed. Rino Falcone, Springer-Verlag (Berlin).
Adam Shostack and Paul Syverson, What Price Privacy?, Ch. 10, pp. 129-142.

 

Jan 31 Session 2: We Don't Hate Security; We Simply Cannot See It

Questions to consider during reading

Despite the stunning success of such novelties as invisible dogs at theme parks and pet rocks, goods with invisible value do not, in general, sell well. This paper argues that making security visible is critical to its success.

Readings

M. Sandrini and F. Cerbone, We Want Security But We Hate It, Ch. 16, pp. 213-224.
P. Thompson, G. Cybenko and A. Giani, Cognitive Hacking, Ch. 19, pp. 255-289.

Security and the Firm

Feb 2 Session 1: Why Companies Share Security Information

Questions to consider during reading

Why do firms share information about their security state that could embarrass them? There are obvious costs, but even when some firms lie, there are also clear benefits.

Readings

Esther Gal-Or and Anindya Ghose, The Economic Consequences of Sharing Security Information, Ch. 8, pp. 95-104.
Lawrence A. Gordon, An Economics Perspective on the Sharing of Information Related to Security Breaches: Concepts and Empirical Evidence, Workshop on the Economics of Information Security, 2002, Berkeley, CA.

 

Feb 7 Session 2: Defining a Security Market

Questions to consider during reading

Security is not a single market. It is a set of markets: spyware, virus detection, firewalls, spam, etc. How do these develop into distinct or combined markets, and why does that make economic sense?

Readings

Anindya Ghose, Arun Sundararajan, Pricing Security Software: Theory and Evidence

 

Feb 9 Session 3: Special Guest

Class Moved to School of Law for One Session

Reading

Acquisti and Grossklags, Privacy Attitudes and Privacy Behaviors, Ch. 13, pp. 165-178. Available at http://www.heinz.cmu.edu/~acquisti/papers/acquisti_eis_refs.pdf

 

Feb 9 Session 3: Valuing and Guiding Investment CANCELED

Questions to consider during reading

Which firm should invest in security? And what kinds of security make the best investments?

Readings

Varian, System Reliability and Free Riding, Ch. 1.

 

Feb 14 Session 4: Valuing Denial of Service

Questions to consider during reading

When denial of service attacks are discussed it is usually assumed that every discouraged customer goes away exactly once, taking with them exactly the purchase they would have made had the site been up. This paper looks at how valuations built on that assumption might both undervalue and overvalue a denial of service attack.

Readings

Why do denial of service attacks reduce future visits? Switching costs vs. changing Fourth Workshop on Economics of Security, available at http://www.infosecon.net
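Added example, not part of the syllabus or the paper above: a small Python model that puts the naive "lost exactly once" valuation beside one in which some blocked customers simply return later (so the naive figure is too high) and some switch to a competitor for good, taking their future purchases with them (so the naive figure is too low). All parameter values, the `Outage` fields and the `return_fraction`, `churn_fraction`, `future_orders` and `discount` knobs are constructed for illustration and are not taken from the reading.

```python
"""Added example, not part of the syllabus or the cited paper: a small
model contrasting the naive valuation of a denial-of-service outage with
one in which some blocked customers return later and some switch away
for good. Every parameter below is constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Outage:
    hours_down: float
    visitors_per_hour: float   # would-be visitors while the site is down
    conversion_rate: float     # fraction of visitors who would have bought
    avg_order_value: float     # revenue per completed purchase


def blocked_purchasers(o: Outage) -> float:
    """Customers who wanted to buy during the outage and could not."""
    return o.hours_down * o.visitors_per_hour * o.conversion_rate


def naive_loss(o: Outage) -> float:
    """The usual assumption: each blocked purchaser is lost exactly once,
    for exactly the one purchase they would have made."""
    return blocked_purchasers(o) * o.avg_order_value


def adjusted_loss(o: Outage, return_fraction: float, churn_fraction: float,
                  future_orders: float, discount: float) -> float:
    """Relax the assumption in both directions.

    return_fraction: share of blocked purchasers who come back and buy once
        the site is up (their order is delayed, not lost).
    churn_fraction:  share who switch to a competitor permanently, taking
        their expected future orders with them.
    future_orders:   expected future purchases per customer over the horizon.
    discount:        discount factor applied to those future purchases.
    The remainder lose exactly one purchase, as in the naive model."""
    if return_fraction + churn_fraction > 1:
        raise ValueError("return_fraction + churn_fraction cannot exceed 1")
    n = blocked_purchasers(o)
    one_off = (1 - return_fraction - churn_fraction) * n * o.avg_order_value
    lifetime = o.avg_order_value * (1 + future_orders * discount)
    churned = churn_fraction * n * lifetime
    return one_off + churned


def compare(o: Outage, return_fraction: float, churn_fraction: float,
            future_orders: float = 4.0, discount: float = 0.9):
    """Return (naive, adjusted, verdict); the verdict says which way the
    naive figure errs under these assumptions."""
    naive = naive_loss(o)
    adjusted = adjusted_loss(o, return_fraction, churn_fraction, future_orders, discount)
    if adjusted < naive:
        verdict = "naive overvalues"
    elif adjusted > naive:
        verdict = "naive undervalues"
    else:
        verdict = "naive is exact"
    return naive, adjusted, verdict


if __name__ == "__main__":
    outage = Outage(hours_down=6, visitors_per_hour=500,
                    conversion_rate=0.02, avg_order_value=50.0)
    # Patient customers, little switching: the naive figure is too high.
    print(compare(outage, return_fraction=0.5, churn_fraction=0.1))
    # Low switching costs, many defectors: the naive figure is too low.
    print(compare(outage, return_fraction=0.2, churn_fraction=0.3))
```

The same outage (3000 blocked visitors, 60 blocked purchases, a naive loss of 3000) comes out at 2580 when half the customers return and one in ten defects, and at 5640 when only a fifth return and three in ten defect. The point for reading the paper is that the sign of the error depends entirely on the switching-cost assumptions, which the naive model never states.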

 

Feb 16 Session 5: Economics of Spam

Questions to consider during reading

Spam is no tasty treat. Last year AOL claimed to have stopped its billionth spam email. Spam has significant costs in bandwidth, processing time, and the attention span of its recipients.

Readings

Modeling Incentives for Email Blocking Strategies, Fourth Workshop on Economics of Security, available at http://www.infosecon.net
Proof of Work Doesn't Work, Third Workshop on Economics of Security, available at http://www.infosecon.net
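Added example, not part of the syllabus or of either paper above: a hashcash-style proof-of-work stamp for email in Python, with a receiving-side verifier and the arithmetic behind the objection that one stamp price cannot both admit an ordinary sender and cap a spammer who controls thousands of compromised machines. The stamp format (`recipient:counter` under SHA-256), the hash rates and the daily message volumes are constructed for illustration, not figures from the reading.

```python
"""Added example, not from the syllabus or the cited paper: a hashcash-style
proof-of-work stamp for email, with the arithmetic behind the objection
that a single stamp price cannot both admit legitimate senders and cap
a spammer who controls many compromised machines. The hash rates and
message volumes below are constructed, not measured."""

import hashlib
import itertools
import math


def _leading_zero_bits(digest: bytes) -> int:
    return 256 - int.from_bytes(digest, "big").bit_length()


def mint_stamp(recipient: str, bits: int) -> str:
    """Brute-force a counter so SHA-256(recipient:counter) starts with `bits`
    zero bits. Expected work is 2**bits hash evaluations; verification is one."""
    for counter in itertools.count():
        stamp = f"{recipient}:{counter}"
        if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp


class StampVerifier:
    """Receiving side. The stamp is bound to the recipient so one stamp cannot
    be sprayed across many inboxes, and every accepted stamp is remembered so
    it cannot be replayed to the same inbox."""

    def __init__(self, recipient: str, bits: int):
        self.recipient = recipient
        self.bits = bits
        self._seen = set()

    def accept(self, stamp: str) -> bool:
        if not stamp.startswith(self.recipient + ":"):
            return False
        if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < self.bits:
            return False
        if stamp in self._seen:
            return False
        self._seen.add(stamp)
        return True


def stamps_per_day(hashes_per_second: float, bits: int) -> float:
    """Messages a sender with this hash rate can stamp per day."""
    return hashes_per_second * 86400 / 2 ** bits


def bits_to_cap(hashes_per_second: float, max_per_day: float) -> int:
    """Smallest difficulty at which this sender mints at most max_per_day stamps."""
    return max(0, math.ceil(math.log2(hashes_per_second * 86400 / max_per_day)))


def pricing_gap(legit_rate: float, legit_needed: float,
                spammer_rate: float, spammer_cap: float):
    """Difficulty needed to hold the spammer to spammer_cap messages/day, and
    what a legitimate sender can still send at that difficulty.
    Returns (bits, legit_stamps_per_day, workable)."""
    bits = bits_to_cap(spammer_rate, spammer_cap)
    legit = stamps_per_day(legit_rate, bits)
    return bits, legit, legit >= legit_needed


if __name__ == "__main__":
    v = StampVerifier("alice@example.com", bits=16)
    s = mint_stamp("alice@example.com", 16)
    print(v.accept(s), v.accept(s))            # second call is a replay
    # Constructed scenario: one desktop at 1e6 hashes/s needing 50 messages a
    # day, against a botnet of 10,000 such machines we want held to 1e5 a day.
    print(pricing_gap(1e6, 50, 1e10, 1e5))
```

In the constructed scenario, holding the botnet to 1e5 messages a day needs a 34-bit stamp, at which the single desktop can mint about five stamps a day, a tenth of what it needs. Raising the price hurts the honest sender faster than the spammer, which is the shape of the argument the reading makes; the exact numbers depend on hash rates the reading, not this example, supplies.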

 

Feb 21 Session 6: Economics of Reputation

Questions to consider during reading

Reputation systems are used for ratings, for p2p download controls, and for knowledge management. They can be considered micropayment systems, knowledge management systems or access control systems. What, then, is a reputation system? What are its economic consequences?

Readings

L. Jean Camp, Peer to Peer Systems, The Internet Encyclopedia, ed. Hossein Bidgoli, John Wiley & Sons (Hoboken, New Jersey), 2003. http://www.ljean.org/files/P2P.pdf
Friedman and Resnick, The Social Cost of Cheap Pseudonyms, Journal of Economics and Management Strategy 10:2, pp. 173-199. www.si.umich.edu/~presnick/papers/identifiers/
Accountability, Chapter 16 in Peer-to-Peer: Harnessing the Power of Disruptive Technologies (O'Reilly). http://www.freehaven.net/doc/oreilly/accountability-ch16.html

Economics of Privacy

 

Feb 23 Session 1: Privacy and Pricing

Questions to consider during reading

Why is so much information compiled about consumers online? Is it all information psychosis, companies wanting it because they want it? What data are valuable, and why? Think about your own decisions and how you evaluate them over time, and why you might hold some information more dear than other information.

Readings

Odlyzko, Privacy and Price Discrimination, Ch. 15, pp. 187-212.

 

Feb 28 Session 2: Privacy and Risk Perception

Guest speaker : To Be Determined

 

Mar 2 Financial Cryptography

Guest speaker : To Be Determined

 

Mar 7 Session 3: Privacy and the Secondary Market

Questions to consider during reading

How do you decide whether you want to share information? Once the information has been shared and has diffused, are you more or less concerned about your past habits? What information do you share voluntarily, on blogs or on Facebook, and what is the privacy policy of the place where you share it?

Readings


Bernardo A. Huberman, Eytan Adar and Leslie R. Fine, Valuating Privacy, Fourth Workshop on Economics of Security, available at http://www.infosecon.net

 

Mar 9 Session 4: Validating Your Bad Habits

Questions to consider during reading

Have you ever read a privacy policy? Try reading one before class today; I recommend Facebook's or Amazon's. Under what conditions can it change? Is it easy to read? How reliable is it?
When someone sells your information, what is it that troubles you? In an experiment asking people to share their information, people were concerned about how it would influence them later. How do we reconcile this finding with the earlier theory of hyperbolic discounting?

Readings

Tony Vila, Rachel Greenstadt and David Molnar, Why We Cannot Be Bothered to Read Privacy Policies, Ch. 11, pp. 143-154.
Luc Wathieu and Allan Friedman, An Empirical Approach to Understanding Privacy Valuation, Fourth Workshop on Economics of Security, available at http://www.infosecon.net

 

Mar 14 Spring Break

 

Mar 16 Spring Break

Digital Rights Management

 

Mar 21 Session 1: DRM versus Security

Questions to consider during reading

What are the goals of security in theory? How does this differ from how it is used in practice? One value of economics of security is that it examines how to look at security as it might function in the marketplace as opposed to in theory.

Readings

Ross Anderson, Cryptography and Competition Policy: Issues with Trusted Computing, http://www.cl.cam.ac.uk/ftp/users/rja14/tcpa.pdf
Samuelson, Digital Rights Management {and, or, vs.} the Law, Communications of the ACM, vol. 46, no. 4, April 2003. http://www.sims.berkeley.edu/~pam/papers.html

 

Mar 23 Session 2: DRM Dissected

Questions to consider during reading

This reading defines copyright as a bundle of rights, rights that can now be made distinct in digital goods. How you model security or DRM depends upon the relative valuation of those rights.

Readings

Camp, DRM Doesn't Really Mean Copyright, IEEE Internet Computing, May 2003. http://www.ljean.org/files/DRM.pdf
Spinello & Tavani: Excerpts from the Digital Millennium Copyright Act (DMCA) of 1998

 

Mar 28 Session 3: DRM and Pricing

Questions to consider during reading

If you think of DRM as a negotiation, limiting the buyer's ability to use a good may also limit the seller's ability to charge for it.

Readings

Dirk Bergemann, Thomas Eisenbach, Joan Feigenbaum and Scott Shenker, Flexibility as an Instrument in Digital Rights Management, Fourth Workshop on Economics of Security, available at http://www.infosecon.net
S. Lewis, How Much Is Stronger DRM Worth?, Ch. 4, pp. 53-58.

 

Mar 30 Session 4: DRM and Pricing (continued)

Questions to consider during reading

This is a continuation of the previous discussion.

Readings

Yooki Park and Suzanne Scotchmer, Digital Rights Management and the Pricing of Digital Products, Fourth Workshop on Economics of Security, available at http://www.infosecon.net

Optional reading

Josh Lerner and Jean Tirole, The Simple Economics of Open Source, 2000. http://opensource.mit.edu/papers/JoshLernerandJeanTriole-TheSimpleEconomicsofOpenSource.pdf

Vulnerability Markets

 

Apr 4 Session 1: Security as an Implicit Market in Vulnerabilities

Questions to consider during reading

Here is the first paper that begins to take a formal economic approach to the economics of security. For many years before it, the claim that insecurity is an externality was widely asserted but never formally illustrated. This is a transitional paper to the more formal work that follows.

Reading

L. Jean Camp and Catherine Wolfram, Pricing Security, Ch. 2, pp. 17-35.

Optional Reading

What kind of good is a vulnerability? How should that affect the market perspective?
DeLong and Froomkin (1997), The Next Economy?, in Internet Publishing and Beyond: The Economics of Digital Information and Intellectual Property, edited by B. Kahin and H. Varian, MIT Press, Cambridge, MA. http://www.law.miami.edu/~froomkin/articles/newecon.htm

 

Apr 6 Session 2: Defining the Vulnerability Market

Questions to consider during reading

One way to pay for vulnerabilities is a per-package mechanism: the vendor of each software package offers a price for vulnerabilities found in it. In this way vendors could back their security claims with measurable amounts.

Reading

Schechter, Computer Security Strength & Risk: A Quantitative Approach, Workshop on the Economics of Information Security, May 16-17, 2002, Berkeley, CA, USA.

 

Apr 11 Session 3: Vulnerability Auctions

Questions to consider during reading

Consider an auction for vulnerabilities. This is what might effectively happen if there are multiple purchasers. Is this better or worse than a fixed price situation? Different sets of assumptions can yield different answers to this question.

Readings

Klemperer, What Really Matters in Auction Design (on OnCourse).
Ozment, Bug Auctions: Vulnerability Markets Reconsidered.

Optional Readings

Dixit and Skeath, Bidding Strategy and Auction Design, Chapter 15 in Games of Strategy, pp. 494-518. This provides a nice, accessible, broad overview.
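Added example, not part of the syllabus or of the readings above: a Python sketch of the two selling mechanisms the session compares. A researcher holding one vulnerability either runs a sealed-bid second-price (Vickrey) auction among every party that wants it, or accepts the vendor's posted fixed bounty unless an outside buyer offers more. The buyer names, the valuation ranges and the bounty level are constructed, and the simulation is there so the class can change the assumptions and watch the "better or worse" answer change with them.

```python
"""Added example, not from the syllabus or the cited papers: two ways a
researcher holding one vulnerability might sell it, a sealed-bid
second-price (Vickrey) auction among several buyers versus a fixed-price
bounty posted by the vendor, simulated over constructed valuations so the
outcome can be compared under different assumptions about who values the
bug most."""

import random
from typing import Dict, Tuple


def vickrey(bids: Dict[str, float]) -> Tuple[str, float]:
    """Highest bidder wins and pays the second-highest bid. With private
    values, bidding one's true value is a dominant strategy, so the price
    paid reveals the runner-up's valuation of the vulnerability."""
    if len(bids) < 2:
        raise ValueError("need at least two bidders")
    ranked = sorted(bids.items(), key=lambda kv: kv[1], reverse=True)
    winner = ranked[0][0]
    price = ranked[1][1]
    return winner, price


def fixed_bounty(bounty: float, outside_offers: Dict[str, float]) -> Tuple[str, float]:
    """Vendor posts a take-it-or-leave-it bounty. The researcher sells to the
    vendor unless some outside buyer offers strictly more; ties go to the vendor."""
    best_other = max(outside_offers.items(), key=lambda kv: kv[1],
                     default=("nobody", float("-inf")))
    if best_other[1] > bounty:
        return best_other
    return "vendor", bounty


def simulate(rounds: int, vendor_range: Tuple[float, float],
             other_ranges: Dict[str, Tuple[float, float]],
             bounty: float, seed: int = 0) -> Dict[str, Dict[str, float]]:
    """Draw private valuations for the vendor and each outside buyer, run both
    mechanisms on the same draw, and tally how often the vendor ends up holding
    the vulnerability and what the researcher earns on average."""
    rng = random.Random(seed)
    tally = {"auction": {"vendor_wins": 0, "revenue": 0.0},
             "bounty": {"vendor_wins": 0, "revenue": 0.0}}
    for _ in range(rounds):
        values = {"vendor": rng.uniform(*vendor_range)}
        for name, rg in other_ranges.items():
            values[name] = rng.uniform(*rg)
        w, p = vickrey(values)
        tally["auction"]["vendor_wins"] += (w == "vendor")
        tally["auction"]["revenue"] += p
        outside = {k: v for k, v in values.items() if k != "vendor"}
        w, p = fixed_bounty(bounty, outside)
        tally["bounty"]["vendor_wins"] += (w == "vendor")
        tally["bounty"]["revenue"] += p
    for t in tally.values():
        t["vendor_share"] = t["vendor_wins"] / rounds
        t["mean_revenue"] = t["revenue"] / rounds
    return tally


if __name__ == "__main__":
    # Constructed valuations: the vendor, a broker and a grey-market buyer.
    result = simulate(rounds=10000, vendor_range=(5000, 20000),
                      other_ranges={"broker": (2000, 15000), "grey": (1000, 30000)},
                      bounty=5000, seed=42)
    for mech, t in result.items():
        print(f"{mech:8s} vendor holds bug {t['vendor_share']:.0%} of the time, "
              f"researcher earns {t['mean_revenue']:.0f} on average")
```

Two things to vary in class: the bounty against the grey-market range (a bounty below what outside buyers will pay leaks most vulnerabilities away from the vendor), and whether the vendor is the highest-value bidder at all (if it is not, the auction hands the bug to whoever values it most, which is exactly the outcome a vendor-run market is meant to prevent). Which mechanism looks "better" depends on which of those assumptions you hold.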

 

Apr 13 Session 4: Valuing Patching and Disclosure

Questions to consider during reading

This paper is both about the importance of patching and vulnerabilities, and an excellent example of how to construct an experiment. The honey pots were set up with clear questions and goals in mind; the data compiled were appropriate; and the results are clear. We will spend some time discussing the construction of experiments.

Readings

Ashish Arora, Honey Pots: Impact of Vulnerability Disclosure and Patch Availability, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN.

 

Apr 18 Session 5: Making the Optimal Market

Questions to consider during reading

How might all of these markets fit together? Which is the best market: auctions, bounties, government action or private parties?

Readings

Rahul Telang and Karthik Kannan, An Economic Analysis of Market for Software Vulnerabilities, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN.

 

Student Work, Student Selected Readings, Works in Progress

Based on student choices about grading, these sessions may include presentations of student work. Alternatively, students will define the interests and we will read those papers. By this time in the semester the 2006 Workshop on Economics of Information Security will be organized, and there will be interesting work in that as well.

 

Apr 18 Session 1

 

Apr 20 Session 2

 

Apr 25 Session 3

 

Apr 27 Session 4