I330: Legal and Organizational Security Informatics
Readings and schedule for Organizational Informatics for Spring 2006.
11:15 - 12:05 pm Monday and Wednesday in OP 107
Professor Jean Camp
The Course in a Nutshell
January 8
Introduction and course overview
Today we handle who, when, and why. We will introduce ourselves. I will
define course policies. I will provide information about the project,
about grade distribution, etc.
This course is about ICTs, organizations and the role of security in organizations. The course has three primary elements.
First, the readings and lectures where the minimum critical topics
for literacy in organizations and information security are introduced. The readings
and lectures will focus primarily on theory, particularly looking at
organizations through the lens of economics.
Second, the discussion section. There will be some readings
during the discussion section, primarily those that apply to the
practical training part of the course.
Third is the practical training. The project is an experience in
team management. It includes writing a workplan, implementing the work
plan, and filling out an evaluation of your peers. Most of you are
attending this University to broaden your horizons and increase your
employment-relevant skills. This project, properly executed, will do
both. At the end of the project you should have a considerably expanded
knowledge of your subject, improved presentation skills, and an
extremely cursory introduction to project management. Regular deadlines
during the semester are intended to force the groups not to wait until
the last moment to complete the project.
Introduction to Security
January 10 Security as Anonymity
Anonymity is neither the opposite of security nor the opposite of privacy.
Lecture by Paul Syverson and Roger Dingledine.
January 15 MLK Day
January 17 Security as Crime
Lecture by Alex Tsow
Why Phishing Works by Dhamija, Tygar, Hearst, available at
http://portal.acm.org/citation.cfm?id=1124772.1124861
Warkitting by Tsow, Liu, Jakobsson, Wetzel, available at
http://www.indiana.edu/~phishing/papers/warkit.pdf
January 22 Security and Decision-Making
The five critical questions that must be asked about every security choice in any organization.
Bruce Schneier, Evaluating Security Systems, Ch20, pp 289 - 294.
January 24 Security as CIA
Security as defined by its basic goals, from the text by Matt Bishop.
Project outline and abstract due.
January 29 Security as Economic
R. Anderson, Why information security is hard, ACSAC '01: Proceedings of the 17th Annual Computer Security Applications Conference, IEEE Computer Society, Washington, DC. 2001
Bruce Schneier, 2002 Computer Security: It's the Economics, Stupid: Economics and Information Security Workshop, Berkeley, CA.
http://www.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/18.doc
Introduction to Organizations
An organization can be considered a
single entity, a collection of competing subsets, a group of
self-optimizing individuals, a machine following a process, or a
cultural entity. In the first section of this course we will examine
each of those models.
For three of the models the reading will be Essence of Decision.
This book is about the interaction of nation states rather than the
interactions of businesses. However, in terms of the descriptions of
three of these models there is no other reading that is short but
informative. There are more tedious readings, and readings made terse
by assumptions of the education of the reader. Therefore, the classic
by Allison will be used to discuss the issues. I will provide a very
short introduction to rational choices, and then examine the limits of
rationality. We return to the limits of rationality topic in Economics
and Uncertainty.
January 31 Organizations as Single Rational Beings
Questions to consider during reading
There are three models of
organizations: individual rational actors, collections of groups or
stakeholders, and groups of political individuals with their own
visions and power struggles.
Readings
Allison "Essence of Decision", The Rational Actor, pp. 13-26.
Tversky and Kahneman, "Rational Choice and the Framing of Decisions" in Rational Choice, Hogarth and Reder, eds., pp. 67-94.
February 5 Organizations as Compilation of Stakeholders
Questions to consider during reading
Organizations are not
always entirely rational. Ironically, the rational organization
understands itself as being created by a group of components, and tries
to construct mechanisms to create effective interactions between the
components. Understanding the components of the organization can
prevent the creation of perverse incentives.
Reading
Allison, Essence of Decision, Model II: Organizational Behavior, pp. 143-160.
Organizations in Informatics Context
February 12 Security and Mental Models
Lecture by Farzaneh Asgharpour
February 14 Security and Usability
Lecture by Tonya Stroman
Group work plans due.
February 19 Security and Privacy
Questions to consider during reading
What characteristics of a security problem create a conflict with privacy?
Reading
Camp, Design for Trust
Organizational Models Continued
More conceptual models of
organizations. Each of these applies to most organizations in
different decision contexts. Determining the context of a debate can
help you win internal debates.
February 21 Organizations as Policy Constructs
Questions to consider during reading
From where do
organizations come? Is it just the cooperation of many
people? Economic forces? Group psychology? Indeed, businesses are
presented in media and academy as distinct and clear opposites from
government. Yet in
fact their interaction is quite deep and profound. Government plays a
critical role in creating markets and businesses just as the
environment plays a critical role in creating ecosystems and species.
Readings
Deborah Spar Ruling the Waves pp. 1-22, p.124-289
Why Google Bought YouTube, available on OnCourse
Bibliographies due.
February 26 Organizations as Cultures
Questions to consider during reading
Americans spend most of
their waking hours at work. Workplaces are not neutral or free from
emotion. Workplaces have their own cultures, some of which are
successfully cultured by management.
Readings
Morgan, Gareth (1997) "Ch. 7 : Organizations as Cultures" in Images of Organization. London: Sage, pages 119-145.
Ullman, Ellen. (1997) Close to the Machine, pp 17-27;95-121
Recommended Additional Reading
Van Maanen, J. (1991) "The
Smile Factory: Work at Disneyland." In Frost, P.J., L.E. Moore, M.R.
Louis, C.C. Lundberg and J. Martin (eds.): Reframing Organizational
Culture.
February 28 Organizations as Machines
Lecture by Tonya Stroman
Questions to consider during reading
Why is IT important in an organization? Are ICTs inherently valuable? If not, how do ICTs illustrate their value?
Reading
John Mendonca, Organizational Impact, The Internet
Encyclopedia ed. Hossein Bidgoli, John Wiley & Sons (Hoboken, New
Jersey) 2003. Vol. 2, pp 832 - end.
The Behavioral Component
A short discussion on how individuals
in an organization behave, and how economics alters that behavior. Do
you ever consider leaving Informatics? Is there an airline you refuse
to use? In Informatics are there people with whom you refuse to work?
March 5 Games Companies Play
Questions to consider during reading
What happens when an organization is broken? How do the people that
make up organizations choose to function or fail to function in an
organization? Might companies sacrifice security in order to control their own employees?
Readings
R. Hirschman, Exit, Voice, and Loyalty. Chapters 1, 2, 3, and 8 (pp. 1-20, 21-29, 30-43, 106-119)
March 7 The Human in the Organization
Questions to consider during reading
What incentives are created in software production in a winner-take-all world?
Readings
Frank and Cook, The Winner-Take-All Society Chapter 1 (p. 1-22)
March 12 Spring Break
March 14 Spring Break
March 19 Security and Misalignment
How are on-line
discussions and organizations distinct from off-line organizations?
Does an organization or process change by virtue of replicating
it in electronic form? How are people and interactions different on email? How did you handle this information overload?
Readings
M Sandrini and F Cerbone, We Want Security But We Hate It
Ch 16, pp 213-224
P Thompson, Cybenko and Giani, Cognitive Hacking
Ch 19, pp 255-289.
Decision-Making Tools in Economics
Economics has developed a series of tools that are widely used in daily
business analysis. This section of the course will introduce a few of
those tools, and focus on the potential of these tools to enable
analytical insights.
March 21 Security and Usability
Lecture by Tonya Stroman
Rescheduled from course cancellation of Feb. 14
Revised work plans and outline due.
March 26 Information Market Basics
Questions to consider during reading
How is content presentation different on the network?
Readings
Delong and Froomkin (1997) The Next Economy?, Internet Publishing
and Beyond: The Economics of Digital Information and Intellectual
Property. Edited by B Kahin and H Varian. Cambridge, MA MIT Press.
http://www.law.miami.edu/~froomkin/articles/newecon.htm
Optional Readings
Gupta, Stahl & Whinston, Pricing of Services on the Internet
http://cism.bus.utexas.edu/alok/pricing.html
Why were they wrong? Why has there not been per-use pricing?
Kalakota & Whinston, Electronic Commerce
pp 251-282. Addison Wesley (Boston, MA)
March 28 NPV and Discounted Cash Flow
Questions to consider during reading
Net present value is a way of deciding if we are better off investing
money today or saving money to invest tomorrow. Overview of examples. A
simple example of a decision tree in class.
Readings
http://www.duncanwil.co.uk/invapp.html
Luehrman, What's It Worth?: A General Manager's Guide to Valuation
HBR May - June pp. 133-141.
Dan Geer, Making Choices to Show ROI
Secure Business Quarterly.
April 2 Economics and Uncertainty
Questions to consider during reading
Every person experiences
uncertainty. Now that uncertainty is merely personal, but in the future
your uncertainty and decisions may play a role in decision-making.
Think about your own decisions and how you have fallen into these habits.
Readings
Tversky and Kahneman, "Judgment Under Uncertainty: Heuristics and Biases" Science, vol. 185, 1974, pp. 1124-1131.
M. G. Morgan, B. Fischhoff, A. Bostrom, Risk Communication: A Mental Models Approach pp 1-18, pp 34-62.
Acquisti, Privacy and Facebook, available here http://www.heinz.cmu.edu/~acquisti/papers/acquisti_eis_refs.pdf
Odlyzko, Privacy and Price Discrimination
CH 15, pp 187-212
Information Economics
The session above provided a rudimentary overview of economic tools. In
this section the focus is on the unique features of the information
market.
April 4 Lock-In
Questions to consider during reading
Once you get an iPod you are unlikely to change your music library, because you would lose all your iTunes. Lock-in is the economic name for this turn of events.
Readings
Bernardo A. Huberman, Eytan Adar and Leslie R. Fine, Valuating Privacy
Fourth Workshop on Economics of Security, available at http://www.infosecon.ne
W. B. Arthur, "Competing
Technologies, Increasing returns and Lock-in by Historical Events", The
Economic Journal, Vol 99, Issue 394, pp. 116-131
P. A. David "Clio and the Economics of Qwerty" The American
Economic Review, Vol 75, Issue 2, Papers and Proceedings of the 97th
Annual Review of the American Economic Association, May 1985, pp.
332-337.
April 9 Interconnection and Network Effects
Questions to consider during reading
Feedback is a critical concept in the economics of networks and in network-based competition.
Reading
Noam, Interconnecting the Network of Networks, MIT Press, 2001. pp. 1-25.
Optional Reading
The Economics of Networks, by Nicholas
Economides, International Journal of Industrial Organization, Vol. 16,
no. 4, pp. 673-699 (October 1996). Available on-line
April 11 Spam-onomics
Questions to consider during reading
Spam is no tasty treat. Last year AOL claimed to have stopped its billionth spam email. Spam has significant costs in bandwidth, processing time, and attention span of the inevitable recipients.
Readings
Modeling Incentives for Email Blocking Strategies
Fourth Workshop on Economics of Security, available at http://www.infosecon.net
Proof of Work Doesn't Work
Third Workshop on Economics of Security, available at http://www.infosecon.net
Proof of Work Can Work, from the 2006 conference.
April 16 Externalities
Questions to consider during reading
Network economics implies feedback. Feedback can cause lock-in. How easy will it be for you to get a new email? A new phone?
Here is the first paper that begins to take a formal economic approach to the question of economics of security. For many years before this, the question of economics as an externality was widely asserted but never formally illustrated. This is a transitional paper to the more formal work following.
Reading
Varian, System Reliability and Free Riding
CH 1.
April 18 Net Neutrality
The Net Neutrality debate has moved forward in the past year in fits and starts, but the foundation of the argument has remained the same. We will discuss value-added services and identity-based services in the Net Neutrality context.
Readings
weak net neutrality + DRM = dystopia? available at Educause Resources
April 23 Versioning
Questions to consider during reading
What is versioning? How does digital change versioning? Does beer taste differently from a keg than from a can?
MLS listings on-line http://www.realtor.com and http://www.targetmls.com/
Amazon.com and www.barnesandnoble.com and www.reiters.com
Readings
Information Rules, Shapiro, Carl & Varian, Hal, Harvard Business School Press
(Boston, MA), c1999, pages 53-81
Information Ownership
Information is unique because the ownership structure is extremely
fluid. Who owns which elements of an information good is a critical
question.
April 26 Hazards of Vendor Rule
Questions to consider during reading
How are markets organized?
What were the inherent assumptions about markets in the readings from
last week? Where do markets come from? Who participates in defining the
rules of a market? What are EULA and UCITA?
Readings
The Uniform Computer Information Transactions Act: A Well Built Fence or Barbed Wire Around the Intellectual Commons?
uts.cc.utexas.edu/~lbjjpa/2001/bowman.pdf
Information Rules, Shapiro, Carl & Varian, Harvard
Business School Press (Boston, MA), c1999, also available as an
e-book, pp. 1-50
Optional Readings
National Academy of Science, The Digital
Dilemma: Intellectual Property in the Information Age. National Academy
Press, Washington, DC (2000); (contents completely available on-line)
pp. 1-75.
Apr. 28 Security and Competition
Questions to consider during reading
What are the goals of security in theory? How does this differ from how
it is used in practice? Would the security strategies discussed in
Anderson work with open code?
Readings
Ross Anderson, Cryptography and Competition Policy: Issues with Trusted
Computing, http://www.cl.cam.ac.uk/ftp/users/rja14/tcpa.pdf
April 30 -- Papers Due