I525: Economics of Information Security

Readings and schedule for Economics of Information Security for Fall 2007.

Professor Jean Camp

The Course in a Nutshell

Aug 27

Introduction and course overview



In the initial class meeting I ask that you write down what particularly interests you in the topic. Are you more interested in the methods or the findings? Is your heart in HCI, or are you the soul of business? What level of mathematical discussion is appropriate for the course? The course will be designed to serve the needs of the students in it.

Reading

Questionnaire: Learning Economics of Security

What is Economics of Security?

Aug 29 Thinking About Security From Economics

Questions to consider during reading

Here is an essay about economics by Bruce Schneier. It was a keynote from the Workshop on the Economics of Information Security. The five questions are not theoretical economics, nor do they use much of its language. However, these questions are ones that you cannot answer without economics.

Reading

R. Anderson, Why Information Security is Hard: An Economic Perspective, ACSAC '01: Proceedings of the 17th Annual Computer Security Applications Conference, IEEE Computer Society, Washington, DC, 2001. http://www.acsac.org/2001/papers/110.pdf

Ross Anderson and Tyler Moore, "The Economics of Information Security," Science 314 (5799), pp. 610-613, October 27, 2006. http://www.cl.cam.ac.uk/~twm29/science-econ.pdf

Optional Reading

Bruce Schneier, Evaluating Security Systems, Ch20, pp 289 - 294.

Dan Geer, Making Choices to Show ROI Secure Business Quarterly.

 

Sept 3 Happy Labor Day

 

Sept 5 What is a Market

Questions to consider during reading

Here we examine the classic lemonade stand market, where the goods and the market are well understood by buyer and seller. This lecture will include a basic introduction to marginal cost, marginal price, competitive and monopolistic markets.

Reading

Microeconomics text excerpt.
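To make the lecture's terms concrete before the reading, here is a small added worked example (not from the course text or the excerpt) that carries a textbook linear market through both regimes: marginal revenue against marginal cost, the competitive price-equals-marginal-cost outcome, the monopolist's MR = MC outcome, and the deadweight loss between them. The demand and cost numbers are constructed for illustration; the same model is what the Oct 3 readings on pricing security software build on.

```python
"""Competitive vs. monopoly outcome for a textbook linear market.

Added worked example for the lecture concepts (marginal cost, marginal revenue,
competitive vs. monopolistic pricing); it is not from the course text.
Demand and cost parameters are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LinearMarket:
    """Inverse demand P(Q) = a - b*Q with constant marginal cost c (a > c, b > 0)."""
    a: float
    b: float
    c: float

    def price(self, q):
        # What buyers pay when quantity q is offered for sale.
        return self.a - self.b * q

    def marginal_revenue(self, q):
        # d(P(Q)*Q)/dQ = a - 2*b*Q: twice the slope of demand.
        return self.a - 2 * self.b * q

    def competitive(self):
        # Many sellers: entry drives price down to marginal cost, P = c.
        q = (self.a - self.c) / self.b
        return {"quantity": q, "price": self.c, "profit": 0.0}

    def monopoly(self):
        # Single seller picks Q where MR = MC: a - 2bQ = c.
        q = (self.a - self.c) / (2 * self.b)
        p = self.price(q)
        return {"quantity": q, "price": p, "profit": (p - self.c) * q}

    def deadweight_loss(self):
        # Surplus lost on the units the monopolist withholds: the triangle
        # between the demand curve and marginal cost from Qm to Qc.
        qc = self.competitive()["quantity"]
        mono = self.monopoly()
        return 0.5 * (qc - mono["quantity"]) * (mono["price"] - self.c)


if __name__ == "__main__":
    m = LinearMarket(a=100.0, b=1.0, c=20.0)  # constructed numbers
    print("competitive:", m.competitive())
    print("monopoly:   ", m.monopoly())
    print("deadweight loss:", m.deadweight_loss())
```

With the constructed parameters the competitive market sells 80 units at 20, the monopolist sells 40 at 60 and earns 1600, and the withheld 40 units represent a deadweight loss of 800. Swap in a positive fixed cost or a rising marginal cost curve to see how the lemonade stand's decisions change.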

 

Sept 10 Principals and Agents

Questions to consider during reading

Rational economics is constructed by considering the behavior of rational agents. It is difficult for someone who is not an economist to construct models that are meaningful to an economist without understanding this basic paradigm.

Reading

Pratt and Zeckhauser, "Principals and Agents: An Overview," Chapter 1, in Principals and Agents, pp. 1-35.

Arrow, "The Economics of Agency," Chapter 2, in Principals and Agents, pp. 37-51.

 

Sept 12 Network Economics

Questions to consider during reading

While this reading may appear a bit heavy, it is a light introduction to a very dense topic. Please track any questions you have during the reading.

Reading

Bailey, J., L. McKnight, and P. Bosco. 1997. "The economics of advanced services in an open communications infrastructure: Transaction costs, production costs, and network externalities."

Nicholas Economides, "The Economics of Networks" October 1996, International Journal of Industrial Organization http://www.stern.nyu.edu/networks/94-24.pdf

 

Sept 17 What is a Broken Market?

Questions to consider during reading

Security as risk management is a distinct approach. The questions above approach this informally; these more formal treatments offer more insight.

Reading

DeLong and Froomkin (1997), The Next Economy? In Internet Publishing and Beyond: The Economics of Digital Information and Intellectual Property, edited by B. Kahin and H. Varian, Cambridge, MA: MIT Press. http://www.law.miami.edu/~froomkin/articles/newecon.htm

Lerner, Josh and Tirole, Jean (2000), The Simple Economics of Open Source. http://opensource.mit.edu/papers/JoshLernerandJeanTriole-TheSimpleEconomicsofOpenSource.pdf

 

Behavioral Economics of Security

Sept 19 Behavior in Markets

Questions to consider during reading

How can the conception of a rational agent be made consistent with the reality of irrational humans?

Reading

Kahneman and Tversky, Rational Choice and the Framing of Decisions, Journal of Business, 1986, Vol. 59, No. 4, pp. 251-275.

 

Sept 24 Now I Have It, I'll Keep It

Questions to consider during reading

How much would you pay me for a coff

Readings

Jens Grossklags and Alessandro Acquisti, When 25 Cents is Too Much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007.

Prelec and Loewenstein, "The Red and the Black: Mental Accounting of Savings and Debt," Marketing Science, vol. 17, no. 1, pp. 4-28.

 

 

Sept 26 Security - The Invisible, Undesirable Good

Questions to consider during reading

Security is not inherently constructive. Security protects an entity so it can function; it does not directly augment that functionality. Sometimes security goes against the interests of the users, for example with DRM. Therefore most users have a mixed relationship with security. Despite the stunning success of such novelties as invisible dogs at theme parks and pet rocks, goods with invisible value do not, in general, sell well. This paper argues that making security visible is critical to its success.

Readings

L. Jean Camp, Trust, Reputation and Security: Theories and Practice, ed. Rino Falcone, Springer-Verlag (Berlin).

Adam Shostack and Paul Syverson, What Price Privacy CH 10, pp 129-142.

Security and the Firm

Oct 1 Why Companies Share Security Information

Questions to consider during reading

Why do firms share information that could be embarrassing about their security state? There are obvious costs, but even when some firms lie, there are obvious benefits.

Readings

Esther Gal-Or and Anindya Ghose, The Economic Consequences of Sharing Security Information, CH 8, pp. 95-104. http://www.ljean.com/files/gal_orGhose.pdf

Lawrence A. Gordon, An Economics Perspective on the Sharing of Information Related to Security Breaches: Concepts and Empirical Evidence, Workshop on the Economics of Information Security, 2002, Berkeley, CA. http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/51.doc

 

Oct 3 Defining a Security Market

Questions to consider during reading

Security is not a single market. It is a set of markets: spyware, virus detection, firewalls, spam, etc. How do these develop into distinct or combined markets, and why does this make economic sense? How do larger trends in the ICT market influence the security market?

Readings

Anindya Ghose and Arun Sundararajan, Pricing Security Software: Theory and Evidence. http://infosecon.net/workshop/pdf/37.pdf

Alok Gupta and Dmitry Zhdanov, "Growth and Sustainability of MSSP Networks", WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/65.pdf

 

Oct 8 Guest Speaker: Measurements and Business Process

Questions to consider during reading

"You can see the computer age everywhere but in the productivity statistics" is Robert Solow's famous summation of the productivity paradox: the investment in computers is not clearly reflected in measurements of productivity or output. If measuring the results of investment in IT is difficult, are there reasons to expect that measuring the return on investment in securing IT will be any more or less difficult?

Reading

Toward Incentive-based Cyber Trust (accepted for presentation at i-Society). http://meritology.com/resources/ Select the conference version.

Total Cost of Cyber (In)security (presented at Mini-Metricon). http://meritology.com/resources/ Select the PPT of this file.

 

Oct 10 Pricing Privacy

Questions to consider during reading

Privacy includes rational valuation, price discrimination, and behaviors all interacting in unusual ways.

Reading

Acquisti and Grossklags, Privacy Attitudes and Privacy Behaviors, CH 13, pp. 165-178. Available at http://www.heinz.cmu.edu/~acquisti/papers/acquisti_eis_refs.pdf

Ramnath K. Chellappa and Shivendu Shivendu, Incentive Design for Free but No Free Disposal Services: The Case of Personalization under Privacy Concerns, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/48.pdf

 

Oct 15 Guiding Vulnerability Markets

Questions to consider during reading

Which firm should invest in security? And what kinds of security make the best investments?

Readings

Jay Pil Choi, Chaim Fershtman and Neil Gandal, "Network Security: Vulnerabilities and Disclosure Policy," WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://dimacs.rutgers.edu/Workshops/InformationSecurity/abstracts.html#gandal

Charles Miller, "The Legitimate Vulnerability Market: The Secretive World of 0-day Exploit Sales," WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/29.pdf

 

Oct 17 Valuing Spam

Questions to consider during reading

Spam is no tasty treat. Last year AOL claimed to have stopped its billionth spam email. Spam has significant costs in bandwidth, processing time, and the attention span of its inevitable recipients.

Readings

Il-Horn Hann, Kai-Lung Hui, Yee-Lin Lai, S.Y.T. Lee and I.P.L. Png, Who Gets Spammed?, Communications of the ACM, Vol. 49, No. 10, October 2006, pp. 83-87. http://www.comp.nus.edu.sg/~ipng/research/spam_CACM.pdf

Rainer Boehme and Thorsten Holz, The Effect of Stock Spam on Financial Markets, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, http://ssrn.com/abstract=897431

 

Oct 22 Economics of Spam

Questions to consider during reading

More analyses of spam: does it work?

Readings

Andrei Serjantov and Richard Clayton, Modeling Incentives for Email Blocking Strategies, Fourth Workshop on Economics of Information Security, 2005, available at www.cl.cam.ac.uk/~rnc1/emailblocking.pdf

Ben Laurie and Richard Clayton, Proof of Work Doesn't Work, Third Workshop on Economics of Information Security, 2004, available at www.dtc.umn.edu/weis2004/weis-clayton.pdf
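The "does it work?" question for proof-of-work stamps turns on who bears the puzzle cost. The following added model (my own illustration for this session, not the authors' model or data) makes the two regimes explicit: a spammer who pays for compute is deterred once the puzzle costs more than a message earns, while a spammer on a botnet has near-zero marginal cost and is bounded only by capacity, so the puzzle must grow with the number of bots. The same puzzle is then applied to legitimate senders to see who can still get their daily mail out. Every number (response rate, CPU rental price, botnet size, sending volumes) is a constructed assumption.

```python
"""How much proof-of-work does it take to stop spam, and who else does it stop?

Added illustrative model for the Laurie and Clayton discussion; it is not the
paper's own model or data. Every parameter passed in below is constructed."""

SECONDS_PER_DAY = 86_400


def puzzle_seconds_to_make_spam_unprofitable(revenue_per_message, cpu_price_per_second):
    """Spammer who PAYS for compute: a message stops paying once the puzzle's
    CPU cost exceeds its expected revenue, i.e. c * price > revenue per message."""
    return revenue_per_message / cpu_price_per_second


def puzzle_seconds_to_cap_botnet(bot_count, target_messages_per_day):
    """Spammer on stolen machines has ~zero marginal cost, so cost-based
    deterrence does nothing; only capacity binds. A botnet of B machines can
    solve B * 86400 / c puzzles a day, so c must be >= B * 86400 / target."""
    return bot_count * SECONDS_PER_DAY / target_messages_per_day


def legit_sender_can_cope(puzzle_seconds, messages_per_day, idle_cpu_seconds_per_day):
    """A legitimate sender solves one puzzle per message from their own idle CPU."""
    return messages_per_day * puzzle_seconds <= idle_cpu_seconds_per_day


def evaluate(puzzle_seconds, senders):
    """senders: {name: (messages_per_day, idle_cpu_seconds_per_day)} ->
    {name: True if that sender can still send all their mail}."""
    return {
        name: legit_sender_can_cope(puzzle_seconds, msgs, idle)
        for name, (msgs, idle) in senders.items()
    }


if __name__ == "__main__":
    # Constructed: one response per 100,000 messages, worth $5 => $0.00005 per
    # message; rented CPU at $0.05 per hour.
    c_pay = puzzle_seconds_to_make_spam_unprofitable(0.00005, 0.05 / 3600)
    # Constructed: a 10,000-machine botnet and a policy goal of holding it to
    # at most one million messages a day.
    c_bot = puzzle_seconds_to_cap_botnet(10_000, 1_000_000)
    # Constructed legitimate senders with eight idle CPU-hours a day each.
    senders = {"casual user": (20, 8 * 3600), "mailing-list owner": (100, 8 * 3600)}
    print(f"puzzle needed against a paying spammer: {c_pay:.1f} s per message")
    print(f"puzzle needed against the botnet:       {c_bot:.0f} s per message")
    print("who can still send at the botnet-level puzzle:", evaluate(c_bot, senders))
```

With these inputs a 3.6-second puzzle already makes spam unprofitable for a spammer who rents CPU, but holding a 10,000-bot network to a million messages a day needs a 864-second puzzle, which the casual sender can absorb and the list owner cannot. Adjust the botnet size to see the required puzzle scale linearly with it.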

 

Oct 24 Economics of Reputation

Questions to consider during reading

Reputation systems are used for ratings, for p2p download controls, for knowledge management. Reputation systems can be considered micro payment systems, knowledge management systems or access control systems. What, then, is a reputation system? What are its economic consequences?

Readings

L. Jean Camp Peer to Peer Systems,The Internet Encyclopedia ed. Hossein Bidgoli, John Wiley & Sons (Hoboken, New Jersey) 2003. http://www.ljean.org/files/P2P.pdf

Rick Wash and Jeff Mackie-Mason Incentive-Centered Design for Information Security, DIMACS Workshop on Information Security Economics January 18 - 19, 2007 DIMACS Center, Rutgers, NJ. http://dimacs.rutgers.edu/Workshops/InformationSecurity/abstracts.html#wash

Friedman and Resnick The Social Cost of Cheap Pseudonyms Journal of Economics and Management Strategy 10:2, 173-199 www.si.umich.edu/~presnick/papers/identifiers/

Chapter 16: Accountability, in Peer-to-Peer: Harnessing the Power of Disruptive Technologies (O'Reilly). http://www.freehaven.net/doc/oreilly/accountability-ch16.html

Economics of Privacy

 

Oct 29 Privacy and Pricing

Questions to consider during reading

Why is so much information compiled about consumers online? Is it all information psychosis, with companies wanting data simply because they want it? What data are valuable and why? Think about your own decisions and how you evaluate them over time, and why you might hold some information more dear than other information.

Readings

Odlyzko, Privacy and Price Discrimination CH 15, pp 187-212

 

Oct 31 Privacy and the Secondary Market

Questions to consider during reading

How do you decide whether you want to share information? Once the information has been shared and diffused, are you more or less concerned about past habits? What is the privacy policy of the place where you share information?

Readings

Bernardo A. Huberman, Eytan Adar and Leslie R. Fine, Valuating Privacy, Fourth Workshop on Economics of Information Security, 2005, available at http://infosecon.net/workshop/pdf/7.pdf

Luc Wathieu and Allan Friedman, An Empirical Approach to Understanding Privacy Valuation, Fourth Workshop on Economics of Information Security, 2005, available at http://infosecon.net/workshop/pdf/WathFried_WEIS05.pdf

 

Nov 5 Validating Your Bad Habits

Questions to consider during reading

Have you ever read a privacy policy? Try reading one before class today; I recommend Facebook's or Amazon's. Under what conditions can it change? Is it easy to read? How reliable is it?

When someone sells your information, what is it that troubles you? In an experiment asking people to share their information, people were concerned about how it would influence them later. How do we reconcile this finding with the earlier theory of hyperbolic discounting?

Reading

Tony Vila, Rachel Greenstadt and David Molnar, Why We Cannot Be Bothered to Read Privacy Policies, CH 11, pp. 143-154. http://www.cpppe.umd.edu/rhsmith3/papers/Final_session3_molnar.greenstadt.vila.pdf

Rainer Boehme and Sven Koble, Technische Universität Dresden, "On the Viability of Privacy-Enhancing Technologies in a Self-Regulated Business-to-Consumer Market: Will Privacy Remain a Luxury Good?," WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/30.pdf

Digital Rights Management

 

Nov 7 DRM in the Market

Questions to consider during reading

What are the goals of security in theory? How does this differ from how it is used in practice? One value of economics of security is that it examines how to look at security as it might function in the marketplace as opposed to in theory.

Readings

C. Osorio, "A contribution to the understanding of illegal copying of software: empirical and analytical evidence against conventional wisdom" http://opensource.mit.edu/papers/osorio.pdf

Besen, S. M. and S. N. Kirby (1989). Private Copying, Appropriability, and Optimal Copying Royalties. Journal of Law and Economics. 32(October): 255-280. For this article go to JSTOR at http://www.libraries.iub.edu/index.php?pageId=2347. Log in with your IU ID.

Optional Readings

Ross Anderson, Cryptography and Competition Policy: Issues with Trusted Computing, http://www.cl.cam.ac.uk/ftp/users/rja14/tcpa.pdf

 

Nov 12 DRM Dissected

Questions to consider during reading

This reading defines copyright as a bundle of rights, rights that can now be made distinct in digital goods. How you model security or DRM depends upon the relative valuation of those rights.

Readings

Camp, DRM Doesn't Really Mean Copyright, IEEE Internet Computing. May 2003. papers.ssrn.com/sol3/papers.cfm?abstract_id=348941

Pamela Samuelson, Digital Rights Management {and, or, vs.} the Law, Communications of the ACM, vol. 46, no. 4, April 2003. http://www.sims.berkeley.edu/~pam/papers.html

 

Nov 14 DRM and Pricing

Questions to consider during reading

If you think of DRM as a negotiation, limiting the ability to use a good might limit the ability to charge for the good.

Readings

Michael D. Smith and Rahul Telang, Competing with Free: The Impact of Movie Broadcasts on DVD Sales and Internet Piracy DIMACS Workshop on Information Security Economics January 18 - 19, 2007 DIMACS Center, Rutgers, NJ. http://dimacs.rutgers.edu/Workshops/InformationSecurity/slides/smith.ppt

 

Nov 19 DRM and Patch Management

Questions to consider during reading

This is a continuation of the previous discussion.

Readings

Srinivasan Raghunathan, Huseyin Cavusoglu, Byungwan Koh and Bin Mai, Economics of User Segmentation, Profiling, and Detection in Security, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. papers.ssrn.com/sol3/papers.cfm?abstract_id=916373

Huseyin Cavusoglu and Hasan Cavusoglu and Jun Zhang, Economics of Security Patch Management, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/5.pdf

 

Nov 21 Thanksgiving Recess

Questions to consider during recess

Watch for cameras and count them as you travel. Examine how many times you are required to present identity information, are queried by a security agent, or have to provide authenticating information.

 

Vulnerability Markets

 

Nov 26 Security as an Implicit Market in Vulnerabilities

Questions to consider during reading

Here is the first paper that begins to take a formal economic approach to the economics of security. For many years before this, the claim that insecurity is an externality was widely asserted but never formally modeled. This is a transitional paper to the more formal work that follows.

Reading

L Jean Camp and Catherine Wolfram, Pricing Security, CH 2, pp. 17 -35. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=894966

Jay Pil Choi, Chaim Fershtman and Neil Gandal, Network Security: Vulnerabilities and Disclosure Policy, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/68.doc

Anindya Ghose and Uday Rajan, The Economic Impact of Regulatory Information Disclosure on Information Security Investments, Competition, and Social Welfare, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/37.pdf

 

Nov 28 Vulnerability Auctions

Questions to consider during reading

Consider an auction for vulnerabilities. This is what effectively happens when there are multiple purchasers. Is this better or worse than a fixed-price situation? Different sets of assumptions yield different answers to this question.

Readings

Klemperer, What really matters in auction design http://papers.ssrn.com/sol3/papers.cfm?abstract_id=237114

Ozment, Bug Auctions: Vulnerability Markets Reconsidered http://www.dtc.umn.edu/weis2004/ozment.pdf

Optional Reading

Dixit and Skeath, Bidding Strategy and Auction Design,Chapter 15, in Games of Strategy, pp. 494-518. This provides a nice, accessible, broad overview.
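To see how the answer to the Nov 28 question depends on the assumptions, here is an added simulation (my own illustration for this session, not a model from Ozment, Klemperer, or Dixit and Skeath). A researcher holding one vulnerability either accepts a posted bounty from the vendor or sells in a second-price auction among several buyers with independent private values. Two things are compared: what the researcher earns, and whether the bug ends up with a defender or with an offensive buyer. The Uniform(0,1) valuations, the number of bidders, the bounty level and the "offense premium" (the assumption that an exploit user values exclusivity more than a defender does) are all constructed.

```python
"""Fixed-price bounty vs. auction among several buyers for one vulnerability.

Added illustrative simulation for the Nov 28 question; it is not taken from the
assigned papers. Valuations, bidder counts and the offense premium are
constructed assumptions."""
import random
from statistics import mean


def expected_second_price_uniform(n_bidders):
    """Closed form: with n i.i.d. Uniform(0,1) private values, the expected
    second-highest value (what the winner pays under the Vickrey rule) is
    (n-1)/(n+1). Two buyers yield 1/3; five buyers yield 2/3."""
    return (n_bidders - 1) / (n_bidders + 1)


def simulate(n_bidders, fixed_price, offense_premium=0.0, rounds=100_000, seed=7):
    """Compare the researcher's revenue and who ends up holding the bug.

    Bidders 0..n-2 are defensive buyers (vendor, CERT-style purchasers) with
    Uniform(0,1) values. Bidder n-1 is an 'offensive' buyer whose value is
    shifted up by `offense_premium`; with a premium of 0 it is just one more
    ordinary bidder and its winning share is simply 1/n.
    Fixed price: the vendor alone posts `fixed_price`, always pays it, and the
    bug therefore always stays with a defender."""
    rng = random.Random(seed)
    paid = []
    offense_wins = 0
    for _ in range(rounds):
        values = [rng.random() for _ in range(n_bidders)]
        values[-1] += offense_premium
        ranked = sorted(range(n_bidders), key=values.__getitem__, reverse=True)
        paid.append(values[ranked[1]])  # second-price rule: winner pays runner-up's value
        if ranked[0] == n_bidders - 1:
            offense_wins += 1
    return {
        "auction_revenue": mean(paid),
        "fixed_revenue": float(fixed_price),
        "auction_share_to_offense": offense_wins / rounds,
        "fixed_share_to_offense": 0.0,
    }


if __name__ == "__main__":
    # Constructed scenarios: thin market, thick market, and a thin market with
    # a better-funded offensive buyer. Bounty fixed at 0.5 in every case.
    for n, premium in [(2, 0.0), (5, 0.0), (3, 0.5)]:
        result = simulate(n, fixed_price=0.5, offense_premium=premium)
        print(f"{n} bidders, offense premium {premium}:",
              {k: round(v, 3) for k, v in result.items()})
```

With two buyers the auction pays the researcher about a third and the 0.5 bounty is better for them; with five buyers the auction pays about two thirds and the bounty loses. Adding one buyer with a 0.5 premium raises the auction price further but routes the bug to that buyer roughly four times in five, which the fixed-price bounty never does. The welfare ranking thus flips with the number of buyers and with who the buyers are, which is the point of the reading question.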

 

 

Dec 3 Valuing Patching and Disclosure

Questions to consider during reading

This paper is both about the importance of patching and vulnerabilities and an excellent example of how to construct an experiment. The honey pots were set up with clear questions and goals in mind; the data compiled were appropriate; and the results are clear. We will spend some time discussing the construction of experiments.

Readings

Ashish Arora et al., Impact of Vulnerability Disclosure and Patch Availability: An Empirical Analysis (honey pot study), Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN. http://www.dtc.umn.edu/weis2004/telang.pdf

Ashish Arora, Christopher M. Forman, Anand Nandkumar and Rahul Telang, Competitive and Strategic Effects in the Timing of Patch Release, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online at http://weis2006.econinfosec.org/docs/35.pdf

Optional Reading

Ivan Png and Chen Yu Wang, The Deterrent Effect of Enforcement Against Computer Hackers: Cross-Country Evidence, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007.

 

Dec 5 Making the Optimal Market

Questions to consider during reading

How do we regulate security? Here are two options: disclosure and signaling.

Readings

Deirdre K. Mulligan, Information Disclosure as a light-weight regulatory mechanism DIMACS Workshop on Information Security Economics January 18 - 19, 2007 DIMACS Center, Rutgers, NJ. http://dimacs.rutgers.edu/Workshops/InformationSecurity/slides/mulligan.ppt

L Jean Camp, Reliable, Usable Signaling to Defeat Masquerade Attacks, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK http://weis2006.econinfosec.org/docs/48.pdf