I525: Economics of Information Security
Readings and schedule for Economics of Information Security for Fall 2007.
Professor Jean Camp
The Course in a Nutshell
Aug 27
Introduction and course overview
In the initial class meeting I ask that you write down what
particularly interests you in the topic.
Are you more interested in the methods or the findings? Is your heart
in HCI or are you the soul of business? What level of mathematical
discussion is appropriate for the course?
The course will be designed to serve the needs of the students in it.
Reading
Questionnaire: Learning Economics of Security
What is Economics of Security?
Aug 29 Thinking About Security From Economics
Questions to consider during reading
Here is an essay about economics by Bruce Schneier.
It was a keynote from the Workshop on the Economics of Information
Security. The five questions are not theoretical economics, nor do they
use much of its language. However, these questions are the ones that
you cannot answer without economics.
Reading
R. Anderson, "Why Information Security is Hard," ACSAC '01: Proceedings of the 17th Annual Computer Security Applications Conference, IEEE Computer Society, Washington, DC, 2001.
http://www.acsac.org/2001/papers/110.pdf
Ross Anderson and Tyler Moore, "The Economics of Information Security," Science 314 (5799), pp. 610-613, October 27, 2006.
http://www.cl.cam.ac.uk/~twm29/science-econ.pdf
WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
Optional Reading
Bruce Schneier, "Evaluating Security Systems," Ch. 20, pp. 289-294.
Dan Geer, "Making Choices to Show ROI," Secure Business Quarterly.
Sept 3 Happy Labor Day
Sept 5 What is a Market
Questions to consider during reading
Here we examine the classic lemonade stand market, where the goods and
the market are well understood by buyer and seller. This lecture will
include a basic introduction to marginal cost, marginal price,
competitive and monopolistic markets.
Reading
Microeconomics text excerpt.
Sept 10 Principles and Agents
Questions to consider during reading
Rational economics is constructed by considering the behavior of rational agents. It can be most difficult for one who is not an economist to construct models that are meaningful to an economist if this basic paradigm is not understood.
Reading
Pratt and Zeckhauser, "Principals and Agents: An Overview," Chapter 1, in Principals and Agents, pp. 1-35.
Arrow, "The Economics of Agency," Chapter 2, in Principals and Agents, pp. 37-51.
Sept 12 Network Economics
Questions to consider during reading
While this reading may appear a bit heavy, it is a light introduction to a very dense topic. Please track any questions you have during the reading.
Reading
Bailey, J., L. McKnight, and P. Bosco. 1997. "The economics of advanced services in an open communications infrastructure: Transaction costs, production costs, and network externalities."
Nicholas Economides, "The Economics of Networks," International Journal of Industrial Organization, October 1996.
http://www.stern.nyu.edu/networks/94-24.pdf
Sept 17 What is a Broken Market?
Questions to consider during reading
Security as risk management is a distinct approach. The questions above
approach this, but these more formal guidelines offer more insight.
Reading
DeLong and Froomkin (1997), "The Next Economy?" in Internet Publishing and Beyond: The Economics of Digital Information and Intellectual Property, edited by B. Kahin and H. Varian, Cambridge, MA: MIT Press.
http://www.law.miami.edu/~froomkin/articles/newecon.htm
Lerner, Josh & Tirole, Jean (2000-03), "The Simple Economics of Open Source."
http://opensource.mit.edu/papers/JoshLernerandJeanTriole-TheSimpleEconomicsofOpenSource.pdf
Behavioral Economics of Security
Sept 19 Behavior in Markets
Questions to consider during reading
How can the conception of a rational agent be made consistent with the reality of irrational humans?
Reading
Kahneman & Tversky, "Rational Choice and the Framing of Decisions," Journal of Business, 1986, Vol. 59, No. 4, pp. 251-275.
Sept 24 Now I Have It, I'll Keep It
Questions to consider during reading
How much would you pay me for a coff
Readings
Jens Grossklags and Alessandro Acquisti, "When 25 Cents is Too Much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information," WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
Prelec and Loewenstein, "The Red and the Black: Mental Accounting of Savings and Debt," Marketing Science, vol. 17, no. 1, pp. 4-28.
Sept 26 Security - The Invisible, Undesirable Good
Questions to consider during reading
Security is not inherently
constructive. Security protects an entity so it can function; it does
not directly augment that functionality. Sometimes security goes
against the interest of the users; for example, with DRM. Therefore
most users have a mixed relationship with security. Despite the
stunning success of such novelties as invisible dogs at theme parks and
pet rocks, those goods with invisible value do not, in general, sell
well. This paper argues that making security visible is critical to its
success.
Readings
L. Jean Camp, in Trust, Reputation and Security: Theories and Practice, ed. Rino Falcone, Springer-Verlag (Berlin).
Adam Shostack and Paul Syverson, "What Price Privacy," Ch. 10, pp. 129-142.
Security and the Firm
Oct 1 Why Companies Share Security Information
Questions to consider during reading
Why do firms share information that could be embarrassing about their
security state? There are obvious costs, but even when some firms lie,
there are obvious benefits.
Readings
Esther Gal-Or and Anindya Ghose, "The Economic Consequences of Sharing Security Information," Ch. 8, pp. 95-104.
http://www.ljean.com/files/gal_orGhose.pdf
Lawrence A. Gordon, "An Economics Perspective on the Sharing of Information Related to Security Breaches: Concepts and Empirical Evidence," Workshop on the Economics of Information Security, 2002, Berkeley, CA.
http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/51.doc
Oct 3 Defining a Security Market
Questions to consider during reading
Security is not a single market. It is a set of markets: spyware,
virus detection, firewalls, spam, etc. How do those markets develop
into distinct or combined markets, and why does this make economic
sense? And how do larger trends in the ICT market influence the
security market?
Readings
Anindya Ghose and Arun Sundararajan, "Pricing Security Software: Theory and Evidence."
http://infosecon.net/workshop/pdf/37.pdf
Alok Gupta and Dmitry Zhdanov, "Growth and sustainability of MSSP networks", WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
http://weis07.infosecon.net/papers/65.pdf
Oct 8 Guest Speaker: Measurements and Business Process
Questions to consider during reading
"Computers are everywhere but in the productivity numbers" is the famous summation of the productivity paradox. The productivity paradox indicates that investment in computers is not clearly reflected in measurements of productivity or output. If measuring the results of investment in IT is difficult, are there reasons to expect the investment in securing IT to be any more or less difficult to measure?
Reading
"Toward Incentive-based Cyber Trust" (accepted for presentation at i-Society).
http://meritology.com/resources/ (select the conference version).
"Total Cost of Cyber (In)security" (presented at Mini-Metricon).
http://meritology.com/resources/ (select the PPT of this file).
Oct 10 Pricing Privacy
Questions to consider during reading
Privacy includes rational valuation, price discrimination, and behaviors all interacting in unusual ways.
Reading
Acquisti and Grossklags, "Privacy Attitudes and Privacy Behaviors," Ch. 13, pp. 165-178. Available here:
http://www.heinz.cmu.edu/~acquisti/papers/acquisti_eis_refs.pdf
Ramnath K. Chellappa and Shivendu Shivendu, "Incentive Design for Free but No Free Disposal Services: The Case of Personalization under Privacy Concerns," WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
http://weis07.infosecon.net/papers/48.pdf
Oct 15 Guiding Vulnerability Markets
Questions to consider during reading
Which firm should invest in security? And what kinds of security make the best investments?
Readings
Jay Pil Choi, Chaim Fershtman, Neil Gandal "Network Security: Vulnerabilities and Disclosure Policy" WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
http://dimacs.rutgers.edu/Workshops/InformationSecurity/abstracts.html#gandal
Charles Miller, "The legitimate vulnerability market: the secretive world of 0-day exploit sales" WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
http://weis07.infosecon.net/papers/29.pdf
Oct 17 Valuing Spam
Questions to consider during reading
Spam is no tasty treat. Last year AOL claimed to have stopped its
billionth spam email. Spam has significant costs in bandwidth,
processing time, and the attention span of the inevitable recipients.
Readings
Il-Horn Hann, Kai-Lung Hui, Yee-Lin Lai, S.Y.T. Lee and I.P.L. Png, "Who Gets Spammed?," Communications of the ACM, Vol. 49, No. 10, October 2006, pp. 83-87.
http://www.comp.nus.edu.sg/~ipng/research/spam_CACM.pdf
Rainer Boehme and Thorsten Holz, "The Effect of Stock Spam on Financial Markets," Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online:
http://ssrn.com/abstract=897431
Oct 22 Economics of Spam
Questions to consider during reading
More analyses of spam: does it work?
Readings
"Modeling Incentives for Email Blocking Strategies," Fourth Workshop on Economics of Security, available at
www.cl.cam.ac.uk/~rnc1/emailblocking.pdf
"Proof of Work Doesn't Work," Third Workshop on Economics of Security, available at
www.dtc.umn.edu/weis2004/weis-clayton.pdf
Oct 24 Economics of Reputation
Questions to consider during reading
Reputation systems are
used for ratings, for p2p download controls, for knowledge management.
Reputation systems can be considered micro payment systems, knowledge
management systems or access control systems. What, then, is a
reputation system? What are its economic consequences?
Readings
L. Jean Camp, "Peer to Peer Systems," The Internet Encyclopedia, ed. Hossein Bidgoli, John Wiley & Sons (Hoboken, New Jersey), 2003.
http://www.ljean.org/files/P2P.pdf
Rick Wash and Jeff MacKie-Mason, "Incentive-Centered Design for Information Security," DIMACS Workshop on Information Security Economics, January 18-19, 2007, DIMACS Center, Rutgers, NJ.
http://dimacs.rutgers.edu/Workshops/InformationSecurity/abstracts.html#wash
Friedman and Resnick, "The Social Cost of Cheap Pseudonyms," Journal of Economics and Management Strategy 10:2, pp. 173-199.
www.si.umich.edu/~presnick/papers/identifiers/
Additional Reading
Chapter 16: "Peer-to-peer as Disruptive Technologies, Accountability."
http://www.freehaven.net/doc/oreilly/accountability-ch16.html
Economics of Privacy
Oct 29 Privacy and Pricing
Questions to consider during reading
Why is all this information compiled about consumers online? Is it all
information psychosis - companies want it because they want it? What
data are valuable, and why? Think about your own decisions and how you
evaluate them over time, and why you might hold some information more
dear than other information.
Readings
Odlyzko, "Privacy and Price Discrimination," Ch. 15, pp. 187-212.
Oct 31 Privacy and the Secondary Market
WPES in DC
Questions to consider during reading
How do you decide whether you want to share information? Once the
information has been shared and diffused, are you more or less
concerned about past habits? What is the privacy policy of the place
where you share information?
Readings
Bernardo A. Huberman, Eytan Adar and Leslie R. Fine, "Valuating Privacy," Fourth Workshop on Economics of Security, available at
http://infosecon.net/workshop/pdf/7.pdf
Luc Wathieu and Allan Friedman, "An Empirical Approach to Understanding Privacy Valuation," Fourth Workshop on Economics of Security, available at
http://infosecon.net/workshop/pdf/WathFried_WEIS05.pdf
Nov 5 Validating Your Bad Habits
Questions to consider during reading
Have you ever read a privacy policy? Try reading one before class
today; I recommend Facebook's or Amazon's. Under what conditions can
it change? Is it easy to read? How reliable is it?
When someone sells your information, what is it that troubles you?
In an experiment asking people to share their information, people are
concerned about how it will influence them later. How do we resolve
this finding with the earlier theory of hyperbolic discounting?
Reading
Tony Vila, Rachel Greenstadt and David Molnar, "Why We Cannot Be Bothered to Read Privacy Policies," Ch. 11, pp. 143-154.
http://www.cpppe.umd.edu/rhsmith3/papers/Final_session3_molnar.greenstadt.vila.pdf
Rainer Boehme and Sven Koble, Technische Universität Dresden, "On the Viability of Privacy-Enhancing Technologies in a Self-Regulated Business-to-Consumer Market: Will Privacy Remain a Luxury Good?," WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
http://weis07.infosecon.net/papers/30.pdf
Digital Rights Management
Nov 7 DRM in the Market
Questions to consider during reading
What are the goals of
security in theory? How does this differ from how
it is used in practice? One value of economics of security is that it
examines how to look at security as it might function in the
marketplace as opposed to in theory.
Readings
C. Osorio, "A Contribution to the Understanding of Illegal Copying of Software: Empirical and Analytical Evidence Against Conventional Wisdom."
http://opensource.mit.edu/papers/osorio.pdf
Besen, S. M. and S. N. Kirby (1989), "Private Copying, Appropriability, and Optimal Copying Royalties," Journal of Law and Economics, 32 (October): 255-280.
For this article go to JSTOR at http://www.libraries.iub.edu/index.php?pageId=2347 and log in with your IU ID.
Optional Readings
Ross Anderson, "Cryptography and Competition Policy: Issues with Trusted Computing."
http://www.cl.cam.ac.uk/ftp/users/rja14/tcpa.pdf
Nov 12 DRM Dissected
Questions to consider during reading
This reading defines copyright as a bundle of rights, rights that can
now be made distinct in digital goods. How you model security or DRM
depends upon the relative valuation of those rights.
Readings
Camp, "DRM Doesn't Really Mean Copyright," IEEE Internet Computing, May 2003.
papers.ssrn.com/sol3/papers.cfm?abstract_id=348941
Samuelson, "Digital Rights Management {and, or, vs.} the Law," vol. 46, no. 4, April 2003.
http://www.sims.berkeley.edu/~pam/papers.html
Nov 14 DRM and Pricing
Questions to consider during reading
If you think of DRM as a negotiation, limiting the ability to use a good might limit the ability to charge for the good.
Readings
Michael D. Smith and Rahul Telang, "Competing with Free: The Impact of Movie Broadcasts on DVD Sales and Internet Piracy," DIMACS Workshop on Information Security Economics, January 18-19, 2007, DIMACS Center, Rutgers, NJ.
http://dimacs.rutgers.edu/Workshops/InformationSecurity/slides/smith.ppt
Nov 19 DRM and Patch Management
Questions to consider during reading
This is a continuation of the previous discussion.
Readings
Srinivasan Raghunathan, Huseyin Cavusoglu, Byungwan Koh and Bin Mai, "Economics of User Segmentation, Profiling, and Detection in Security," WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
papers.ssrn.com/sol3/papers.cfm?abstract_id=916373
Huseyin Cavusoglu, Hasan Cavusoglu and Jun Zhang, "Economics of Security Patch Management," Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online at
http://weis2006.econinfosec.org/docs/5.pdf
Nov 21 Thanksgiving Recess
Questions to consider during recess
Watch for cameras and count them as you travel. Examine how many times you are required to present identity information, are queried by a security agent, or have to provide authenticating information.
Vulnerability Markets
Nov 26 Security as an Implicit Market in Vulnerabilities
Questions to consider during reading
Here is the first paper
that begins to take a formal economic approach to the question of
economics of security. For many years before this, the question of
economics as an externality was widely asserted but never formally
illustrated. This is a transitional paper to the more formal work
following.
Reading
L. Jean Camp and Catherine Wolfram, "Pricing Security," Ch. 2, pp. 17-35.
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=894966
Jay Pil Choi, Chaim Fershtman and Neil Gandal, "Network Security: Vulnerabilities and Disclosure Policy," WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
http://weis07.infosecon.net/papers/68.doc
Anindya Ghose and Uday Rajan, "The Economic Impact of Regulatory Information Disclosure on Information Security Investments, Competition, and Social Welfare," Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online at
http://weis2006.econinfosec.org/docs/37.pdf
Nov 28 Vulnerability Auctions
Questions to consider during reading
Consider an auction for vulnerabilities. This is what might effectively
happen if there are multiple purchasers. Is this better or worse than a
fixed price situation? Different sets of assumptions can yield
different answers to this question.
Readings
Klemperer, "What Really Matters in Auction Design."
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=237114
Ozment, "Bug Auctions: Vulnerability Markets Reconsidered."
http://www.dtc.umn.edu/weis2004/ozment.pdf
Optional Reading
Dixit and Skeath, "Bidding Strategy and Auction Design," Chapter 15, in Games of Strategy, pp. 494-518. This provides a nice, accessible, broad overview.
Dec 3 Valuing Patching and Disclosure
Questions to consider during reading
This paper is both about the importance of patching and vulnerabilities,
and an excellent example of how to construct an experiment. The honey
pots were set up with clear questions and goals in mind; the data
compiled was appropriate; and the results are clear. We will spend some
time discussing the construction of experiments.
Readings
Ashish Arora, "Honey Pots, Impact of Vulnerability Disclosure and Patch Availability," Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN.
http://www.dtc.umn.edu/weis2004/telang.pdf
Ashish Arora, Christopher M. Forman, Anand Nandkumar and Rahul Telang, "Competitive and Strategic Effects in the Timing of Patch Release," Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online:
http://weis2006.econinfosec.org/docs/35.pd
Optional Reading
Ivan Png and Chen Yu Wang, "The Deterrent Effect of Enforcement Against Computer Hackers: Cross-Country Evidence," WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
Dec 5 Making the Optimal Market
Questions to consider during reading
How do we regulate security? Here are two options: disclosure and signaling.
Readings
Deirdre K. Mulligan, "Information Disclosure as a Light-Weight Regulatory Mechanism," DIMACS Workshop on Information Security Economics, January 18-19, 2007, DIMACS Center, Rutgers, NJ.
http://dimacs.rutgers.edu/Workshops/InformationSecurity/slides/mulligan.ppt
L. Jean Camp, "Reliable, Usable Signaling to Defeat Masquerade Attacks," Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK.
http://weis2006.econinfosec.org/docs/48.pdf