Readings and schedule for Economics of Information Security for Fall 2008.
Professor Jean Camp
Sept. 3 The Course in a Nutshell
Introduction and course overview
In the initial class meeting I ask that you write down what particularly interests you in the topic. Are you more interested in the methods or the findings? Is your heart in HCI or are you the soul of business? What level of mathematical discussion is appropriate for the course? The course will be designed to serve the needs of the students in it.
Reading
Questionnaire: Learning Economics of Security - provided in class
Sept. 8 Why Economics of Security?
Reading
Ross Anderson and Tyler Moore, "The Economics of Information Security", Science 314 (5799), pp. 610-613, 27 October 2006. http://www.cl.cam.ac.uk/~twm29/science-econ.pdf
R. Anderson, "Why Information Security is Hard: An Economic Perspective", ACSAC '01: Proceedings of the 17th Annual Computer Security Applications Conference, IEEE Computer Society, Washington, DC, 2001.
Sept 10 Security as Economics
Here we move towards a more formal explanation that integrates security and economics. The security market is one with opaque claims and diffuse contractual requirements. When reading this paper, come up with your own reasoned definition of security. In class we will examine some of the white papers and materials from security providers, and view them through the lens of these works.
Reading
Rick Wash and Jeff MacKie-Mason, Incentive-Centered Design for Information Security, DIMACS Workshop on Information Security Economics, January 18-19, 2007, DIMACS Center, Rutgers, NJ. http://dimacs.rutgers.edu/Workshops/InformationSecurity/abstracts.html#wash
Optional Reading
Bruce Schneier, 2002, Computer Security: It's the Economics, Stupid, Workshop on Economics and Information Security, Berkeley, CA. http://www.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/18.doc
Carl Landwehr, "Improving Information Flow in the Security Market", Ch. 12.
Sept 15 What is a Network?
Those in this class might consider the network to be The Internet. However, studies of interactions, pricing and connectivity are as ancient as the sea trade of the Roman Empire, where the concept of common carriage was first applied.
Questions to consider during Reading
Why is the word "network" used so widely? How is it that buying a chocolate bar is not entirely unlike buying a router? How are these things different? What about buying software for a router?
Reading
The Economics of Networks, provided in class Sept 10.
Sept 17 Following the Money
There is an economics of security because there are violations of security that are themselves driven by economics, i.e. crime. These papers address the economics of crime, the incentives, and the nature of the proverbial beast.
Questions to consider during Reading
Are these numbers what you expect? Credit card number prices appear to be going down. Think about two opposite reasons why this might be the case.
Reading
Jason Franklin, Vern Paxson, Adrian Perrig, and Stefan Savage, An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, CCS '07, Alexandria, VA. http://www.cs.ucsd.edu/~savage/papers/CCS07.pdf
Tyler Moore and Richard Clayton, An Empirical Analysis of the Current State of Phishing Attack and Defence, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/51.pdf
Sept 22 Risky Business
Questions to consider during Reading
Security as risk management is a distinct approach. The questions above approach this, but these more formal guidelines offer more insight.
Reading
Jean Camp, "Bringing Mental Models to Computer Security Risk" under review for Risk Analysis.
Chapter 10, "Risk Budget Theory"
Sept 24 We Spent {Too Much, Not Enough} on Security
Questions to consider during Reading
These two papers take the same fundamental question and come up with two different answers. How can that be the case? As with all the papers we read this semester the critical issues are in the first few pages: the assumptions and the construction of the model.
Reading
Hal Varian, System Reliability and Free Riding, eds. N. Sadeh, Proceedings of the ICEC 2003, 2003, 355-366, ACM Press, New York, NY, people.ischool.berkeley.edu/~hal/Papers/2004/reliability
Bruce Kobayashi, Private Versus Social Incentives in Cybersecurity: Law and Economics, Ch. 1, pp. 13-28, The Law and Economics of Cybersecurity.
Sept 29 Experimentation In Practice
Questions to consider during Reading
How do you apply risk budgets to computer security? How can you construct an experiment that takes an abstract concept and turns it into an applied, empirically testable question? How does this work build upon the risk budget work we discussed previously?
Reading
Jens Grossklags, Alessandro Acquisti, When 25 Cents is too much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/66.pdf
Il-Horn Hann, Kai-Lung Hui, Yee-Lin Lai, S.Y.T. Lee, and I.P.L. Png, Who Gets Spammed?, Communications of the ACM, Vol. 49, No. 10, October 2006, pp. 83-87. http://portal.acm.org/citation.cfm?id=1164394.1164399 and http://www.comp.nus.edu.sg/~ipng/research/spam_CACM.pdf
Oct 1 Evaluation Results Across Experiments
Questions to consider during Reading
Are the results of this extended experiment consistent with the results of other work? Does this work appear to be more general or more specific? Is it consistent with your own behavior online?
Reading
Alessandro Acquisti and Jens Grossklags, Losses, Gains, and Hyperbolic Discounting: An Experimental Approach to Information Security Attitudes and Behaviors, Second Workshop on the Economics of Information Security, 2003, College Park, MD. http://www.cpppe.umd.edu/rhsmith3/papers/Final_session6_acquisti.grossklags.pdf
Oct 6 Evaluation of Theory from Direct Market Observation
Questions to consider during Reading
Bundling and versioning are pricing approaches for many information goods. Do these generic strategies work in security? Should these strategies be more or less common for security goods relative to other information goods?
Reading
Anindya Ghose and Arun Sundararajan, Pricing Security Software: Theory and Evidence. http://hdl.handle.net/2451/14133
Oct 8 Beyond Bundling: Risk Pooling
Questions to consider during Reading
What types of software, facilities, and services does IUB provide directly? What types are outsourced? Why might a company choose to outsource security and is that different from other outsourcing decisions?
Reading
A. Gupta, Growth and Sustainability of Managed Security Services networks: An Economic Perspective, Working Paper.
Oct 13 Sharing Information
Questions to consider during Reading
This is the first in a set of readings about sharing security information. If you knew of a vulnerability, would you tell the company, sell the knowledge, or announce the vulnerability? This question assumes that leveraging the vulnerability for criminal activity is not an option.
Reading
Esther Gal-Or and Anindya Ghose, "The Economic Consequences of Sharing Security Information". http://www.springerlink.com/index/x31871322lq35t81.pdf
Lawrence A. Gordon, "An Economics Perspective on the Sharing of Information Related to Security Breaches: Concepts and Empirical Evidence", Workshop on the Economics of Information Security, 2002, Berkeley, CA. http://www.cl.cam.ac.uk/~rja14/econws/51.doc
Oct 15 When to Share Your Vulnerabilities
Questions to consider during Reading
What is a vulnerability? When should it be shared? How is a generic vulnerability distinct from a specific incident or strategy?
Reading
Camp, L. Jean and Wolfram, Catherine D., Pricing Security: Vulnerabilities as Externalities. Economics of Information Security, Vol. 12, 2004. Available at SSRN: http://ssrn.com/abstract=894966
Huseyin Cavusoglu and Hasan Cavusoglu and Jun Zhang, Economics of Security Patch Management, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/5.pdf
Oct 20 Does Sharing Matter?
Questions to consider during Reading
Consider the previous models and their underlying assumptions about interactions of vulnerabilities and attacks. Do these assumptions hold? How did the previous analytical work provide guidance to the construction of this work?
Reading
Ashish Arora, "Honey Pots, Impact of Vulnerability Disclosure and Patch Availability", Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN. http://www.dtc.umn.edu/weis2004/telang.pdf
Oct 22 Debin Liu: I3P Meeting
Playing Around with Security
Questions to consider during Reading
Game theory is an approach to security and economics that addresses the inherent interaction of attacker and defender.
Reading
K. Lye and Jeannette Wing, Game Strategies in Network Security, Foundations of Computer Security (FCS) 2002, Copenhagen, Denmark. www.cs.cmu.edu/~wing/publications/CMU-CS-02-136.pdf
Oct 27 C. Viecco (ACM CCS)
IPv6 As a Market and Security Question
Questions to consider during Reading
If IPv6 adoption is an economics-of-security problem, is that promising or demoralizing? Why do we have markets? If the proposed market works, what would be the implications for IPv6?
Reading
Elmore, Hillary, Stephens, Brandon and Camp, L. Jean, Diffusion and Adoption of IPv6 in the ARIN Region (August 25, 2008). Available at SSRN: http://ssrn.com/abstract=1255262
Ben Edelman, "Running Out of Numbers: The Impending Scarcity of IP Addresses and What To Do About It", Harvard Business School bedelman@hbs.edu (May 28, 2008) Draft, not for redistribution.
Oct 29 J Duncan (ACM CCS)
DRM
Questions to consider during Reading
What is the economic value of DRM in terms of social welfare, music consumption and pricing? How have we seen some of these predictions borne out?
Reading
Yooki Park and Suzanne Scotchmer, Digital Rights Management and the Pricing of Digital Products, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA. socrates.berkeley.edu/~scotch/w11532.pdf
Dirk Bergemann, Thomas Eisenbach, Joan Feigenbaum, and Scott Shenker, Flexibility as an Instrument in Digital Rights Management, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA. ideas.repec.org/p/cwl/cwldpp/1505.html
Nov 3 More Disclosure
Questions to consider during Reading
And now back to our regularly scheduled disclosure discussion. You are reading the core literature and core researchers in disclosure policy. Consider how these papers play against one another. Examine the assumptions of each underlying model and compare the results.
Reading
Jay Pil Choi, Chaim Fershtman, and Neil Gandal, Network Security: Vulnerabilities and Disclosure Policy, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. papers.ssrn.com/sol3/papers.cfm?abstract_id=1133779
Ashish Arora and Christopher M. Forman and Anand Nandkumar and Rahul Telang, Competitive and Strategic Effects in the Timing of Patch Release, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/35.pdf
Nov 5 Price Discrimination
Questions to consider during Reading
Why is your privacy violated so consistently when you are online? What are the economic incentives for collecting private information?
Reading
Odlyzko, Privacy and Price Discrimination, Ch. 15, pp 187-21. www.dtc.umn.edu/~odlyzko/doc/privacy.economics.pdf
Alessandro Acquisti, Security of Personal Information and Privacy: Economic Incentives and Technological Solutions, Workshop on the Economics of Information Security, May 16-17, 2002, Berkeley, CA. http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/36.doc
Nov 10 Guest Speaker Tonya Stroman
Usability and Visibility
Questions to consider during Reading
What is the relationship between usability and economics? Does increased usability simply lower costs?
Reading
Adam Shostack and Paul Syverson, What Price Privacy, Ch. 10, pp. 129-142. www.stormingmedia.us/20/2005/A200564.html
Nov 12 Economics of Anonymity
Reading
Roger Dingledine and Nick Mathewson, Anonymity Loves Company: Usability and the Network Effect, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK. http://www.freehaven.net/anonbib/cache/usability:weis2006.pdf
Roger Dingledine, Nick Mathewson, and Paul Syverson, Tor: The Second-Generation Onion Router, in Proceedings of the 13th USENIX Security Symposium, August 2004. http://www.onion-router.net/Publications/tor-design.pdf
Nov 17 Auction Design
Questions to consider during Reading
Bug auctions bring us back to the disclosure discussion by way of vulnerability markets. Read Klemperer for what makes an auction work in general, then ask whether those conditions hold when the good being auctioned is knowledge of a vulnerability. As before, examine the assumptions of the underlying model and compare the results.
Reading
Klemperer, What really matters in auction design, ideas.repec.org/p/cpr/ceprdp/2581.html
Ozment, Bug Auctions: Vulnerability Markets Reconsidered. OnCourse.
Nov 19
Privacy
Questions to consider during Reading
If you have nothing to hide you have nothing to worry about. Deviance as a predictor of privacy preference.
Reading
Bernardo A. Huberman and Eytan Adar and Leslie R. Fine, Valuating Privacy, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/7.pdf.
Luc Wathieu and Allan Friedman, An Empirical Approach to Understanding Privacy Valuation, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/WathFried_WEIS05.pdf
Nov 24 Privacy as Profiling
Questions to consider during Reading
Perhaps you should hide some things, in order that you can manage your own risks. How should a company respond in this case?
Reading
Ramnath K. Chellappa, Shivendu Shivendu, Incentive Design for Free but No Free Disposal Services: The Case of Personalization under Privacy Concerns, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007 http://weis07.infosecon.net/papers/48.pdf
Srinivasan Raghunathan, Huseyin Cavusoglu, Byungwan Koh, Bin Mai, Economics of User Segmentation, Profiling, and Detection in Security, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/42.doc
Nov 26
Thanksgiving!
Happy Thanksgiving! Enjoy Celebrating the Second Surviving English Settlement in the Americas!
Assignment
What value surveillance?
You will see many cameras and experience many "security" measures as you travel. Do these make economic sense? Do these make practical sense? Please count the number of cameras you see in a day, particularly a travel day, and also note the number and contexts in which you have to present ID. Then construct an argument identifying the most and least economically rational of them.
Dec 1 Privacy!
Questions to consider during Reading
If privacy is a luxury good, what would that imply about the averaging of costs for price discrimination goods?
Reading
Hal Varian and Fredrik Wallenberg and Glenn Woroch, Who Signed Up for the Do-Not-Call List?, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/varian.pdf
Rainer Bohme and Sven Koble, On the Viability of Privacy-Enhancing Technologies in a Self-Regulated Business-to-Consumer Market: Will Privacy Remain a Luxury Good?, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/30.pdf
Dec 3 Spam One
Questions to consider during Reading
Are the spam'o'nomics of the first paper predicted by the economics of the second paper? What kind of market would you predict?
Reading
David S. Anderson, Chris Fleizach, Stefan Savage, and Geoffrey M. Voelker, Spamscatter: Characterizing Internet Scam Hosting Infrastructure, USENIX Security Symposium, Boston, MA, 5-10 August 2007. http://www.cs.ucsd.edu/~savage/papers/UsenixSec07.pdf
Rainer Boehme and Thorsten Holz, The Effect of Stock Spam on Financial Markets, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://ssrn.com/abstract=897431
Dec 8 Spam Two
Questions to consider during Reading
Consider the two papers against each other, and against the spam papers from the previous session. How much would a proof-of-work stamp have to cost a sender to deter spam, and what assumptions about the sender's infrastructure (a single desktop versus a botnet of compromised machines) does each paper make?
Reading
Debin Liu and L Jean Camp, Proof of Work can Work, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/50.pdf
Ben Laurie and Richard Clayton, Proof-of-Work Proves Not to Work, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/clayton.pdf
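The cost question above is easier to reason about with the mechanism in front of you. The following is an added example, not code from the page or from either paper: it mints and verifies a hashcash-style proof-of-work stamp (a counter is searched until the SHA-1 of the stamp has the required number of leading zero bits) and then computes, for a given difficulty, how many messages a sender can afford per day. The stamp format, the difficulty levels, the hash rates and the dollar costs are all assumptions chosen for illustration; the point the numbers make is the one both papers argue over, namely that a spammer with stolen CPU time faces a very different budget from a legitimate sender with one machine.

```python
from __future__ import annotations

import hashlib
import itertools

# Assumed stamp format for this example (hashcash-like, not a standard):
#   version:bits:resource:nonce:counter
# The proof is that SHA-1(stamp) starts with at least `bits` zero bits.


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


def mint(resource: str, bits: int, nonce: str = "seed") -> tuple[str, int]:
    """Search counters until the stamp hashes to `bits` leading zero bits.
    Returns the stamp and the number of hashes that were tried."""
    header = f"1:{bits}:{resource}:{nonce}"
    for counter in itertools.count():
        stamp = f"{header}:{counter}"
        digest = hashlib.sha1(stamp.encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return stamp, counter + 1
    raise AssertionError("unreachable")


def verify(stamp: str, resource: str, bits: int) -> bool:
    """A receiver accepts a stamp only if it names the expected resource,
    claims at least the required difficulty, and the hash actually has it."""
    parts = stamp.split(":")
    if len(parts) != 5 or parts[0] != "1":
        return False
    try:
        claimed = int(parts[1])
    except ValueError:
        return False
    if claimed < bits or parts[2] != resource:
        return False
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= claimed


def expected_hashes(bits: int) -> int:
    """Each hash succeeds with probability 2^-bits, so 2^bits tries on average."""
    return 2 ** bits


def messages_per_day(bits: int, hashes_per_second: float, machines: int = 1) -> float:
    """How many stamps a sender with `machines` hosts can mint in 24 hours."""
    return 86400.0 * hashes_per_second * machines / expected_hashes(bits)


def cost_per_message(bits: int, hashes_per_second: float, dollars_per_cpu_second: float) -> float:
    """Marginal cost of one stamp for a sender who pays for CPU time."""
    return expected_hashes(bits) / hashes_per_second * dollars_per_cpu_second


if __name__ == "__main__":
    stamp, tries = mint("alice@example.com", 12)
    print(stamp, "after", tries, "hashes; valid:", verify(stamp, "alice@example.com", 12))
    # Assumed figures for the comparison (not from the papers):
    # a legitimate sender with one 1 MH/s desktop paying $0.00001 per CPU-second,
    # versus a bot herder controlling 10,000 compromised machines at zero cost.
    for bits in (20, 24, 28):
        print(bits, "bits:",
              round(messages_per_day(bits, 1e6, 1)), "msgs/day for one desktop,",
              round(messages_per_day(bits, 1e6, 10_000)), "msgs/day for 10k bots,",
              "cost/msg for the paying sender $", round(cost_per_message(bits, 1e6, 1e-5), 6))
```

Run it and vary the bit count: at 20 bits a lone desktop can still mint about 82,000 stamps a day while the botnet mints 820 million, and raising the difficulty enough to starve the botnet starves the legitimate sender first. That asymmetry is the core of the Laurie and Clayton objection, and the burden on Liu and Camp is to show under what infrastructure assumptions it can be escaped.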
Dec 10 Trust Me
Questions to consider during Reading
Under what conditions does an economic party need to assert that they are trustworthy?
Reading
Benjamin Edelman, Adverse Selection in Online 'Trust' Certifications, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/10.pdf
Alex Tsow, Camilo Viecco, and L. Jean Camp, Privacy-Aware Architecture for Sharing Web Histories, IBM Systems Journal, in OnCourse and not for redistribution.