I525: Economics of Information Security

Readings and schedule for Economics of Information Security for Fall 2009.

Professor Jean Camp
Course Prospectus



Aug. 31* Introduction and Overview
In the initial class meeting I ask that you write down what particularly interests you in the topic. Are you more interested in the methods or the findings? Is your heart in HCI or are you the soul of business? What level of mathematical discussion is appropriate for the course? The course will be designed to serve the needs of the students.

Questions to consider during Reading

What would be your ideal outcome for this course? What do you hope to learn? Can you imagine applying this at this time?

Reading


Questionnaire: Learning Economics of Security - provided in OnCourse
 
Introductory Examples
Sept. 2* Computer Security as Economics

Questions to consider during Reading

Notice that the answer to the question "Why information security is hard?" is not because mathematics is sublime. Rather, the work on the fundamentals continues in a scientific (but unpredictable) manner, while adoption of basic solutions occurs in fits, booms, or not at all.

Reading

Ross Anderson and Tyler Moore. "The Economics of Information Security" Science 314 (5799), pp.610-613, October 27, 2006. Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008. http://www.cl.cam.ac.uk/~twm29/science-econ.pdf
R. Anderson, "Why information security is hard", ACSAC 01: Proceedings of the 17th Annual Computer Security Applications Conference, IEEE Computer Society, Washington, DC. 2001
 
Sept 7 Economics as Applied to Computer Security

Questions to consider during Reading


Security is not a single market. Please consider three possible examples where Varian's model holds in each. For example, in the internal market within a firm, what kind of model would be appropriate for patching individual machines?

Reading

Hal Varian, System Reliability and Free Riding, eds. N. Sadeh, Proceedings of the ICEC 2003, 2003, 355-366, ACM Press, New York, NY, people.ischool.berkeley.edu/~hal/Papers/2004/reliability
Rick Wash and Jeff Mackie-Mason Incentive-Centered Design for Information Security, DIMACS Workshop on Information Security Economics January 18 - 19, 2007 DIMACS Center, Rutgers, NJ. http://dimacs.rutgers.edu/Workshops/InformationSecurity/abstracts.html#wash
 
Sept 9* Basic Observations in Economics of Security

Questions to consider during Reading


The reason there is an economics of security is that there are violations of security driven by economics, e.g. crime. These papers address the economics of crime, the incentives and the nature of the proverbial beast. Are these numbers what you expect? Credit card number prices appear to be going down. Think about two opposite reasons why this might be the case.

Reading

Jason Franklin, Vern Paxson, Adrian Perrig, and Stefan Savage, An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, CCS '07, Alexandria, VA. http://www.cs.ucsd.edu/~savage/papers/CCS07.pdf
Cormac Herley, Dinei Florencio Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy, The Eighth Workshop on the Economics of Information Security (WEIS 2009), University College London, UK 24-25 June 2009
 
Behavioral Economics
Sept 14* Economic Behavior

Questions to consider during Reading

Why are we willing to take the risks that we take? What makes us unwilling to pay $1 for something one moment that will be worth ten times that in another? Is it true that "he who hesitates is lost", or is it critical to look before one leaps? Humans are not rational when it comes to risk -- economic or networked.

Reading

Zeckhauser, Richard, "Behavioral versus Rational Economics," in Rational Choice: The Contrast between Economics and Psychology, Robin M. Hogarth and Melvin W. Reder, eds., Chicago: University of Chicago Press, 1986, pp. 251-265
L Jean Camp, "Mental Models of Security", IEEE Technology & Society, Winter, 2007
 
Rational Economics
Sept 16 Rational Economics Basics

Questions to consider during Reading

Here we examine the classic lemonade stand market, where the goods and the market are well understood by buyer and seller. This lecture will include a basic introduction to marginal cost, marginal price, competitive and monopolistic markets.

Reading

First, there will be additional notes provided in class.
Pratt and Zeckhauser, "Principals and Agents: An Overview," Chapter 1, in Principals and Agents, pp. 1-35.
Arrow, "The Economics of Agency," Chapter 2, in Principals and Agents, pp. 37-51.
 
Sept 21 Rational Economics Applied to the Network

Questions to consider during Reading

What are transactions costs, production costs and network externalities? How do these influence investment in networked goods? Which categories of security products can be considered networked, and what can be considered stand-alone?

Reading

Nicholas Economides, "The Economics of Networks" October 1996, International Journal of Industrial Organization http://www.stern.nyu.edu/networks/94-24.pdf
 
Economics of Vulnerabilities
Sept 23 Sharing Vulnerability Information

Questions to consider during reading

Why do firms share information that could be embarrassing about their security state? There are obvious costs, but even when some firms lie, there are obvious benefits. Note these are somewhat classic articles now.

Readings

Esther Gal-Or and Anindya Ghose, The Economic Consequences of Sharing Security Information, CH 8, pp. 95-104
Lawrence A. Gordon, An Economics Perspective on the Sharing of Information Related to Security Breaches: Concepts and Empirical Evidence, Workshop on the Economics of Information Security, 2002, Berkeley, CA.
 
Sept 28 Uncertainty In Decision-Making in terms of Patching

Questions to consider during Reading

What dimensions of uncertainty exist in vulnerabilities? What strategies do different organizations, both software producers and consumers, apply to deal with these uncertainties?

Reading

Rainer Boehme, Tyler Moore The Iterated Weakest Link - A Model of Adaptive Security Investment, The Eighth Workshop on the Economics of Information Security (WEIS 2009), University College London, UK 24-25 June 2009
D. Kahneman, Paul Slovic & Amos Tversky (1982) Judgment Under Uncertainty: Heuristics and Biases (Cambridge University Press). (excerpt)
 
Sept 30 Vulnerabilities and the optimal Response

Questions to consider during Reading

Reading

Camp, L. Jean and Wolfram, Catherine D., Pricing Security: Vulnerabilities as Externalities. Economics of Information Security, Vol. 12, 2004. Available at SSRN: http://ssrn.com/abstract=894966
Rahul Telang, and Sunil Wattal, "Impact of Software Vulnerability Announcements on the Market Value of Software Vendors -- an Empirical Investigation", Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/telang_wattal.pdf

 
Oct 5 Conceptions of Vulnerabilities

Questions to consider during Reading

The creator of the vulnerability, the party who discovers the vulnerability, the entity that creates the patch, the responsible computer-owner who patches and the rational computer owner who fails to patch are all economic agents. What are their incentives?

Reading

Jay Pil Choi, Chaim Fershtman, Neil Gandal, Network Security: Vulnerabilities and Disclosure Policy, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008. papers.ssrn.com/sol3/papers.cfm?abstract_id=1133779
Ashish Arora and Christopher M. Forman and Anand Nandkumar and Rahul Telang, Competitive and Strategic Effects in the Timing of Patch Release, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/35.pdf
 
Oct 7 Patch release and Adoption

Questions to consider during Reading

Here we consider the incentives of the attackers as well as the parties listed previously. What are the incentives of attackers?

Reading

Huseyin Cavusoglu and Hasan Cavusoglu and Jun Zhang, Economics of Security Patch Management, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/5.pdf
T. Maillart, D. Sornette, Heavy-Tailed Distribution of Cyber-Risks, Physics and Society. http://arxiv.org/abs/0803.2256

 
Oct 12 As The Worm Turns

Questions to consider during Reading

Does publication of a patch fail to prevent worms from spreading, or are there rather periodic waves? Given the readings below, what is the optimal patch notification policy?

Reading

Ashish Arora, "Honey Pots, Impact of Vulnerability Disclosure and Patch Availability", Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN. http://www.dtc.umn.edu/weis2004/telang.pdf
William A. Arbaugh and William L. Fithen and John McHugh, Windows of Vulnerability: A Case Study Analysis, Computer, Vol. 33, 12, 2000, 52-59, IEEE Computer Society Press.

Oct 14 Auction Design

Questions to consider during Reading

Would it be possible to design an auction as discussed in Ozment that is immune to the factors discussed in Klemperer? What perverse incentives might be created?

Reading

Klemperer, What really matters in auction design, ideas.repec.org/p/cpr/ceprdp/2581.html
Ozment, Bug Auctions: Vulnerability Markets Reconsidered. OnCourse.

Economics of Privacy
Oct 19 Price Discrimination

Questions to consider during Reading

Why is your privacy violated so consistently when you are online? Why does anyone care? What are the economic incentives for collecting private information?

Reading

Odlyzko, Privacy and Price Discrimination, CH 15, pp. 187-21 www.dtc.umn.edu/~odlyzko/doc/privacy.economics.pdf

Luc Wathieu and Allan Friedman, An Empirical Approach to Understanding Privacy Valuation, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/WathFried_WEIS05.pdf
 
Oct 21 Pricing Personal Information

Questions to consider during Reading

How much would you pay to hide your lowest grade? How much would you accept to disclose it? Is deviance from the perceived norm a predictor of your privacy preference? Thinking of it in these terms likely results in close numbers, but that is not how mental accounting always works.

Reading

Jens Grossklags, Alessandro Acquisti, When 25 Cents is too much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
Prelec and Loewenstein, "The Red and the Black: Mental Accounting of Savings and Debt," Marketing Science, vol. 17, no. 1, pp. 4-28.
Bernardo A. Huberman and Eytan Adar and Leslie R. Fine, Valuating Privacy, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/7.pdf.
 
Oct 26 Privacy and Identity

Questions to consider during Reading

Should there be a special Clear line for travelers? Was the TSA correct in refusing to limit searches to those not in the Clear program?

Reading

Ramnath K. Chellappa, Shivendu Shivendu, Incentive Design for Free but No Free Disposal Services: The Case of Personalization under Privacy Concerns, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/48.pdf
Tony Vila and Rachel Greenstadt and David Molnar, Why We Cannot Be Bothered to Read Privacy Policies, CH 11, pp. 143-154.
 
Oct 28 Privacy as a Luxury Good

Questions to consider during Reading

If privacy is a luxury good, what would that imply about the averaging of costs for price-discriminated goods? "I thought, too, of the admirable smoke and drink and the deep armchairs and the pleasant carpets: of the urbanity, the geniality, the dignity which are the offspring of luxury and privacy and space." Privacy as spatial, and as a luxury good, from October 1928, A Room of One's Own, by Virginia Woolf.

Reading

Hal Varian and Fredrik Wallenberg and Glenn Woroch, Who Signed Up for the Do-Not-Call List?, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/varian.pdf
Rainer Bohme and Sven Koble, On the Viability of Privacy-Enhancing Technologies in a Self-Regulated Business-to-Consumer Market: Will Privacy Remain a Luxury Good?, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/30.pdf
 
Spam
Nov 2 Spamonomics

Questions to consider during Reading

How much would spam have to cost and what are the assumptions about the infrastructure? Do these assumptions correspond with the earlier readings?

Reading


Ben Laurie and Richard Clayton, Proof-of-Work Proves Not to Work, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/clayton.pdf
Debin Liu and L Jean Camp, Proof of Work can Work, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/50.pdf
 
Nov 4 Spamalitics

Questions to consider during Reading

What is the true loss and cost of spam? Why have systemic spam responses not been adopted?

Reading

Il-Horn Hann, Kai-Lung Hui, Yee-Lin Lai, S.Y.T. Lee and I.P.L. Png, Who Gets Spammed?, Communications of the ACM, Vol. 49, No. 10, October 2006, 83-87, http://www.comp.nus.edu.sg/~ipng/research/spam_CACM.pdf
David S. Anderson, Chris Fleizach, Stefan Savage and Geoffrey M. Voelker, Spamscatter: Characterizing Internet Scam Hosting Infrastructure, USENIX Security Symposium, Boston, MA. 5-10 August 2007. http://www.cs.ucsd.edu/~savage/papers/UsenixSec07.pdf
 
ACM CCS
Nov 9 ACM CCS

Questions & Reading

Attend the ACM CCS event. If you cannot attend, then you may read the papers from one track and write a summary. If you do attend, please take clear, careful notes for the tracks you attend. These notes will be your participation and weekly summary grades for this week.
 
Nov 11 ACM CCS II

Questions & Reading

Attend the ACM CCS event. If you cannot attend, then you may read the papers from one track and write a summary. If you do attend, please take clear, careful notes for the tracks you attend. These notes will be your participation and weekly summary grades for this week.
 
Trust in Social Networks
Nov 16 Trustonomics

Questions to consider during Reading

How do you decide which merchants to trust? Do you purchase specialized goods? How do you book travel, for example?

Reading

Benjamin Edelman, Adverse Selection in Online 'Trust' Certifications, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/10.pdf
Alex Tsow, Camilo Viecco, and L. Jean Camp, Privacy-Aware Architecture for Sharing Web Histories, IBM Systems Journal, provided in class.

Nov 18 Privacy in Social Networks

Questions to consider during Reading

What is the value in social networks? What are the risks for users? What is the relationship between security and information sharing?

Reading

Joseph Bonneau, Soren Preibusch, The Privacy Jungle: On the Market for Data Protection in Social Networks, The Eighth Workshop on the Economics of Information Security (WEIS 2009), University College London, UK 24-25 June 2009
Alessandro Acquisti and Ralph Gross. "Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook" In Privacy Enhancing Technologies, LNCS 4258, pages 36-58. Springer Berlin / Heidelberg, 2006.
 
MedSec
Nov 23 Health Privacy - An Emerging Arena

Questions to consider during Reading

Reading

Ajit Appari, Denise Anthony, Eric Johnson, HIPAA Compliance: An Examination of Institutional and Market Forces, The Eighth Workshop on the Economics of Information Security (WEIS 2009), University College London, UK 24-25 June 2009
M. Eric Johnson, Data Hemorrhages in the Health-Care Sector, Financial Cryptography and Data Security '09, Barbados 23-26 February 2009. fc09.ifca.ai/papers/54_Data_Hemorrhages.pdf
L. Sweeney, Information Explosion. Confidentiality, Disclosure, and Data Access: Theory and Practical Applications for Statistical Agencies, L. Zayatz, P. Doyle, J. Theeuwes and J. Lane (eds), Urban Institute, Washington, DC, 2001 http://privacy.cs.cmu.edu/people/sweeney/explosion.html. Apparently this has been taken down because it is now published by Springer.
Happy Thanksgiving!

Happy Thanksgiving! Enjoy Celebrating the Second Surviving English Settlement in the Americas!
 
DRM
Nov 30 DRM

Questions to consider during Reading

What is the economic value of DRM in terms of social welfare, music consumption and pricing? How have we seen some of these predictions borne out?

Reading

Yooki Park and Suzanne Scotchmer, Digital Rights Management and the Pricing of Digital Products, Fourth Workshop on Economics of Security, available at socrates.berkeley.edu/~scotch/w11532.pdf

 
Dec 2 DRMonomics

Questions to consider during Reading

This paper combines multiple methods, using both a dynamic systems model and a regression to understand the use of illegal software. The following paper examines the opposite - why people would want to contribute to something they do not use. Implications discussed in class include the lack of patch support for machines with illegal copies of software and the relative security of open vs. closed source.

Reading

C. Osorio, "A contribution to the understanding of illegal copying of software: empirical and analytical evidence against conventional wisdom" http://opensource.mit.edu/papers/osorio.pdf
Lerner, Josh & Tirole, Jean, 2000-03, The Simple Economics of Open Source. http://opensource.mit.edu/papers/JoshLernerandJeanTriole-TheSimpleEconomicsofOpenSource.pdf
 
Wireless Privacy
Dec 7 Wireless Privacy

Questions to consider during Reading

Who are the stakeholders in the examination of wireless security in the first paper? How does the possibility of mid-stream injection attacks change the set of stakeholders?

Reading

Matthew Hottell and Drew Carter and Matthew Deniszczuk, "Predictors of Home-Based Wireless Security", Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/51.pdf
Steven Myers, Sid Stamm, Practice & Prevention of Home-Router Mid-Stream Injection Attacks, General Members Meeting & eCrime Researchers Summit, Atlanta 14-16 October 2008. See OnCourse.
 
Dec 9 Peer Evaluation 1

Questions to consider during Reading

How would you answer the five core questions of the class about this paper? How do topic, question, method and answer fit?

Reading

Each student or set of students will provide a draft paper 24 hours before course time to their peers.
 
Exam Sessions: Peer Evaluations and Presentations cont'd

Questions to consider during Reading

How would you answer the five core questions of the class about this paper? How do topic, question, method and answer fit?

Reading

Each student or set of students will provide a draft paper 24 hours before course time to their peers. Students will present their work, and attend as others present.