I525: Economics of Information Security

Readings and schedule for Economics of Information Security for Fall 2009.

Professor Jean Camp
Course Prospectus



Jan. 10 Introduction and Overview
In the initial class meeting we step through the syllabus. I answer any grading queries. I describe assignments, standards and options. For the first week you have two very light assignments: a quiz and your first essay. For the quiz, I ask that you write down what particularly interests you in the topic. Are you more interested in the methods or the findings? Is your heart in HCI, or are you the soul of business? What level of mathematical discussion is appropriate for the course? The lectures will be designed to serve the needs of the students, and based on your answers the syllabus may also change.

Questions to consider during Reading

What would be your ideal outcome for this course? What do you hope to learn? What topic is missing, is too lightly covered, or is too heavily considered in the following readings?

 
Privacy and Security in Policy
Jan. 12 Computer Security and Privacy in the American Policy Debate
For the first essay, I am asking you to think about security and privacy in the policy realm. The three readings below seem quite long if you print them. LOOK BEFORE YOU PRINT. However, they are double-spaced and the content is easy to read. Both the FTC and the NTIA are considering issues of consumer privacy. Answer any of the open questions posed in these documents in your essay. Please select no more than three of these questions.

Questions to consider during Reading

The questions for this week are the open questions posed in the NTIA and FTC documents themselves. Select no more than three to answer in your essay.

Reading

http://www.ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf The NTIA has issued a green paper (as distinguished from a white paper by its exploratory, as opposed to declarative, nature).
http://www.ntia.doc.gov/frnotices/2010/FR_IPTFPrivacy_RequestforComments_12162010.pdf This is the associated request for comments.
http://ftc.gov/os/2010/12/101201privacyreport.pdf The Federal Trade Commission is currently the body that regulates privacy, to the extent it is regulated, in the United States.
 
Introductory Examples
Jan. 19 Computer Security as Economics

Questions to consider during Reading

Notice that the answer to the question "Why is information security hard?" is not that the mathematics is sublime. Rather, the work on the fundamentals continues in a scientific (but unpredictable) manner, while adoption of basic solutions occurs in fits, in booms, or not at all.

Reading

Ross Anderson and Tyler Moore, "The Economics of Information Security", Science 314 (5799), pp. 610-613, 27 October 2006. http://www.cl.cam.ac.uk/~twm29/science-econ.pdf
R. Anderson, "Why Information Security is Hard: An Economic Perspective", ACSAC '01: Proceedings of the 17th Annual Computer Security Applications Conference, IEEE Computer Society, Washington, DC, 2001.
 
Jan. 24 Economics as Applied to Computer Security

Questions to consider during Reading


Security is not a single market. Consider three possible markets for security, and which of Varian's models holds in each. For example, in the internal market within a firm, what kind of model would be appropriate for patching individual machines?

Reading

Hal Varian, System Reliability and Free Riding, in N. Sadeh (ed.), Proceedings of ICEC 2003, pp. 355-366, ACM Press, New York, NY, 2003. people.ischool.berkeley.edu/~hal/Papers/2004/reliability
Rick Wash and Jeffrey K. MacKie-Mason, Incentive-Centered Design for Information Security, DIMACS Workshop on Information Security Economics, January 18-19, 2007, DIMACS Center, Rutgers, NJ. http://dimacs.rutgers.edu/Workshops/InformationSecurity/abstracts.html#wash
 
Jan. 26 Basic Observations in Economics of Security

Questions to consider during Reading


The reason that there is an economics of security is that there are violations of security driven by economics, e.g. crime. These papers address the economics of crime: the incentives and the nature of the proverbial beast. Are these numbers what you expect? Credit card number prices appear to be going down. Think about two opposite reasons why this might be the case.

Reading

Richard J. Sullivan, The Changing Nature of US Card Payment Fraud: Issues for Industry and Public Policy, The Ninth Workshop on the Economics of Information Security (WEIS 2010), Harvard University, 7-8 June 2010, http://weis2010.econinfosec.org/papers/panel/weis2010_sullivan.pdf
Mark MacCarthy, Information Security Policy in the U.S. Retail Payments Industry, The Ninth Workshop on the Economics of Information Security (WEIS 2010), Harvard University, 7-8 June 2010, http://weis2010.econinfosec.org/papers/panel/weis2010_maccarthy.pdf

 
Behavioral Economics
Jan. 31 Economic Behavior

Questions to consider during Reading

Why are we willing to take the risks that we take? What makes us unwilling to pay $1 for something one moment that will be worth ten times that in another? Is it true that he who hesitates is lost, or is it critical to look before one leaps? Humans are not rational when it comes to risk, whether economic or networked.

Reading

Zeckhauser, Richard, "Behavioral versus Rational Economics," in Rational Choice: The Contrast between Economics and Psychology, Robin M. Hogarth and Melvin W. Reder, eds., Chicago: University of Chicago Press, 1986, pp. 251-265
L Jean Camp, "Mental Models of Security", IEEE Technology & Society, Winter, 2007
 
Rational Economics
Feb. 2 Rational Economics Basics

Questions to consider during Reading

Here we examine the classic lemonade stand market, where the goods and the market are well understood by both buyer and seller. This lecture will include a basic introduction to marginal cost, marginal price, and competitive versus monopolistic markets.

Reading

First, additional notes will be provided in class.
Pratt and Zeckhauser, "Principals and Agents: An Overview", Chapter 1 in Principals and Agents, pp. 1-35.
Arrow, "The Economics of Agency", Chapter 2 in Principals and Agents, pp. 37-51.
 
Feb. 7 Rational Economics Applied to the Network

Questions to consider during Reading

What are transaction costs, production costs and network externalities? How do these influence investment in networked goods? Which categories of security products can be considered networked, and which can be considered stand-alone?

Reading

Nicholas Economides, "The Economics of Networks", International Journal of Industrial Organization, October 1996. http://www.stern.nyu.edu/networks/94-24.pdf
 
Feb. 9 Auction Design

Questions to consider during Reading

Would it be possible to design an auction as discussed in Ozment that is immune to the factors discussed in Klemperer? What perverse incentives might be created?

Reading

Klemperer, What Really Matters in Auction Design. ideas.repec.org/p/cpr/ceprdp/2581.html
Ozment, Bug Auctions: Vulnerability Markets Reconsidered. Available on OnCourse.

Preview of Economics of Privacy
Feb. 14 Price Discrimination

Questions to consider during Reading

Why is your privacy violated so consistently when you are online? Why does anyone care? What are the economic incentives for collecting private information?

Reading

Odlyzko, Privacy and Price Discrimination, Ch. 15, pp. 187-21. www.dtc.umn.edu/~odlyzko/doc/privacy.economics.pdf

Luc Wathieu and Allan Friedman, An Empirical Approach to Understanding Privacy Valuation, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online at http://infosecon.net/workshop/pdf/WathFried_WEIS05.pdf
 
Economics of Vulnerabilities
Feb. 16 Vulnerabilities and the Optimal Response

Questions to consider during Reading

Reading

Camp, L. Jean and Wolfram, Catherine D., Pricing Security: Vulnerabilities as Externalities. Economics of Information Security, Vol. 12, 2004. Available at SSRN: http://ssrn.com/abstract=894966
Rahul Telang and Sunil Wattal, "Impact of Software Vulnerability Announcements on the Market Value of Software Vendors: An Empirical Investigation", Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online at http://infosecon.net/workshop/pdf/telang_wattal.pdf

 
Feb. 21 Uncertainty and Sharing Vulnerability Information

Questions to consider during reading

Why do firms share information about their security state that could be embarrassing? There are obvious costs, but even when some firms lie, there are also obvious benefits. What dimensions of uncertainty exist in vulnerabilities? What strategies do different organizations, both software producers and consumers, apply to deal with these uncertainties?

Reading

D. Kahneman, P. Slovic and A. Tversky (eds.), Judgment Under Uncertainty: Heuristics and Biases, Cambridge University Press, 1982. (excerpt)
Esther Gal-Or and Anindya Ghose, The Economic Consequences of Sharing Security Information, Ch. 8, pp. 95-104.
 
Feb. 23 Conceptions of Vulnerabilities

Questions to consider during Reading

The creator of the vulnerability, the party who discovers it, the entity that creates the patch, the responsible computer owner who patches, and the rational computer owner who fails to patch are all economic agents. What are their incentives?

Reading

Jay Pil Choi, Chaim Fershtman and Neil Gandal, Network Security: Vulnerabilities and Disclosure Policy, WEIS 2007 - Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007. papers.ssrn.com/sol3/papers.cfm?abstract_id=1133779
Ashish Arora, Christopher M. Forman, Anand Nandkumar and Rahul Telang, Competitive and Strategic Effects in the Timing of Patch Release, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online at http://weis2006.econinfosec.org/docs/35.pdf
 
Feb. 28 Patch Release and Adoption

Questions to consider during Reading

Here we consider the incentives of the attackers as well as the parties listed previously. What are the incentives of attackers?

Reading

Huseyin Cavusoglu, Hasan Cavusoglu and Jun Zhang, Economics of Security Patch Management, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online at http://weis2006.econinfosec.org/docs/5.pdf

 
Mar. 2 As The Worm Turns

Questions to consider during Reading

Does publication of a patch prevent worms from spreading, or are there instead periodic waves? Given the readings below, what is the optimal patch notification policy?

Reading

Ashish Arora, "Honey Pots, Impact of Vulnerability Disclosure and Patch Availability", Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN. http://www.dtc.umn.edu/weis2004/telang.pdf
William A. Arbaugh, William L. Fithen and John McHugh, Windows of Vulnerability: A Case Study Analysis, IEEE Computer, Vol. 33, No. 12, 2000, pp. 52-59, IEEE Computer Society Press.
 
Economics of Privacy
Mar. 7 Pricing Personal Information

Questions to consider during Reading

How much would you pay to hide your lowest grade? How much would you accept to disclose it? Is deviance from the perceived norm a predictor of your privacy preference? Thinking of it in these terms likely yields two numbers that are close together, but that is not how mental accounting always works.

Reading

Jens Grossklags and Alessandro Acquisti, When 25 Cents is Too Much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information, WEIS 2007 - Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007.
Prelec and Loewenstein, "The Red and the Black: Mental Accounting of Savings and Debt", Marketing Science, Vol. 17, No. 1, 1998, pp. 4-28.
Bernardo A. Huberman, Eytan Adar and Leslie R. Fine, Valuating Privacy, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online at http://infosecon.net/workshop/pdf/7.pdf
 
Mar. 9 Privacy and Identity

Questions to consider during Reading

Should there be a special Clear line for travelers? Was the TSA correct in refusing to limit searches to those not in the Clear program?

Reading

Ramnath K. Chellappa and Shivendu Shivendu, Incentive Design for Free but No Free Disposal Services: The Case of Personalization under Privacy Concerns, WEIS 2007 - Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007. http://weis07.infosecon.net/papers/48.pdf
Tony Vila, Rachel Greenstadt and David Molnar, Why We Cannot Be Bothered to Read Privacy Policies, Ch. 11, pp. 143-154.
 
Mar 21 Privacy as a Luxury Good

Questions to consider during Reading

If privacy is a luxury good, what would that imply about the averaging of costs for price-discriminated goods? "I thought, too, of the admirable smoke and drink and the deep armchairs and the pleasant carpets: of the urbanity, the geniality, the dignity which are the offspring of luxury and privacy and space." Privacy as spatial, and as a luxury good, from October 1928: A Room of One's Own, by Virginia Woolf.

Reading

Hal Varian, Fredrik Wallenberg and Glenn Woroch, Who Signed Up for the Do-Not-Call List?, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online at http://www.dtc.umn.edu/weis2004/varian.pdf
Rainer Böhme and Sven Koble, On the Viability of Privacy-Enhancing Technologies in a Self-Regulated Business-to-Consumer Market: Will Privacy Remain a Luxury Good?, WEIS 2007 - Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007. http://weis07.infosecon.net/papers/30.pdf
 

 
Spam
Mar. 23 Spamalitics

Questions to consider during Reading

What is the true loss and cost of spam? Why have systemic responses to spam not been adopted?

Reading

Il-Horn Hann, Kai-Lung Hui, Yee-Lin Lai, S.Y.T. Lee and I.P.L. Png, Who Gets Spammed?, Communications of the ACM, Vol. 49, No. 10, October 2006, pp. 83-87. http://www.comp.nus.edu.sg/~ipng/research/spam_CACM.pdf
David S. Anderson, Chris Fleizach, Stefan Savage and Geoffrey M. Voelker, Spamscatter: Characterizing Internet Scam Hosting Infrastructure, USENIX Security Symposium, Boston, MA, 5-10 August 2007. http://www.cs.ucsd.edu/~savage/papers/UsenixSec07.pdf
 
Mar. 28 Spamonomics

Questions to consider during Reading

How much would spam have to cost to be unprofitable, and what assumptions about the infrastructure does each paper make? Do these assumptions correspond with the earlier readings?

Reading

Ben Laurie and Richard Clayton, Proof-of-Work Proves Not to Work, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online at http://www.dtc.umn.edu/weis2004/clayton.pdf
Debin Liu and L. Jean Camp, Proof of Work Can Work, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online at http://weis2006.econinfosec.org/docs/50.pdf
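To make the cost question concrete, here is an added example (written for this syllabus; it is not code from either paper above) of a hashcash-style proof-of-work stamp: the sender burns CPU time finding a nonce, the receiver verifies it in one hash. The stamp format, the reputation-to-difficulty mapping, and all the message volumes, hash rates and bot counts below are constructed assumptions used only to illustrate the argument, not figures from the readings.

```python
"""Hashcash-style proof-of-work for e-mail, with reputation-adjusted difficulty.

Added example for this syllabus entry; not code from Laurie/Clayton or Liu/Camp.
Assumptions (ours, not the papers'): a SHA-256 stamp of the form
  1:<bits>:<date>:<recipient>:<rand>:<counter>
and hypothetical cost figures in the __main__ block.
"""
import hashlib
import os


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint_stamp(recipient: str, bits: int, date: str = "110328") -> str:
    """Sender side: search counters until SHA-256(stamp) has >= bits leading zeros.
    Expected cost is 2**bits hash evaluations; there is no shortcut."""
    rand = os.urandom(8).hex()
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{recipient}:{rand}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, recipient: str, required_bits: int, seen: set) -> bool:
    """Receiver side: one hash plus a double-spend check.
    Rejects malformed stamps, stamps minted for someone else, stamps claiming
    less work than we require, stamps whose hash does not back the claim, and
    replays of a stamp already accepted (a stamp is single-use)."""
    parts = stamp.split(":")
    if len(parts) != 6 or parts[0] != "1":
        return False
    try:
        claimed = int(parts[1])
    except ValueError:
        return False
    if parts[3] != recipient or claimed < required_bits:
        return False
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < claimed:
        return False
    if stamp in seen:
        return False
    seen.add(stamp)
    return True


def expected_hashes(bits: int) -> int:
    """Expected number of hash evaluations to mint one stamp of this difficulty."""
    return 2 ** bits


def required_bits(reputation: float, max_bits: int = 20) -> int:
    """Hypothetical reputation-adjusted difficulty in the spirit of Liu & Camp:
    a fully trusted sender (1.0) does no work, an unknown sender (0.0) does max_bits."""
    reputation = min(1.0, max(0.0, reputation))
    return round(max_bits * (1.0 - reputation))


def work_seconds_per_day(messages_per_day: float, bits: int, hashes_per_second: float) -> float:
    """CPU-seconds per day a sender spends minting stamps for its own traffic."""
    return messages_per_day * expected_hashes(bits) / hashes_per_second


def spammer_can_afford(messages_per_day: float, bits: int, bots: int,
                       hashes_per_second: float) -> bool:
    """Laurie & Clayton's point in one line: does a botnet's stolen compute cover
    the stamps for a day's spam? (The spammer pays nothing for that compute.)"""
    needed = messages_per_day * expected_hashes(bits)
    capacity = bots * hashes_per_second * 86400
    return needed <= capacity


if __name__ == "__main__":
    # Constructed figures, chosen only to show the shape of the trade-off.
    legit_seconds = work_seconds_per_day(50, 20, 1e6)
    print(f"legitimate user, 50 msgs/day at 20 bits: {legit_seconds:.1f} CPU-s/day")
    print("spammer, 1e8 msgs/day, 10,000 bots:",
          spammer_can_afford(1e8, 20, 10_000, 1e6))
    print("same spammer, 100 bots:", spammer_can_afford(1e8, 20, 100, 1e6))
    print("bits for trusted / unknown sender:", required_bits(1.0), required_bits(0.0))
```

The asymmetry the first paper exploits is visible in the last three lines: the difficulty that costs a legitimate user about a minute a day is absorbed by a modest botnet, and raising it until the botnet cannot keep up would make mail unusable on the slowest legitimate machines. The `required_bits` mapping is one way to express the second paper's response, charging unknown senders full work while known-good senders pay little or none; what "reputation" should be, and how it resists manipulation, is the open question for discussion.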
 
Trust in Social Networks
Mar. 30 Trustonomics

Questions to consider during Reading

How do you decide which merchants to trust? Do you purchase specialized goods? How do you book travel, for example?

Reading

Benjamin Edelman, Adverse Selection in Online 'Trust' Certifications, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online at http://weis2006.econinfosec.org/docs/10.pdf
Alex Tsow, Camilo Viecco and L. Jean Camp, Privacy-Aware Architecture for Sharing Web Histories, IBM Systems Journal. Provided in class.

Apr. 4 Privacy in Social Networks

Questions to consider during Reading

What is the value in social networks? What are the risks for users? What is the relationship between security and information sharing?

Reading

Joseph Bonneau and Sören Preibusch, The Privacy Jungle: On the Market for Data Protection in Social Networks, The Eighth Workshop on the Economics of Information Security (WEIS 2009), University College London, UK, 24-25 June 2009.
Alessandro Acquisti and Ralph Gross, "Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook", in Privacy Enhancing Technologies, LNCS 4258, pp. 36-58, Springer, Berlin/Heidelberg, 2006.
 
MedSec
Apr. 6 Health Privacy - An Emerging Arena

Questions to consider during Reading

Reading

Ajit Appari, Denise Anthony and M. Eric Johnson, HIPAA Compliance: An Examination of Institutional and Market Forces, The Eighth Workshop on the Economics of Information Security (WEIS 2009), University College London, UK, 24-25 June 2009.
M. Eric Johnson, Data Hemorrhages in the Health-Care Sector, Financial Cryptography and Data Security '09, Barbados, 23-26 February 2009. fc09.ifca.ai/papers/54_Data_Hemorrhages.pdf
L. Sweeney, Information Explosion, in Confidentiality, Disclosure, and Data Access: Theory and Practical Applications for Statistical Agencies, L. Zayatz, P. Doyle, J. Theeuwes and J. Lane (eds.), Urban Institute, Washington, DC, 2001. http://privacy.cs.cmu.edu/people/sweeney/explosion.html. This appears to have been taken down because the chapter is now published by Springer.

 
DRM
Apr. 11 DRM

Questions to consider during Reading

What is the economic value of DRM in terms of social welfare, music consumption and pricing? How have we seen some of these predictions borne out?

Reading

Yooki Park and Suzanne Scotchmer, Digital Rights Management and the Pricing of Digital Products, Fourth Workshop on the Economics of Information Security, available at socrates.berkeley.edu/~scotch/w11532.pdf
Michael Smith and Rahul Telang, Competing with Free: The Impact of Movie Broadcasts on DVD Sales and Internet Piracy.

 
Apr. 13 DRMonomics

Questions to consider during Reading

The first paper combines multiple methods, using both a dynamic systems model and a regression to understand the use of illegal copies of software. The second paper examines the opposite: why people would want to contribute to something they do not use. Implications discussed in class include the lack of patch support for machines running illegal copies of software and the relative security of open vs. closed source.

Reading

C. Osorio, "A Contribution to the Understanding of Illegal Copying of Software: Empirical and Analytical Evidence Against Conventional Wisdom". http://opensource.mit.edu/papers/osorio.pdf
Josh Lerner and Jean Tirole, The Simple Economics of Open Source, 2000. http://opensource.mit.edu/papers/JoshLernerandJeanTriole-TheSimpleEconomicsofOpenSource.pdf
 
Wireless Privacy
Apr. 18 Wireless Privacy

Questions to consider during Reading

Who are the stakeholders in the first paper's examination of home wireless security? How does the possibility of mid-stream injection attacks, as described in the second paper, change the set of stakeholders?

Reading

Matthew Hottell, Drew Carter and Matthew Deniszczuk, "Predictors of Home-Based Wireless Security", Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online at http://weis2006.econinfosec.org/docs/51.pdf
Steven Myers and Sid Stamm, Practice & Prevention of Home-Router Mid-Stream Injection Attacks, APWG General Members Meeting & eCrime Researchers Summit, Atlanta, 14-16 October 2008. See OnCourse.
 

 
Transparency & Disclosure
Apr. 20 Disclosure

Questions to consider during Reading

The argument against privacy is that disclosure is a lightweight, effective market mechanism. Is this consistent with the arguments for or against mandatory disclosure?

Reading

D. Mulligan, Information Disclosure as a Light-Weight Regulatory Mechanism, presentation at the DIMACS Workshop on Information Security Economics, Rutgers University, 2007. http://dimacs.rutgers.edu/Workshops/InformationSecurity/slides/mulligan.ppt
Paul G. Mahoney, Mandatory Disclosure as a Solution to Agency Problems, 62 U. Chi. L. Rev. 1047 (1995), available online at heinonline.org
 
Apr. 25 Identity and Disclosure

Questions to consider during Reading

The more general cases above become more specific here. Do your arguments for or against privacy and event disclosure still hold? Is the spyware study's result what you would predict based on your previous argument? Why or why not?

Reading

Sasha Romanosky, Richard Sharp and Alessandro Acquisti, Data Breaches and Identity Theft: When is Mandatory Disclosure Optimal?, The Ninth Workshop on the Economics of Information Security (WEIS 2010), Harvard University, 7-8 June 2010. http://weis2010.econinfosec.org/papers/session1/weis2010_romanosky.pdf
N. Good, R. Dhamija, J. Grossklags, D. Thaw, S. Aronowitz, D. Mulligan and J. Konstan, Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware, Symposium on Usable Privacy and Security (SOUPS), Carnegie Mellon University. http://www.truststc.org/pubs/63.html
 
Apr. 27 Crime and Punishment: Know Your ISP?

Questions to consider during Reading

How would you know whether your ISP protects you or detects bot behavior? Is there any source of information? Could disclosure help? Do the arguments about vulnerabilities and data breaches map to this domain? Why or why not?

Reading

Michel van Eeten, Johannes M. Bauer, Hadi Asghari, Shirin Tabatabaie and Dave Rand, The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data, The Ninth Workshop on the Economics of Information Security (WEIS 2010), Harvard University, 7-8 June 2010. http://weis2010.econinfosec.org/papers/session4/weis2010_vaneeten.pdf

 
Peer Evaluations and Presentations, Mandatory

Questions to consider during Reading

How would you answer the five core questions of the class about the paper being presented? How do its topic, question, method and answer fit together?

Reading

Each student or team of students will provide a draft paper to their peers before the last class period. Students will present their work, and attend as others present.