I330: Legal and Organizational Security Informatics
Readings and schedule for Organizational Informatics for Spring 2006.
11:15 - 12:05 pm Monday and Wednesday in OP 107
Professor Jean Camp
The Course in a Nutshell
January 9
Introduction and course overview
Today we handle who, when, and why. We will introduce ourselves. I will
define course policies. I will provide information about the project,
about grade distribution, etc.
This course is about ICTs, organizations, and the role of security in organizations. The course has three primary elements.
First, the readings and lectures, where the minimum critical topics
for literacy in organizations and information security are introduced. The readings
and lectures will focus primarily on theory, particularly looking at
organizations through the lens of economics.
Second, the discussion section. There will be some readings
for the discussion section, primarily those that apply to the
practical training part of the course.
Third, the three examinations in the course. The first is on
organizational theory. The second is on the economics of information. The
third is on the organizational and economic aspects of security in
organizations. There is no comprehensive final.
Introduction to Organizations
An organization can be considered a
single entity, a collection of competing subsets, a group of
self-optimizing individuals, a machine following a process, or a
cultural entity. In the first section of this course we will examine
each of those models.
For three of the models the reading will be Essence of Decision.
This book is about the interaction of nation states rather than the
interactions of businesses. However, in terms of the descriptions of
three of these models there is no other reading that is short but
informative. There are more tedious readings, and readings made terse
by assumptions of the education of the reader. Therefore, the classic
by Allison will be used to discuss the issues. I will provide a very
short introduction to rational choices, and then examine the limits of
rationality. We return to the limits of rationality topic in Economics
and Uncertainty.
What are Organizations
Jan 11: Org Theory.
Organizational Models?
Questions to consider during reading
What are organizations: individual rational actors, collections of groups or
stakeholders, or groups of political individuals with their own
visions and power struggles? Shafritz offers a larger view. What is an
organization? To what organizations do you belong? If you were to
design a web site for two organizations to which you belong, what
would be public, and what private? How much would identity management
matter at a fraternity web site versus a departmental one? How would
privacy concerns differ?
Readings
Classics of Organization Theory, (6th Edition) by Jay M. Shafritz, Steven Ott, and Yong
Suk Jang; pp 1- 26.
The Science of the Artificial, (3rd Edition) by Simon, pp. 25-50.
Jan 16: Org Theory.
Rev. Dr. Martin Luther King Jr. Day
Until 1964, single rational organizations seeking employees listed jobs in four
categories: white man wanted, black man wanted, white woman wanted and
black woman wanted. Listing by race was prohibited by the 1964 Civil
Rights Act. By 1971, listing jobs by gender was judged to be
prohibited as well. Here is one
job listing and another. Notice in the first that typing was a female
task, and notice that Bell was hiring women as Telephone
Operators. The operation of switches became technical
and then
male. Similarly, until compilers (invented by Grace Murray Hopper)
vastly simplified the process of implementing programs, programming
was overwhelmingly a female occupation.
Jan. 18: Org Theory.
Organizations as Single Rational Beings or
Compilations of Competing Stakeholders
Questions to consider during reading
There are three models of
organizations: individual rational actors, collections of groups or
stakeholders, and groups of political individuals with their own
visions and power struggles.
Readings
Allison, Essence of Decision, The Rational Actor, pp. 13-26.
Allison, Essence of Decision, Model II: Organizational Behavior, pp. 143-160.
Jan 23: Org Theory.
Organizations as Cultures or Organizations as Machines
Questions to consider during reading
Americans spend most of
their waking hours at work. Workplaces are not neutral or free from
emotion. Workplaces have their own cultures, some of which are
successfully cultivated by management.
Readings
Van Maanen, J. (1991) The Smile Factory: Work at Disneyland. In Frost, P.J., L.E. Moore, M.R.
Louis, C.C. Lundberg and J. Martin (eds.): Reframing Organizational
Culture.
R. Hirschman, Exit, Voice, and Loyalty. Chapters 1, 2, 3, and 8 (pp. 1-20, 21-29, 30-43, 106-119).
Morgan, Gareth (1997) Ch. 6: Organizations as Machines,
in Images of Organization. London: Sage.
Jan. 25: Org Theory.
Organizational Impact
Questions to consider during reading
Why is IT important in an organization? Are ICTs inherently valuable?
If not, how do ICTs demonstrate their value? Unlike classic
organization theory classes, this one examines organizations and their
interaction with ICTs. Does IT matter, or is it all a matter of lobbying
and leadership?
Reading
Carr, Nicholas G., IT Doesn't Matter, Harvard Business Review, May 2003.
Deborah Spar, Ruling the Waves, pp. 1-22, pp. 124-289.
Applying Organizational Theory
Jan. 30: Case Studies
A Case Study of Business,
Government and Technology: DNS
Questions to consider during reading
What is the profit in the selling of domain names? What is the cost?
Were the concerns of these authors valid? Which ones have come to
pass, and which ones have not?
Reading:
Fool Me Once, Shame on You: A Critical Look at the Privatization of ICANN.
Michael Froomkin's discussion of power concentration, The
Empire Strikes Back, and in particular how ICANN is a part of
this trend, in
Of Governance and Governments.
Feb. 1: Case Studies
Naming, Risk and Culture
Questions to consider during reading
Naming and trust are traditionally bound online in a manner that makes
sense offline. If I know you by name offline I am likely to have a
context, e.g. a social organization, neighborhood, or religious
community. However, a name online does not provide the same level of
certainty. What is in a name? A rose by any other name, in theory, would
smell as sweet. However, hazelnuts are considered somewhat gourmet
while filberts were strictly for the common palate. While dried plums
could be desirable, prunes have no such connotation.
Readings
Ross Anderson, Security Engineering, Naming, pp. 124-133; PKI, pp. 401-403.
Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de
Weger, Creating a Rogue CA.
http://www.win.tue.nl/hashclash/rogue-ca/
Topical Interest
DigiNotar forced into bankruptcy
But many more have been hacked and gone unreported, according to the EFF.
Feb. 6: Exam One
Test
Feb 8: Case Studies
Deletion
Questions to consider during reading
Deletion in an organization must recall famous deletions of times
past. We will read about four cases of the choice to delete or
not. Should an organization delete, and when is it legal to do so?
Reading:
retention at work
Trustworthy vacuuming and litigation holds in long-term high-integrity records retention. In Proceedings of the 13th International Conference on Extending Database Technology (EDBT '10), Ioana Manolescu, Stefano Spaccapietra, Jens Teubner, Masaru Kitsuregawa, Alain Leger, Felix Naumann, Anastasia Ailamaki, and Fatma Ozcan (Eds.).
Topical Interest
Romney deletes emails: how common is this? Does it matter?
Deletion at Google
Feb 13: Case Studies
ACL
Questions to consider during reading
It is not organizational charts but access control that defines roles and relationships. These two readings address two questions. First, what is access control? Second, is there any chance it is being used correctly?
Reading:
Security textbook to be determined based on course experience
Maxion & Reeder, Improving user-interface dependability through mitigation of human error, International Journal of Human-Computer Studies, Volume 63, Issues 1-2, July 2005, Pages 25-50.
Feb 15: Case Studies
Great Failures in ACL
Questions to consider during reading
Why has the insider threat proven such a difficult problem, given the
capacity for auditing and access control? Why were these insiders able to take such great risks?
Reading:
Bellovin, The Insider Attack Problem: Nature and Scope, Advances in Information Security, 2008, Volume 39, 1-4.
T. Wilson, Insider may have breached more than 10,000 patient records at Johns Hopkins, May 2009.
The biggest rogue traders in history, in 2011.
Topical Interest
Police Charge UBS Trader With Fraud
ACL Lab
Feb 20: Case Studies
Identity
Questions to consider during reading
What is identity? How does identity interact with authentication?
Reading:
the so-called Laws of Identity
Report of the Identity Workshop
Topical Interest
Can a company own an employee's LinkedIn account?
Feb 22: Case Studies
Single Sign-on & Federated Identity
Questions to consider during reading
Why did Microsoft Passport fail while Google and Facebook appear to be succeeding? Do you agree with this assertion in the reading: "having a single sign-on mechanism is not much different from using the same username and password on every Web site"?
Reading:
Passport morphed into the Identity Metasystem, which has now evolved into the .NET framework.
Single sign-on: Facebook v Google
David Recordon and Drummond Reed. 2006. OpenID 2.0: a platform for user-centric identity management. In Proceedings of the second ACM workshop on Digital identity management (DIM '06). ACM, New York, NY.
Topical Interest
Single Sign-on with Facebook, LinkedIn and GMail: a short overview.
Open ID Lab
Feb 27: Info Econ.
Digital is Different
Questions to consider during reading
Fundamental assumptions underlie market economics. How does digital challenge those assumptions?
Readings
Delong and Froomkin (1997) The Next Economy? In Internet Publishing
and Beyond: The Economics of Digital Information and Intellectual
Property. Edited by B. Kahin and H. Varian. Cambridge, MA: MIT Press.
http://www.law.miami.edu/~froomkin/articles/newecon.htm
Feb 29: The (Ir)rational Market
Games Companies Play
Questions to consider during reading
Another fundamental assumption about markets is that they are
rational. This is clearly not the case.
Readings
Tversky and Kahneman, Rational Choice and the Framing of Decisions,
in Rational Choice, Hogarth and Reder, eds., pp. 67-94.
Icek Ajzen, Attitudes, Traits, and Actions, in Advances in Experimental Social Psychology, Volume 20,
edited by Leonard Berkowitz.
Mar 5: Info Econ & Orgs
Social Security
Questions to consider during reading
Social networking brings security as well as privacy risk. Have you
ever refused a friend on Facebook?
Readings
A. Acquisti and R. Gross. Imagined communities: Awareness, information sharing, and privacy on the
Facebook. In Privacy Enhancing Technologies, pages 36-58. Springer, 2006.
H. Jones and J. Soltren. Facebook: Threats to privacy. Project MAC: MIT Project on Mathematics and
Computing.
FTC decision and customer pushback
Mar 7: Info Econ & Orgs.
Who Needs Anonymity?
Questions to consider during reading
Under what conditions are you anonymous?
Readings
Tor: The Second-Generation Onion Router, Roger Dingledine, Nick Mathewson,
and Paul Syverson, 13th USENIX Security Symposium, August 2004.
Blackhat on Tor
Mar 16 - 18
Spring Break
Economics of Information
Mar 19: Info Econ.
Interconnection and Network Effects
Questions to consider during reading
Feedback is a critical concept in the economics of networks and in network-based competition.
Reading
Noam, Interconnecting the Network of Networks, MIT Press, 2001, pp. 1-25, 54-68.
Optional Reading
The Economics of Networks, by Nicholas Economides, International Journal of Industrial Organization, Vol. 16,
no. 4, pp. 673-699 (October 1996). Available on-line.
Tor Lab
Mar 21: Info Econ.
Lock-in and feedback
Questions to consider during reading
Network economics implies feedback. Feedback can cause lock-in. How easy will it be for you to get a new email address? A new phone?
Readings
W. B. Arthur, "Competing Technologies, Increasing Returns and Lock-in by Historical Events", The
Economic Journal, Vol. 99, Issue 394, pp. 116-131.
P. A. David, "Clio and the Economics of QWERTY", The American
Economic Review, Vol. 75, Issue 2, Papers and Proceedings of the 97th
Annual Meeting of the American Economic Association, May 1985, pp.
332-337.
Mar 26: Info Econ.
Versioning
Questions to consider during reading
What is versioning? How does digital change versioning?
MLS listings on-line http://www.realtor.com and http://www.targetmls.com/
Amazon.com and www.barnes and noble.com and www.reiters.com
Readings
Information Rules, Shapiro, Carl & Varian, Hal, Harvard Business School Press
(Boston, MA), c1999, pages 53-81.
Mar 28: Info Econ.
Intermediation & Disintermediation
Questions to consider during reading
What is disintermediation?
Re-intermediation? How does a bookstore inherently bring together
certain business lines by virtue of physical location? Think about your
favorite sites or consider these sites:
The Hunger Site -- http://www.thehungersite.com -- could this work off line?
Readings
Laudon & Traver, "E-commerce", second edition, pp. 136-162, pages 28-33.
Whinston & Kalakota, "Electronic Commerce", pp. 21-23.
Apr. 2: Info Econ.
NPV and Options
Questions to consider during reading
Net present value and options theory are different ways of looking at
the same situation. When is one preferable? In class we will discuss
how security can be an investment, with NPV, or an option.
Readings
Luehrman, What's It Worth?: A General Manager's Guide to Valuation,
HBR, May-June, pp. 133-141.
Apr. 4: Info Econ.
Second Test
Apr 9: Info Econ & Orgs.
Code and Control
Questions to consider during reading
The organization is the environment and, according to an early reading, the environment determines design. What kinds of controls are to be expected in different domains? In this course we will look at the requirements for three different domains: breath analyzers for DUI; casinos; and voting machines. Which do you expect to be most secure? What are the risks of failures for each?
Readings
I hope that these serve as interesting placeholders. I need to locate the Nevada controls on casinos, the latest rules on voting machines in Indiana, and the Ohio court case on drunk driving and breath analyzers.
Casinos
Voting
Drunk Driving, and on the software used by manufacturers (for example, all interrupts are ignored)
Apr. 11: Info Econ & Orgs.
Free Software as Strategy
Questions to consider during reading
Open code, free software and open source are categories of a radical
new way (or the old tried and true way) of organizing a market. What
are the different ways of organizing a software or information
market?
Readings
Lerner, Josh & Tirole, Jean (2000-03) The Simple Economics of Open Source.
http://opensource.mit.edu/papers/JoshLernerandJeanTriole-TheSimpleEconomicsofOpenSource.pdf
Tuomi, I. (2001). Internet, innovation, and open source: Actors in the network.
First Monday, 6(1). Retrieved October 6, 2001, from http://firstmonday.org/issues/issue6_1/tuomi/index.html
Apr. 16: Info Econ & Orgs.
Trusting TRUSTe
Questions to consider during reading
Organizational rather than technical considerations appear to be at
the heart of the decisions by TRUSTe to offer certification to online organizations.
Readings
Benjamin Edelman, Adverse Selection in Online 'Trust'
Certifications, Fifth Workshop on the Economics of Information Security,
2006, Cambridge, UK, available online at http://weis2006.econinfosec.org/docs/10.pdf
Nevena Vratonjic and Julien Freudiger, "The Inconvenient Truth about Web Certificates", http://weis2011.econinfosec.org/papers/The%20Inconvenient%20Truth%20about%20Web%20Certificates.pdf
Reinforcing bad behavior
Apr. 18: Info Econ & Orgs.
Privacy and Price Discrimination
Questions to consider during reading
Have you experienced price discrimination? How would you know?
Readings
Odlyzko, Privacy and Price Discrimination, Ch. 15, pp 187-21, www.dtc.umn.edu/~odlyzko/doc/privacy.economics.pdf
Apr. 23: Info Econ & Orgs.
EULA
Questions to consider during reading
How are markets organized?
What were the inherent assumptions about markets in the readings from
last week? Where do markets come from? Who participates in defining the
rules of a market? What are EULA and UCITA?
Readings
The Uniform Computer Information Transactions Act: A Well Built Fence or Barbed Wire Around the Intellectual Commons?
uts.cc.utexas.edu/~lbjjpa/2001/bowman.pdf
Information Rules, Shapiro, Carl & Varian, Hal, Harvard
Business School Press (Boston, MA), c1999, also available as an
e-book, pp. 1-50.
Optional Readings
National Academy of Science, The Digital
Dilemma: Intellectual Property in the Information Age. National Academy
Press, Washington, DC (2000); (contents completely available on-line)
pp. 1-75
Apr. 25: Info Econ & Orgs.
Security and Competition
Questions to consider during reading
What are the goals of security in theory? How does this differ from how
it is used in practice? Would the security strategies discussed in
Anderson work with open code?
Readings
Ross Anderson, Cryptography and Competition Policy: Issues with Trusted
Computing, http://www.cl.cam.ac.uk/ftp/users/rja14/tcpa.pdf
Schneier, 2002, Computer Security: It's the Economics, Stupid. Economics and Information Security Workshop, Berkeley, CA.
http://www.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/18.doc
Exam Period: Info Econ & Orgs
Test