Readings
Back to prospectus, at
http://www.ljean.com/classes/13_14/525_Prospectus_13.html
Introductory Examples
The first two weeks of the class will cover some fundamental examples, very early works in economics of security. These are chosen to bring the topics of both computer security and economics together for students who lack familiarity in either.
In the initial class meeting we step through the syllabus. I answer any grading queries. I describe assignments, standards and options. For the first week you have two very light assignments: a quiz and your first essay. For the quiz, I ask that you write down what particularly interest you in the topic. Are you more interested in the methods or the findings? Is your heart in HCI or are you the soul of business? What level of mathematical discussion is appropriate for the course? The lectures will be designed to serve the needs of the students, and based on your answers the syllabus may also change. More about crime? Voting?
Jan. 13 Introduction and Overview
What would be your ideal outcome for this course? What do you hope to learn? What topic is missing, is too lightly covered, or is too heavily considered in the following readings?
How does the value of email change your perspective on pricing security?
Syllabus provided in class.
A short article on monetization of email for discussion is here:
http://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
Jan. 15 An Overview of Economic Thought
ÊSecurity is not a single market. Please consider three possible examples where Varian's model holds in each. For example, in the internal market within a firm, what kind of model would be appropriate for patching individual machines?
Hal Varian, System Reliability and Free Riding, eds. N. Sadeh, Proceedings of the ICEC 2003, 2003, 355-366, ACM Press, New York, NY, http://people.ischool.berkeley.edu/~hal/Papers/2004/reliability
Rick Wash and Jeff Mackie-Mason Incentive-Centered Design for Information Security, DIMACS Workshop on Information Security Economics January 18 - 19, 2007 DIMACS Center, Rutgers, NJ. http://dimacs.rutgers.edu/Workshops/InformationSecurity/abstracts.html#wash"
Ê
Jan. 20 Rev. Dr. Martin Luther King Jr Day
Jan. 22 Security As Economics
These papers will introduce the basic idea of security as a good. One argues that security is a public good, the other that insecurity has externalities. Most of the vocabulary will be defined in this session.
Anderson, Ross. Why information security is hard-an economic perspective. Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual. IEEE, 2001.
www.acsac.org/2001/papers/110.pdf
Vaibhav Garg, Sameer Patil , Apu Kapadia, and L Jean Camp, Peer-produced Privacy Protection: A Common-pool Approach, The IEEE International Symposium on Technology and Society (ISTAS) (Toronto, ON) 27-29 July 2013.
http://www.ljean.com/files/CommonPools.pdf
Jan. 27 Cost of Insecurity
Ross Anderson, Chris Barton, Rainer Boehme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, Stefan Savage, Measuring the Cost of Cybercrime
weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf
Chris Hall(Highwayman Associates), Ross Anderson(University of Cambridge), Richard Clayton(University of Cambridge), Evangelos Ouzounis(European Network and Information Security Agency), and Panagiotis
Trimintzios (European Network and Information Security Agency): Resilience of the Internet Interconnection Ecosystem, The Tenth Workshop on the Economics of Information Security (WEIS 2011), George Mason University, USA 14-15 June 2011
http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/inter-x/interx/report
Rational Microeconomics
The vocabulary and mental model of rational economics. Why should items be sold at marginal cost? When there are two lemonade stands on the beach, why are they right next to each other? Basic economic concepts are introduced. Examples of rational economic models are applied to vulnerability disclosure.
Jan. 29 Rational Economics
Pratt and Zeckhauser, Principals and Agents: An Overview, Chapter 1, in Principals and Agents, pp. 1-35. OnCourse in Resources.
Arrow, The Economics of Agency, Chapter 2, in Principals and Agents, pp. 37-51.
http://classwebs.spea.indiana.edu/kenricha/Oxford/Archives/Courses%202010/Governance%202010/Articles/Arrow.pdf
Feb. 3 Vulnerabilities I
For the papers on vulnerabilities consider the chracteristics of the systems and cost/benefit payoff. How can these be compared with home electronics? Routers? Cars? Medical devices?
Rahul Telang, and Sunil Wattal, Impact of Software Vulnerability Announcements on the Market Value of Software Vendors -- an Empirical Investigation, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at
http://infosecon.net/workshop/pdf/telang_wattal.pdf
Sam Ransbotham, Sabyasachi Mitra, The Impact of Immediate Disclosure on Attack Diffusion and Volume, WEIS 2011,
http://weis2011.econinfosec.org/papers/TheImpactofImmediateDisclosureonAttackDiffusionand.pdf
Feb. 5 Vulnerabilities II
Jay Pil Choi, Chaim Fershtman, Neil Gandal Network Security: Vulnerabilities and Disclosure Policy, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
papers.ssrn.com/sol3/papers.cfm?abstract_id=1133779
Ashish Arora and Christopher M. Forman and Anand Nandkumar and Rahul Telang, Competitive and Strategic Effects in the Timing of Patch Release, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at
http://weis2006.econinfosec.org/docs/35.pdf
Economics of Privacy
Privacy, identity and security are all tightly intertwined. Privacy, like security, is the control of information. Identification for security purposes often requires decreases in privacy. This section considers privacy in its own right, as well as interactions with identification.
Feb. 10 Privacy as Rational, Luxury Good
Odlyzko, Privacy and Price Discrimination CH 15, pp 187-21 www.dtc.umn.edu/~odlyzko/doc/privacy.economics.pdf
Hal Varian and Fredrik Wallenberg and Glenn Woroch, Who Signed Up for the Do-Not-Call List?, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at
http://www.dtc.umn.edu/weis2004/varian.pdf
Feb. 12 Privacy I
Ramnath K. Chellappa, Shivendu Shivendu, Incentive Design for Free but No Free Disposal Services: The Case of Personalization under Privacy Concerns, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007
http://weis07.infosecon.net/papers/48.pdf
Feb. 17 Privacy as Rational, Luxury Good II
Rainer Bohme and Sven Koble, On the Viability of Privacy-Enhancing Technologies in a Self-Regulated Business-to-Consumer Market: Will Privacy Remain a Luxury Good?, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007.
http://weis07.infosecon.net/papers/30.pdf
Behavioral Economics
Economics in computer security focuses to no small degree on behavior. Individuals do not act as self-optimizing rational beings. The limits of the applicability of the model of homo economicus will be used to discuss both decision-making by firms in network security and individuals with respect to privacy. Concepts of risk aversion and risk perception will be introduced. By beginning with the framework of behavioral economics, it may be easier to understand the framework that underlies rational economics. Behavioral economics is then applied to privacy.
Feb. 19 Economic Behavior
West, Ryan. "The psychology of security." Communications of the ACM 51.4 (2008): 34-40.
http://delta.cs.cinvestav.mx/~francisco/ssi/p34-west.pdf
V. Garg, and L. Jean Camp, Heuristics and Biases: Implications for Security Design, IEEE Technology & Society,
Mar. 2013.
http://www.ljean.com/files/Biases.pdf
Feb. 24 Human Behavior and Security
Zeckhauser, Richard, "Behavioral versus Rational Economics," in Rational Choice: The Contrast between Economics and Psychology, Robin M. Hogarth and Melvin W. Reder, eds., Chicago: University of Chicago Press, 1986, pp. 251-265
D. Kahneman, Paul Slovic & Amos Tversky (1982) Judgment Under Uncertainty: Heuristics and Biases (Cambridge University Press). (excerpt)
Feb. 26 Behavior & Privacy I
Good, N., Dhamija, R., Grossklags, J., Thaw, D., Aronowitz, S., Mulligan, D., and Konstan., J. Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware Symposium on Usable Privacy and Security (SOUPS), Carnegie Mellon University.
http://www.truststc.org/pubs/63.html
Bernhard Debatin, Jennette P. Lovejoy, Ann-Kathrin Horn, Brittany N. Hughes, Facebook and Online Privacy: Attitudes, Behaviors, and Unintended Consequences
Journal of Computer-Mediated Communication 15 (2009) 83Ð108 © 2009 International Communication Association
http://onlinelibrary.wiley.com/doi/10.1111/j.1083-6101.2009.01494.x/full
Mar. 3 Behavior & Privacy II
Prelec and Loewenstein, "The Red and the Black: Mental Accounting of Savings and Debt," Marketing Science, vol. 17, no. 1, pp. 4-28.
Bernardo A. Huberman and Eytan Adar and Leslie R. Fine, Valuating Privacy, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at
http://infosecon.net/workshop/pdf/7.pdf.
Mar. 5 Behavior & Privacy III
Luc Wathieu and Allan Friedman, An empirical approach to the valuing privacy valuation, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at
http://infosecon.net/workshop/pdf/WathFried_WEIS05.pdf
Jens Grossklags, Alessandro Acquisti, When 25 Cents is too much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
weis2007.econinfosec.org/papers/66.pdf
Crime
Why are Nigeria email scams Nigerian? How does ecrime vary across crime types? How is the industry organized? How are people targeted?
Mar. 10 Crime I
Cormac Herley, Why do Nigerian Scammers Say They are from Nigeria?Ó,
http://research.microsoft.com/pubs/167719/whyfromnigeria.pdf
L Jean Camp, Reliable, Usable Signaling to Defeat Masquerade Attacks, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK
http://weis2006.econinfosec.org/docs/48.pdf
Mar. 12 Crime II
Damon McCoy, Andreas Pitsillidis, Grant Jordan, Nicholas Weaver, Christian Kreibich, Brian Krebs, Geoffrey M. Voelker, Stefan Savage, and Kirill Levchenko, PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs, Proceedings of the USENIX Security Symposium, Bellevue, WA, August 2012.
http://cseweb.ucsd.edu/~savage/papers/UsenixSec12.pdf
Mar. 17, 19 Spring Break
Mar. 24 Crime III
Vaibhav Garg, Nathaniel Husted, & L. Jean Camp. Organized Digital Crime: Smuggling Theory Approach. E-Crime ResearcherÕs Summit, San Diego, CA, November 8-9, 2011.Ê
Michel van Eeten, Johannes M. Bauer, Hadi Asghari, Shirin Tabatabaie and Dave Rand, The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data The Ninth Workshop on the Economics of Information Security (WEIS 2010), Harvard University, 7-8 June 2010,
http://weis2010.econinfosec.org/papers/session4/weis2010_vaneeten.pdf
Spam
Spam is an economic problem with technical symptoms. How is charging for spam possible in the technical sense? Why might it work in the real world?
Mar. 26 Spam I
Il-Horn Hann, Kai-Lung Hui, Yee-Lin Lai, and S.Y.T. Lee and I.P.L. Png Who Gets Spammed?, Communications of the ACM, Vol. 49, No. 10, October 2006, 83-87,
http://www.comp.nus.edu.sg/~ipng/research/spam_CACM.pdf
Zhenhai Duan , Kartik Gopalan, Xin Yuan An empirical study of behavioral characteristics of spammers: Findings and implications Computer Communications Vol. 34, Iss. 14, September 1 2011, 1764-1776,
http://www.cs.fsu.edu/~duan/publications/icc2007.pdf
Mar. 31 Spam II
David S. Anderson, Chris Fleizach, Stefan Savage and Geoffrey M. Voelker, Spamalytics: An Empirical Analysis of Spam Marketing Conversion, Communications of the ACM, Vol. 52 No. 9, Pages 99-107
http://cacm.acm.org/magazines/2009/9/38908-spamalytics-an-empirical-analysis-of-spam-marketing-conversion/abstract
Christian Kreibich, Chris Kanich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, and Stefan Savage, Spamcraft: An Inside Look at Spam Campaign Orchestration. Proceedings of the USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET), Boston, MA, April 2009, pages 4:1Ð4:9.
https://www.usenix.org/legacy/event/leet09/tech/full_papers/kreibich/kreibich.pdf
Apr. 2 Spam III
C. Dwork and M. Naor,
Pricing via Processing or Combating Junk Mail
, 1992. In E. F. Brick (Ed.): Advances in Cryptology-CRYPTO 1992, Springer-Verlag, pp. 139-147.
http://web.cs.dal.ca/~abrodsky/7301/readings/DwNa93.pdf
Debin Liu and L. Jean Camp, Proof of Work Can Work, WEIS 2006 (Cambridge, UK) 26-28 June 2006.
http://weis2006.econinfosec.org/docs/50.pdf
Trust in Social Networks
One domain where the interaction of security and privacy behaviors are of particular importance is in the power of social networks. Social networks can be used to enhance security or undermine it. One day the readings will focus on the value of social networks and information sharing to empower individuals as opposed to stakeholders with perverse incentives. The second day will address the risks of social networking.
Apr. 7 Social Networks I
We will go over the payment chain in a credit card payment in class.
Sasse, M. A., Kirlappos, I. (2012). Familiarity breeds con-victims: Why we need more effective trust signaling. Springer-Verlag New York Inc.
http://link.springer.com/chapter/10.1007%2F978-3-642-22200-9_2
Apr. 9 Social Networks II
Huseyin Cavusoglu, Tuan Phan, Hasan Cavusoglu , Privacy Controls and Information Disclosure Behavior of Online Social Network Users, WEIS 2013 Georgetown University, Washington, D.C. June 11-12, 2013
weis2013.econinfosec.org/papers/CavusogluWEIS2013.pdf
Catherine Tucker , Social Networks, Personalized Advertising, and Privacy Controls,
http://weis2011.econinfosec.org/papers/Social%20Networks,%20Personalized%20Advertising,%20and%20Privacy%20Cont.pdf
Apr. 14 Social Networks, Security, Social Capital
Lerner, Josh & Triole, Jean 2000 - 03 The Simple Economics of Open Source
http://opensource.mit.edu/papers/JoshLernerandJeanTriole-TheSimpleEconomicsofOpenSource.pdf
David Modic , Ross J. Anderson Reading this May Harm Your Computer: The Psychology of Malware Warnings,
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2374379
Apr. 16 Certificates and Trust
Nevena Vratonjic, Julien Freudiger, Vincent Bindschaedler, and Jean-Pierre Hubaux (all EPFL, Switzerland), The Inconvenient Truth about Web Certificates, The Tenth Workshop on the Economics of Information Security (WEIS 2011), GMU, 14-15 June 2011,
http://infoscience.epfl.ch/record/165676/files/WEIS11-Vratonjic.pdf
Benjamin Edelman, Adverse Selection in Online 'Trust' Certifications, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK,
http://weis2006.econinfosec.org/docs/10.pdf
Decisions at Home: Wireless Security
Wireless security was initially seen as not a topic of particular interest in economics of security because it initially appeared that this is a domain where the risks are born by the decision-maker: the homeowner. However, research at Indiana University has shown that this is not always the case. (Note that repeating this experiment is a clear option for those who would like a well-defined project with an early start.)
Apr. 21 Home-Based Security
Sandvig, C. & Shah, R. (2005). Defaults as De Facto Regulation: The Case of Wireless Access Points. Paper presented at the 33rd Telecommunications Policy Research Conference (TPRC) on Communication, Information, and Internet Policy, Arlington, VA
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=964950"
Matthew Hottell and Drew Carter and Matthew Deniszczuk, Predictors of Home-Based Wireless Security, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at
http://weis2006.econinfosec.org/docs/51.pdf
Apr. 23 Home-Based Security II
Richard Mortier and Tom Rodden and Peter Tolmie and Tom Lodge and Robert Spencer and Andy Crabtree and Joe Sventek and Alexandros Koliousis, Homework: putting interaction into the infrastructure, UIST, pp. 197-206, ACM, 2012.
http://dl.acm.org/citation.cfm?id=2380143&dl=ACM&camp;oll=DL&CFID=398994419
Dallas Wood and Brent Rowe (both RTI International): Assessing Home Internet Users' Demand for Security: Will They Pay ISPs?, The Tenth Workshop on the Economics of Information Security (WEIS 2011), George Mason University, 14-15 June 2011 http://weis2011.econinfosec.org/papers/Assessing%20Home%20Internet%20Users%20Demand%20for%20Security%20-%20Will%20T.pdf
Bitcoin
What is Bitcoin, how does it work? What are the arguments for and against Bitcoin? How is it used?
Apr. 28 Bitcoin by Design
Nakamoto, Satoshi (24 May 2009). Bitcoin: A Peer-to-Peer Electronic Cash System. Retrieved 14 December 2010, http://bitcoin.org/bitcoin.pdf
http://bitcoin.org/bitcoin.pdf
Apr. 30 Bitcoin in Practice
Danny Yuxing Huang, Hitesh Dharmdasaniy, Sarah Meiklejohn, Vacha Dave, Chris Grier, Damon McCoyy, Stefan Savage, Nicholas Weaver, Alex C. Snoeren and Kirill Levchenko, Botcoin: Monetizing Stolen Cycles
http://cseweb.ucsd.edu/~snoeren/papers/botcoin-ndss14.pdf
E Androulaki, G Karame, M Roeschlin, Evaluating User Privacy in Bitcoin, IACR Cryptology
http://book.itep.ru/depository/bitcoin/User_privacy_in_bitcoin.pdf"
Final Presentations and Topics
For those students obtaining doctoral credit, there is a required presentation. All students are required to attend and complete an evaluation.