Readings
Introductory Examples
The first two weeks of the class will cover some fundamental examples, very early works in economics of security. These are chosen to bring the topics of both computer security and economics together for students who lack familiarity in either.
In the initial class meeting we step through the syllabus. I answer any grading queries. I describe assignments, standards and options. For the first week you have two very light assignments: a quiz and your first essay. For the quiz, I ask that you write down what particularly interests you in the topic. Are you more interested in the methods or the findings? Is your heart in HCI or are you the soul of business? What level of mathematical discussion is appropriate for the course? The lectures will be designed to serve the needs of the students, and based on your answers the syllabus may also change. More about crime? Voting?
Aug. 25 Introduction and Overview
What would be your ideal outcome for this course? What do you hope to learn? What topic is missing, is too lightly covered, or is too heavily considered in the following readings?
How does the value of email change your perspective on pricing security?
Syllabus provided in class.
A short article on the monetization of email, for discussion, is here:
http://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
Aug. 27 An Economic Perspective on Security
This book chapter introduces the basic argument for security as an economic problem. Most of the vocabulary will be defined in this session. The same book is usually used in the core security course, but this chapter is covered here.
Ross Anderson, Security Engineering, Ch. 7: Economics. http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c07.pdf
Sept 1. Labor Day
Sept. 3 Security As Economics
Security is not a single kind of good, and design can change the type of good. Please consider three possible examples and identify which of Karin's models holds in each. For example, in the internal market within a firm, what kind of model would be appropriate for patching individual machines?
Similarly, how might these markets be changed by design?
Hal Varian, System Reliability and Free Riding, N. Sadden (ed.), Proceedings of ICEC 2003, 2003, pp. 355-366, ACM Press, New York, NY. http://people.ischool.berkeley.edu/~hal/Papers/2004/reliability
Sept. 8 Email as Money
C. Dwork and M. Naor, Pricing via Processing or Combating Junk Mail, 1992. In E. F. Brickell (Ed.): Advances in Cryptology - CRYPTO 1992, Springer-Verlag, pp. 139-147. http://web.cs.dal.ca/~abrodsky/7301/readings/DwNa93.pdf
Ben Laurie and Richard Clayton, Proof-of-Work Proves Not to Work, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/clayton.pdf
Debin Liu and L. Jean Camp, Proof of Work Can Work, WEIS 2006 (Cambridge, UK) 26-28 June 2006.
http://weis2006.econinfosec.org/docs/50.pdf
Sept. 10 Email as a Second Order Problem
Security products are useless without something to protect. Security is only even
Michael L. Katz, and Carl Shapiro. "Systems competition and network effects." The Journal of Economic Perspectives (1994): 93-115. http://brousseau.info/pdf/cours/Katz-Shapiro%5B1994%5D.pdf
Rational Microeconomics
The vocabulary and models of rational economics. Why should items be sold at marginal cost? When there are two lemonade stands on the beach, why are they right next to each other? Basic economic concepts are introduced. Examples of rational economic models are applied to vulnerability disclosure.
Sept. 15 Vulnerabilities I
For the papers on vulnerabilities consider the characteristics of the systems and cost/benefit payoff. How can these be compared with home electronics? Routers? Cars? Medical devices?
Rahul Telang, and Sunil Wattal, Impact of Software Vulnerability Announcements on the Market Value of Software Vendors -- an Empirical Investigation, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at
http://infosecon.net/workshop/pdf/telang_wattal.pdf
Sam Ransbotham, Sabyasachi Mitra, The Impact of Immediate Disclosure on Attack Diffusion and Volume, WEIS 2011,
http://weis2011.econinfosec.org/papers/TheImpactofImmediateDisclosureonAttackDiffusionand.pdf
Sept. 15 Real World Fraud
Sept. 22 Vulnerabilities II
Jay Pil Choi, Chaim Fershtman, Neil Gandal, Network Security: Vulnerabilities and Disclosure Policy, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
papers.ssrn.com/sol3/papers.cfm?abstract_id=1133779
Ashish Arora and Christopher M. Forman and Anand Nandkumar and Rahul Telang, Competitive and Strategic Effects in the Timing of Patch Release, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at
http://weis2006.econinfosec.org/docs/35.pdf
Economics of Privacy
Privacy, identity and security are all tightly intertwined. Privacy, like security, is the control of information. Identification for security purposes often requires decreases in privacy. This section considers privacy in its own right, as well as interactions with identification.
Sept. 24 Privacy as Rational, Luxury Good
Odlyzko, Privacy and Price Discrimination, Ch. 15, pp. 187-21. www.dtc.umn.edu/~odlyzko/doc/privacy.economics.pdf
Hal Varian and Fredrik Wallenberg and Glenn Woroch, Who Signed Up for the Do-Not-Call List?, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at
http://www.dtc.umn.edu/weis2004/varian.pdf
Sept. 29 Privacy I
Ramnath K. Chellappa, Shivendu Shivendu, Incentive Design for Free but No Free Disposal Services: The Case of Personalization under Privacy Concerns, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007
http://weis07.infosecon.net/papers/48.pdf
Oct. 1 Privacy as Rational, Luxury Good II
Rainer Böhme and Sven Koble, On the Viability of Privacy-Enhancing Technologies in a Self-Regulated Business-to-Consumer Market: Will Privacy Remain a Luxury Good?, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007.
http://weis07.infosecon.net/papers/30.pdf
Behavioral Economics
Economics in computer security focuses to no small degree on behavior. Individuals do not act as self-optimizing rational beings. The limits of the applicability of the homo economicus model will be used to discuss both decision-making by firms in network security and decision-making by individuals with respect to privacy. Concepts of risk aversion and risk perception will be introduced. Beginning with the framework of behavioral economics may make it easier to understand the framework that underlies rational economics. Behavioral economics is then applied to privacy.
Oct. 6 Economic Behavior
Zeckhauser, Richard, "Behavioral versus Rational Economics," in Rational Choice: The Contrast between Economics and Psychology, Robin M. Hogarth and Melvin W. Reder, eds., Chicago: University of Chicago Press, 1986, pp. 251-265
D. Kahneman, Paul Slovic & Amos Tversky (1982) Judgment Under Uncertainty: Heuristics and Biases (Cambridge University Press). (excerpt)
An alternative for those scheduled to take fall break is an equivalent online presentation:
http://research.microsoft.com/apps/video/default.aspx?id=158037
Oct. 8 Rational Acts and Human Behavior in Security
Good, N., Dhamija, R., Grossklags, J., Thaw, D., Aronowitz, S., Mulligan, D., and Konstan, J. Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware. Symposium on Usable Privacy and Security (SOUPS), Carnegie Mellon University.
http://www.truststc.org/pubs/63.html
Bernhard Debatin, Jennette P. Lovejoy, Ann-Kathrin Horn, Brittany N. Hughes, Facebook and Online Privacy: Attitudes, Behaviors, and Unintended Consequences, Journal of Computer-Mediated Communication 15 (2009) 83-108.
http://onlinelibrary.wiley.com/doi/10.1111/j.1083-6101.2009.01494.x/full
Oct. 13 Behavior & Privacy I
West, Ryan. "The psychology of security." Communications of the ACM 51.4 (2008): 34-40.
http://delta.cs.cinvestav.mx/~francisco/ssi/p34-west.pdf
V. Garg and L. Jean Camp, Heuristics and Biases: Implications for Security Design, IEEE Technology & Society, Mar. 2013.
http://www.ljean.com/files/Biases.pdf
Oct. 15 Behavior & Privacy II
Prelec and Loewenstein, "The Red and the Black: Mental Accounting of Savings and Debt," Marketing Science, vol. 17, no. 1, pp. 4-28.
Bernardo A. Huberman and Eytan Adar and Leslie R. Fine, Valuating Privacy, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at
http://infosecon.net/workshop/pdf/7.pdf
Oct. 20 Behavior & Privacy III
Luc Wathieu and Allan Friedman, An Empirical Approach to Understanding Privacy Valuation, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at
http://infosecon.net/workshop/pdf/WathFried_WEIS05.pdf
Jens Grossklags, Alessandro Acquisti, When 25 Cents is too much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
weis2007.econinfosec.org/papers/66.pdf
Crime
Why are Nigerian email scams Nigerian? How does ecrime vary across crime types? How is the industry organized? How are people targeted?
Oct. 22 Crime I
Vaibhav Garg, Nathaniel Husted, & L. Jean Camp. Organized Digital Crime: Smuggling Theory Approach. E-Crime Researcher’s Summit, San Diego, CA, November 8-9, 2011.
Oct. 27 Crime II
Michel van Eeten, Johannes M. Bauer, Hadi Asghari, Shirin Tabatabaie and Dave Rand, The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data, The Ninth Workshop on the Economics of Information Security (WEIS 2010), Harvard University, 7-8 June 2010,
http://weis2010.econinfosec.org/papers/session4/weis2010_vaneeten.pdf
Oct. 29 Crime III Understanding Phishing
Lastdrager, Elmer E.H., Achieving a Consensual Definition of Phishing Based on a Systematic Review of the Literature, Crime Science 3 (2014): 16.
http://doc.utwente.nl/91167/
Moore, Tyler, Phishing and the economics of e-crime, Infosecurity 4.6 (2007): 34-37.
http://www.sciencedirect.com/science/article/pii/S1754454807701481
Spam
Spam is an economic problem with technical symptoms. How is charging for spam possible in the technical sense? Why might it work in the real world?
Nov. 3 Spam I
Il-Horn Hann, Kai-Lung Hui, Yee-Lin Lai, S.Y.T. Lee and I.P.L. Png, Who Gets Spammed?, Communications of the ACM, Vol. 49, No. 10, October 2006, 83-87,
http://www.comp.nus.edu.sg/~ipng/research/spam_CACM.pdf
Zhenhai Duan, Kartik Gopalan, Xin Yuan, An empirical study of behavioral characteristics of spammers: Findings and implications, Computer Communications Vol. 34, Iss. 14, September 1 2011, 1764-1776,
http://www.cs.fsu.edu/~duan/publications/icc2007.pdf
Nov. 5 Spam II
David S. Anderson, Chris Fleizach, Stefan Savage and Geoffrey M. Voelker, Spamalytics: An Empirical Analysis of Spam Marketing Conversion, Communications of the ACM, Vol. 52 No. 9, Pages 99-107
http://cacm.acm.org/magazines/2009/9/38908-spamalytics-an-empirical-analysis-of-spam-marketing-conversion/abstract
Christian Kreibich, Chris Kanich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, and Stefan Savage, Spamcraft: An Inside Look at Spam Campaign Orchestration. Proceedings of the USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET), Boston, MA, April 2009, pages 4:1 - 4:9.
https://www.usenix.org/legacy/event/leet09/tech/full_papers/kreibich/kreibich.pdf
Signaling
One domain where the interaction of security and privacy behaviors is of particular importance is the power of social networks. Social networks can be used to enhance security or undermine it. One day the readings will focus on the value of social networks and information sharing to empower individuals, as opposed to stakeholders with perverse incentives. The second day will address the risks of social networking.
Nov. 10 Fraud Signals
We will go over the payment chain in a credit card payment in class.
Sasse, M. A., Kirlappos, I. (2012). Familiarity breeds con-victims: Why we need more effective trust signaling. Springer-Verlag New York Inc. http://link.springer.com/chapter/10.1007%2F978-3-642-22200-9_2
Cormac Herley, Why do Nigerian Scammers Say They are from Nigeria?, http://research.microsoft.com/pubs/167719/whyfromnigeria.pdf
Nov. 12 Mobile Signaling
Chia, Pern Hui, Yusuke Yamamoto, and N. Asokan. "Is this app safe?: a large scale study on application permissions and risk signals." Proceedings of the 21st international conference on World Wide Web. ACM, 2012.
http://www.academia.edu/download/30629969/www2012.pdf
Benton, Kevin, L. Jean Camp, and Vaibhav Garg. "Studying the effectiveness of android application permissions requests." Pervasive Computing and Communications Workshops (PERCOM Workshops), 2013 IEEE International Conference on. IEEE, 2013. http://www.ljean.com/files/AndriodEyeballs.pdf
Background: Felt, Adrienne Porter, et al. Android permissions demystified. Proceedings of the 18th ACM conference on Computer and communications security. ACM, 2011. http://fanfq-android-demo.googlecode.com/svn-history/r168/trunk/doc/android_permissions.pdf
Nov. 17 Privacy Signals
Huseyin Cavusoglu, Tuan Phan, Hasan Cavusoglu, Privacy Controls and Information Disclosure Behavior of Online Social Network Users, WEIS 2013, Georgetown University, Washington, D.C., June 11-12, 2013
weis2013.econinfosec.org/papers/CavusogluWEIS2013.pdf
Catherine Tucker, Social Networks, Personalized Advertising, and Privacy Controls,
http://weis2011.econinfosec.org/papers/Social%20Networks,%20Personalized%20Advertising,%20and%20Privacy%20Cont.pdf
Nov. 19 Web Signaling
L. Jean Camp, Reliable, Usable Signaling to Defeat Masquerade Attacks, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK. http://weis2006.econinfosec.org/docs/48.pdf
David Modic, Ross J. Anderson, Reading this May Harm Your Computer: The Psychology of Malware Warnings, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2374379
Nov. 24 and Nov. 26 Thanksgiving Break
Dec. 1 Certificates and Trust Signaling
Nevena Vratonjic, Julien Freudiger, Vincent Bindschaedler, and Jean-Pierre Hubaux (all EPFL, Switzerland), The Inconvenient Truth about Web Certificates, The Tenth Workshop on the Economics of Information Security (WEIS 2011), GMU, 14-15 June 2011, http://infoscience.epfl.ch/record/165676/files/WEIS11-Vratonjic.pdf
Benjamin Edelman, Adverse Selection in Online 'Trust' Certifications, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, http://weis2006.econinfosec.org/docs/10.pdf
Dec. 3 NGP: Routes as Products, and Lemons
Vicente Segura, Javier Lahuerta, Modeling the economic incentives of DDoS attacks: femtocell case study, http://weis09.infosecon.net/files/113/paper113.pdf
Hall, C., Anderson, R., Clayton, R., Ouzounis, E., & Trimintzios, P. (2013). Resilience of the internet interconnection ecosystem. In Economics of Information Security and Privacy III (pp. 119-148). Springer New York.
http://link.springer.com/chapter/10.1007/978-1-4614-1981-5_6#page-1
Passwords and Humans
Passwords are one of the choices in which every person is in control of his or her own security.
Dec. 8 Passwords
Brainard, J., Juels, A., Rivest, R. L., Szydlo, M., & Yung, M. (2006, October). Fourth-factor authentication: somebody you know. In ACM conference on computer and communications security (pp. 168-178).
http://www.szydlo.com/ccs084-juels.pdf
Katz, Jonathan, Rafail Ostrovsky, and Moti Yung. "Efficient password-authenticated key exchange using human-memorable passwords." Advances in Cryptology—Eurocrypt 2001. Springer Berlin Heidelberg, 2001. 475-494. https://www.iacr.org/archive/eurocrypt2001/20450473.pdf
Inglesant, Philip G., and M. Angela Sasse. The true cost of unusable password policies: password use in the wild. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2010.
Dec. 10 Bitcoin by Design
Nakamoto, Satoshi (24 May 2009). Bitcoin: A Peer-to-Peer Electronic Cash System.
http://bitcoin.org/bitcoin.pdf
Danny Yuxing Huang, Hitesh Dharmdasani, Sarah Meiklejohn, Vacha Dave, Chris Grier, Damon McCoy, Stefan Savage, Nicholas Weaver, Alex C. Snoeren and Kirill Levchenko, Botcoin: Monetizing Stolen Cycles
http://cseweb.ucsd.edu/~snoeren/papers/botcoin-ndss14.pdf
E. Androulaki, G. Karame, M. Roeschlin, Evaluating User Privacy in Bitcoin, IACR Cryptology
http://book.itep.ru/depository/bitcoin/User_privacy_in_bitcoin.pdf
Final Presentations and Topics
For those students obtaining doctoral credit, there is a required presentation. All students are required to attend and complete an evaluation.