I590 (525): Economics of Information Security

Policies and schedule for Economics of Information Security for spring 2006.
1:00 pm Tuesdays and Thursdays.
Professor Jean Camp
readings and schedule available here

Overview:Why Economics of Security?

The Internet is critical to all sectors of the economy and integrated into government. Security technologies do exist, and capable programmers can implement secure code. Programming projects and operating systems based on secure design principles populate research databases. Yet the network can be sabotaged by a creative teenager with limited programming experience.


Clearly the answer to this question must include more than technology. There is a problem in the economics of security, and more broadly in the economics of information control. These problems emerge as security violations, spam, "private" databases indexed by Google, and products based on practices exposed as snake oil decades before.

The Economics of Information Security by Springer/Kluwer. Most of these papers are from the series of workshops in the Economics of Information Security. Most the content is available at www.infosecon.net or in the IU library. You can succeed in the course without buying the book.

The Course in a Nutshell

Overview and Grading

Introduction and course overview

In the initial class meeting I ask that you write down what particularly interest you in the topic, and what you would change about the syllabus. Are you more interested in the methods or the findings? Is your heart in HCI or are you the soul of business? Therefore the rest of the syllabus is more a sketch than a course description. The course will be designed to serve the needs of the students in it. I will also provide my cv, and very short discussion of the state of economics of information security.

The course has two primary elements. There is in-class discussion and the production of a research paper. You may choose to be graded either on your ocntinuous understanding of the material produced; or upon the integration of material into a research proposal.

In the first option, the readings and class discussion are inherently distributed over the semester. Each class will include the discussion of one or two papers. We will go over derivations as needed, or ignore them as unneeded depending on the discussion. The weekly essays are only 600 words, and can discuss any of the reading. These function as feedback as well as proof of reading.

The second alternative is a research paper. The research paper is a large part of the grade, and takes the place of the final. There are two interim deadlines, for the topic selection and the bibliography. The purpose of the topic selection and bibliography is more feedback than marking. The paper should be equivalent to the sum of the short writings during the semester.

An alternative to the research paper is a final exam. The exam would cover the materials covered in the course, ask about the results of papers, and require an illustration of mastery of the topic.


25% class participation in class discussions of the readings
75% weekly essays due every Friday, approximately 600 words that summarizes the reading or identifies an open research question that arises from the reading
75% Final project:
  10% topic selection and abstract The topic should be selected and the abstract should be drafted by the fourth week of the semester
  10% bibliography The bibliography should be roughly complete by the middle of the semester, but of course there will be other material added as the semester progresses. This bibliography will serve as the foundation for your research paper.
  55% research paper The research paper is the culmination of the semester.

Economics of Security

The language of computer security suggest the range of analogies. A virus is a medical problem, while an invasive worm brings to mind the problems of ecosystems. Computer crime and intrusion detection argue that the problem is one of criminal behavior. Firewalls suggest that the network itself is a hostile force, that must be segregated into the conflagration beyond and the safety within. The construction of demilitarized zones (DMZs) between trusty local area networks and the wider network beyond argues that it is war, not flames, on the network. Yet for all that is involved in computer security, and all that is lost, there is a single potential measure: dollars.

Economics of information security is not an exercise in analogy. It is the application of the tools of economics to computer security. The class has a set of basic topics, and each topic will be explored and examined according to the interest of the students.


Topic 1: Fundamentals of the Economics of Security
What does it mean to say that economics is an externality or public good? How can the language of economics and the language of computer security be brought to bear in a consistent manner? What does it mean to treat security as a good?

These are the fundamental conceptual questions that must be answered to think about security as an economic topic. As much as reading papers or even writing one, this course depends on thinking about both economics and security in a new way.


Topic 2: Security Technologies and the Individual
Economics has a unique way of framing individuals choices. Incentives, utility, and availability of information all play important roles in the conception of the economic individual. Security technologies may ideal for the firm, yet be subverted by the individual employees.


Topic 3: Security in the Firm
When should an organization share information? Should firms share more or less information in highly competitive markets? How much should a company invest in information? While there are not absolute answers to these questions, there are preliminary findings. These findings illustrate not only dimensions of the information security market, but also illustrate the methods economists use to examine the question - game theoretic and formal modeling.


Topic 4: Economics of Privacy
The privacy paradox is that individuals express strong concerns about privacy, but will readily share information. Experimental economics allows us to parse and to some degree resolve the privacy paradox. Privacy policies are not only not worth readings, in terms of being reliable, but also are unlikely to reach the status of worthwhile without intervention. People discount privacy risks, just as they discount the risks of jay-walking. The methodological focus of this class will be on designing experiments for useful outcomes. After we discuss the specific privacy experiments, we will have guest speakers on the topics of experiment design.


Topic 5: Digital Rights Management
In the case of digital rights management, the customer is inherently in opposition to the security technology. People want to share music, make back-up copies, have computers read audio books aloud, and generally use the content they have purchased like owners. Content producers want consumers to pay for each individual use, use material only in the proscribed manner, and comply with the producers' business plans. The economics of security are quite different when the opponent is not a hacker, but the other party in a transaction.


Topic 6: The Vulnerability Market
One of the earliest publications on the economics of security, using careful economic definitions, defined vulnerabilities as a "good". Vulnerabilities are now widely considered the medium of exchange in the various theoretical constructions of security markets. Vulnerabilities were defined in this work as tradable externalities. Today, the market in vulnerabilities is quite real, with the purchase of a zero day exploit by 3Com from an anonymous hacker in October. In fact, the existence for the vulnerabilities market is well understood and widely examined.


Topic 7: Emerging Work, Student Work, Student-Selected Papers
In the course of the semester we will address one or two papers each session. However, many papers will be considered only as references or tangents. Simultaneously with the class, there will be another semester of research on the economics of information security across the academy. The students will select from among these papers, or use their own work as the basis for discussion.


Exam Period --Student Presentations
The exam period will be used for class presentations, particularly for those students who want to submmit their work for presentations at venues both internal and external to IU.

Attending the exam period is not required.