Economics of Information Security

L Jean Camp
Scheduled for Fall 2007
Monday and Wednesday 11:15A-12:30P
Class rescheduled for Monday and Wednesday 1:00-2:15 in Informatics 105
Detailed Course Listing

Office Hours
Informatics Building 200
Mondays 3-5pm

until the second eight week session: 3-5pm
during the second eight week session: 2-4pm

The course will use the tools of economics to better understand computer security. This is not a course in economics research in that no new tools will be discovered and no new ground will be broken in economic theory. The understanding of economics required for this course is modest, and a strong mathematical background with no economics will certainly suffice. There is no textbook. The course will be based on a series of research papers, primarily drawn for the series of Workshops on Economics of Information Security.


Grading Guidelines
25% class participation in class discussions of the readings
75% weekly essays due every Friday, approximately 750 words that summarizes the reading or identifies an open research question that arises from the reading
75% Final project:
  10% topic selection and abstract The topic should be selected and the abstract should be drafted by the fourth week of the semester
  10% bibliography The bibliography should be roughly complete by the middle of the semester, but of course there will be other material added as the semester progresses. This bibliography will serve as the foundation for your research paper.
  55% research paper The research paper is the culmination of the semester.


The language of computer security suggest the range of analogies. A virus is a medical problem, while an invasive worm brings to mind the problems of ecosystems. Computer crime and intrusion detection argue that the problem is one of criminal behavior. Firewalls suggest that the network itself is a hostile force, that must be segregated into the conflagration beyond and the safety within. The construction of demilitarized zones (DMZs) between trusty local area networks and the wider network beyond argues that it is war, not flames, on the network. Yet for all that is involved in computer security, and all that is lost, there is a single potential measure: dollars.

Economics of information security is not an exercise in analogy. It is the application of the tools of economics to computer security. The class has a set of basic topics, and each topic will be explored and examined according to the interest of the students.


Students with successful, accepted submissions to these conferences will receive an A, even if this requires a grade change.


Topics and Sessions

Economics Intro

The class is assumes no background in economics, and therefore must begin with some very basic economics. After this it is divided into major topics, with sessions organized under those themes. These first part of the class will provide the minimal microeconomics necessary to understand the remainder of the term. Concepts of utility and optimization are introduced.

Economics Basics

The vocabulary and mental model of rational economics. Why should items be sold at marginal cost? When there are two lemonade stands on the beach, why are they right next to each other?

Economic Modeling

An economic model has a few basics: first it identifies the participants, it defines the constraints, and then it evaluates the implications. We will look at a few economic models which use game theory.

Behavioral Economics

Economics may also include issues of behavior, where individuals do not act as self-optimizing rational beings. This will include a few of the foundational Stockholm prize articles, as well as some recent works.

Economic of Vulnerabilities

One of the most hotly contested issues in security economics is the disclosure of vulnerabilities. Should there be a market for disclosure? If so, in what form?


Beginning with very few articles to introduce the concepts of insurance, such as shared risk and moral hazards, we then look at the theory and reality of cyber insurance.

Return on Security Investment

If there is an intrusion avoided or a recovery from intrusion the question of cost can be hotly contested. How to begin to balance and argue those costs is the issue in these sessions.

Economics of Privacy

Privacy, like security, is the control of information. The economics of privacy can explain some otherwise arbitrary consumer behavior.


Spam is an economic problem with technical symptoms. How charging for spam is possible in the technical sense, and why it won't work in the real world.

Final Presentations and Topics