Readings and schedule for Economics of Information Security for Fall 2009.
Professor Jean Camp
Course Prospectus
Aug. 31*
Introduction and Overview
In the initial class meeting I ask that you write down what particularly interest you in the topic. Are you more interested in the methods or the findings? Is your heart in HCI or are you the soul of business? What level of mathematical discussion is appropriate for the course? The course will be designed to serve the needs of the students.
Questions to consider during Reading
What would be your ideal outcome for this course? What do you hope to learn? Can you imagine applying this at this time?
Reading
Questionnaire: Learning Economics of Security - provided in OnCourse
Introductory Examples
Sept. 2*
Computer Security as Economics
Questions to consider during Reading
Notice that the answer to the question "Why information security is hard?" is not because mathematics is sublime. Rather, the work on the fundamentals continues in a scientific (but unpredictable) manner, while adoption of basic solutions occurs in fits, booms, or not at all.
Reading
Ross Anderson and Tyler Moore. "The Economics of Information Security" Science 314 (5799), pp.610-613,
October 27, 2006. Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008. http://www.cl.cam.ac.uk/~twm29/science-econ.pdf
R. Anderson, "Why information security is hard", ACSAC 01: Proceedings of the 17th Annual Computer Security Applications Conference, IEEE Computer Society, Washington, DC. 2001|
Sept 7
Economics as Applied to Computer Security
Questions to consider during Reading
Security is not a single market. Please consider three possible examples where Varian's model holds in each. For example, in the internal market within a firm, what kind of model would be appropriate for patching individual machines?
Reading
Hal Varian, System Reliability and Free Riding, eds. N. Sadeh, Proceedings of the ICEC 2003, 2003, 355-366, ACM Press, New York, NY, people.ischool.berkeley.edu/~hal/Papers/2004/reliability
Rick Wash and Jeff Mackie-Mason Incentive-Centered Design for Information Security, DIMACS Workshop on Information Security Economics January 18 - 19, 2007 DIMACS Center, Rutgers, NJ. http://dimacs.rutgers.edu/Workshops/InformationSecurity/abstracts.html#wash
Sept 9*
Basic Observations in Economics of Security
Questions to consider during Reading
The reason that there is economics of security is because there are violations of security based on economics, e.g. crime. These papers address the economics of crime, the incentives and the nature of the proverbial beast. Are these numbers what you expect? Credit card number prices appear to be going down. Think about two opposite reasons why this might be the case.
Reading
Jason Franklin, Vern Paxon, Adrian Perrig, and Stefan Savage, An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, CCS '07, Alexandria, VA. 29 http://www.cs.ucsd.edu/~savage/papers/CCS07.pdf
Cormac Herley, Dinei Florencio Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy, The Eighth Workshop on the Economics of Information Security (WEIS 2009), University College London, UK 24-25 June 2009
Behavioral Economics
Sept 14*
Economic Behavior
Questions to consider during Reading
Why are we willing to take the risks that we take? What makes us unwilling to pay $1 for something one moment that will be worth ten times that in another? Is it true that He who hesitates is lost?
or is it critical to loop before one leaps? Humans are not rational when it comes to risk -- economic or networked.
Reading
Zeckhauser, Richard, "Behavioral versus Rational Economics," in Rational Choice: The Contrast between Economics and Psychology, Robin M. Hogarth and Melvin W. Reder, eds., Chicago: University of Chicago Press, 1986, pp. 251-265
L Jean Camp, "Mental Models of Security", IEEE Technology & Society, Winter, 2007
Rational Economics
Sept 16
Rational Economics Basics
Questions to consider during Reading
Here we examine the classic lemonade stand market, where the goods and
the market are well understood by buyer and seller. This lecture will
include a basic introduction to marginal cost, marginal price,
competitive and monopolistic markets.
Reading
First, there will be additional notes provided in class
Pratt and Zeckhauser, "Principals and Agents: An Overview," Chapter 1, in Principals and Agents, pp. 1-35.
Arrow, "The Economics of Agency," Chapter 2, in Principals and Agents, pp. 37-51.
Sept 21
Rational Economics Applied to the Network
Questions to consider during Reading
What are transactions costs, production costs and network externalities? How do these influence investment in networked goods? Which categories of security products can be considered networked, and what can be considered stand-alone?
Reading
Nicholas Economides, "The Economics of Networks"
October 1996, International Journal of Industrial Organization
http://www.stern.nyu.edu/networks/94-24.pdf
Economics of Vulnerabilities
Sept 23
Sharing Vulnerability Information
Questions to consider during reading
Why do firms share information that could be embarrassing about their
security state? There are obvious costs, but even when some firms lie,
there are obvious benefits. Note these are somewhat classic articles now.
Readings
Esther Gal-or and Anindya Ghose The Economic Consequences of Sharing Security Information
CH 8, pp 95-104
Lawrence A. Gordon, An Economics Perspective on the Sharing of Information Related to Security Breaches: Concepts and Empirical Evidence
, Workshop on the Economics of Information Security, 2002,Berkeley, CA.
Sept 28
Uncertainty In Decision-Making in terms of Patching
Questions to consider during Reading
What dimensions of uncertainty exist in vulnerabilities? What strategies do different organizations, both software producers and consumers, apply to deal with these uncertainties?
Reading
Rainer Boehme, Tyler Moore The Iterated Weakest Link - A Model of Adaptive Security Investment, The Eighth Workshop on the Economics of Information Security (WEIS 2009), University College London, UK 24-25 June 2009
D. Kahneman, Paul Slovic & Amos Tversky (1982) Judgment Under Uncertainty: Heuristics and Biases (Cambridge University Press). (excerpt)
Sept 30
Vulnerabilities and the optimal Response
Questions to consider during Reading
Reading
Camp, L. Jean and Wolfram, Catherine D., Pricing Security: Vulnerabilities as Externalities. Economics of Information Security, Vol. 12, 2004. Available at SSRN: http://ssrn.com/abstract=894966
Rahul Telang, and Sunil Wattal, "Impact of Software Vulnerability Announcements on the Market Value of Software Vendors -- an Empirical Investigation", Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/telang_wattal.pdf
Oct 5
Conceptions of Vulnerabilities
Questions to consider during Reading
The creator of the vulnerability, the party who discovers the vulnerability, the entity that creates the patch, the responsible computer-owner who patches and the rational computer owner who fails to patch are all economic agents. What are their incentives?
Reading
Jay Pil Choi, Chaim Fershtman, Neil Gandal Network Security: Vulnerabilities and Disclosure Policy, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.papers.ssrn.com/sol3/papers.cfm?abstract_id=1133779
Ashish Arora and Christopher M. Forman and Anand Nandkumar and Rahul Telang, Competitive and Strategic Effects in the Timing of Patch Release, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/35.pdf
Oct 7
Patch release and Adoption
Questions to consider during Reading
Here we consider the incentives of the attackers as well as the parties listed previously. What are the incentives of attackers?
Reading
Huseyin Cavusoglu and Hasan Cavusoglu and Jun Zhang, Economics of Security Patch Management, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/5.pdf
T. Maillart, D. Sornette, http://arxiv.org/abs/0803.2256 Heavy-Tailed Distribution of Cyber-Risks, Physics and Society
Oct 12
As The Worm Turns
Questions to consider during Reading
Does publication of a patch does not prevent worms from spreading, or rather there are periodic waves? Given the readings below, what is the optimal patch notification policy?
Reading
Ashish Arora, "Honey Pots, Impact of Vulnerability Disclosure and Patch Availability", Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN. http://www.dtc.umn.edu/weis2004/telang.pdf
William A. Arbaugh and William L. Fithen and John McHugh, Windows of Vulnerability: A Case Study Analysis
, Computer, Vol. 33, 12, 2000, 52-59, IEEE Computer Society Press,
Oct 14
Auction Design
Questions to consider during Reading
Would it be possible to design an auction as discussed in Ozment that is immune to the factors discussed in Klemperer? What perverse incentives might be created.
Reading
Klemperer, What really matters in auction design, ideas.repec.org/p/cpr/ceprdp/2581.html
Ozment, Bug Auctions: Vulnerability Markets Reconsidered. OnCourse.
Economics of Privacy
Oct 19
Price Discrimination
Questions to consider during Reading
Why is your privacy violated so consistently when you are online? Why does anyone care? What are the economic incentives for collecting private information?
Reading
Odlyzko, Privacy and Price Discrimination CH 15, pp 187-21 www.dtc.umn.edu/~odlyzko/doc/privacy.economics.pdf
Luc Wathieu and Allan Friedman, An empirical approach to the valuing privacy valuation, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/WathFried_WEIS05.pdf
Oct 21
Pricing Personal Information
Questions to consider during Reading
How much would you pay to hide your lowest grade? How much would you accept to disclose it? Is deviance from the perceived norm a predictor of your privacy preference? Thinking of it in these terms likely results in close numbers, but that is not how mental accounting always works.
Reading
Jens Grossklags, Alessandro Acquisti, When 25 Cents is
too much: An Experiment on Willingness-To-Sell and
Willingness-To-Protect Personal Information, WEIS 2007 - Sixth Workshop
on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
Prelec and Loewenstein, "The Red and the Black: Mental Accounting of Savings and Debt," Marketing Science, vol. 17, no. 1, pp. 4-28.
Bernardo A. Huberman and Eytan Adar and Leslie R. Fine, Valuating Privacy, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/7.pdf.
Oct 26
Privacy and Identity
Questions to consider during Reading
Should there be a special Clear line for travelers? Was the TSA correct in refusing to limit searches to those not in the Clear program?
Reading
Ramnath K. Chellappa, Shivendu Shivendu, Incentive Design for Free but No Free Disposal Services: The Case of Personalization under Privacy Concerns, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007
http://weis07.infosecon.net/papers/48.pdf
Tony Vila and Rachel Greenstadt and David Molnar Why We Cannot Be Bothered to Read Privacy Policies
CH 11, pp. 143-154.
Oct 28
Privacy as a Luxury Good
Questions to consider during Reading
If privacy is a luxury good, what would that imply about the averaging of costs for price discrimination goods?
"I thought, too, of the admirable smoke and drink and the deep armchairs and the pleasant carpets: of the urbanity, the geniality, the dignity which are the offspring of luxury and privacy and space."
Privacy as spatial, and as a luxury good from October 1928, A Room of One's Own,, by Virginia Woolf.
Reading
Hal Varian and Fredrik Wallenberg and Glenn Woroch, Who Signed Up for the Do-Not-Call List?, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/varian.pdf
Rainer Bohme and Sven Koble, On the Viability of Privacy-Enhancing Technologies in a Self-Regulated Business-to-Consumer Market: Will Privacy Remain a Luxury Good?, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/30.pdf
Spam
Nov 2
Spamonomics
Questions to consider during Reading
How much would spam have to cost and what are the assumptions about the infrastructure? Do these assumptions correspond with the earlier readings?
Reading
Ben Laurie and Richard Clayton, Proof-of-Work Proves Not to Work, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/clayton.pdf
Debin Liu and L Jean Camp, Proof of Work can Work, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/50.pdf
Nov 4
Spamalitics
Questions to consider during Reading
What is the true loss and cost of spam? Why have systemic spam responses not been adopted.
Reading
Il-Horn Hann, Kai-Lung Hui, Yee-Lin Lai, and S.Y.T. Lee and I.P.L. Png Who Gets Spammed?, Communications of the ACM, Vol. 49, No. 10, October 2006, 83-87, http://www.comp.nus.edu.sg/~ipng/research/spam_CACM.pdf
David S. Anderson, Chris Fleizach, Stefan Savage and Geoffrey M. Voelker, Spamscatter: Characterizing Internet Scam Hosting Infrastructure, USENIX Security Symposium, Boston, MA. 5 -10 August 2007.
http://www.cs.ucsd.edu/~savage/papers/UsenixSec07.pdf
ACM CCS
Nov 9
ACM CCS
Questions & Reading
Attend the ACM CCS event. If you cannot attend, then you may read the papers from one track and write a summary. If you do attend, please take clear careful notes for the tracks you attend. These notes will be your participation and weekly summary grades for this week.
Nov 11
ACM CCS II
Question & Reading
Attend the ACM CCS event. If you cannot attend, then you may read the papers from one track and write a summary. If you do attend, please take clear careful notes for the tracks you attend. These notes will be your participation and weekly summary grades for this week.
Trust in Social Networks
Nov 16
Trustonomics
Questions to consider during Reading
How do you decide which merchants to trust? Do you purchase specialized goods? How do you book travel, for example?
Reading
Benjamin Edelman, Adverse Selection in Online 'Trust' Certifications, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/10.pdf
Alex Tsow, Camilo Viecco, and L. Jean Camp, Privacy-Aware Architecture for Sharing Web Histories, IBM Systems Journal, provided in class.
Nov 18
Privacy in Social Networks
Questions to consider during Reading
What is the value in social networks? What are the risks for users? What is the relationship between security and information sharing?
Reading
Joseph Bonneau, Soren Preibusch The Privacy Jungle: On the Market for Data Protection in Social Networks, The Eighth Workshop on the Economics of Information Security (WEIS 2009), University College London, UK 24-25 June 2009
Alessandro Acquisti and Ralph Gross. "Imagined Communities: Awareness, Information Sharing,
and Privacy on the Facebook" In Privacy Enhancing Technologies, LNCS 4258, pages 36 - 58.
Springer Berlin / Heildelberg, 2006.
MedSec
Nov 23
Health Privacy - An Emerging Arena
Questions to consider during Reading
Reading
Ajit Appari, Denise Anthony, Eric Johnson HIPAA Compliance: An Examination of Institutional and Market Forces, The Eighth Workshop on the Economics of Information Security (WEIS 2009), University College London, UK 24-25 June 2009
M. Eric Johnson Data Hemorrhages in the Health-Care Sector, Financial Cryptography and Data Security '09, Barbados 23-26 February 2009.fc09.ifca.ai/papers/54_Data_Hemorrhages.pdf.
L. Sweeney, Information Explosion. Confidentiality, Disclosure, and Data Access: Theory and Practical
Applications for Statistical Agencies, L. Zayatz, P. Doyle, J. Theeuwes and J. Lane (eds), Urban Institute,
Washington, DC, 2001 http://privacy.cs.cmu.edu/people/sweeney/explosion.html. Apparently this has been taken down because it is now in springer.
Happy
Thanksgiving!
Happy Thanksgiving! Enjoy Celebrating the Second Surviving English Settlement in the Americas!
DRM
Nov 30
DRM
Questions to consider during Reading
What is the economic value of DRM in terms of social welfare, music consumption and pricing? How have we seen some of these predictions borne out?
Reading
Yooki Park and Suzanne Scotchmer, Digital Rights Management and the Pricing of Digital Products, Fourth Workshop on Economics of Security, available at socrates.berkeley.edu/~scotch/w11532.pdf
Dec 2
DRMonomics
Questions to consider during Reading
This paper combines multiple methods, using both a dynamic systems model and a regression to understand the use of illegal software. The following paper examines the opposite - why people would want to contribute to something they do not use. implications discussed in class include the lack of patch support for machines with illegal copies of software and the relative security of open vv. closed source.
Reading
C. Osorio, "A contribution to the understanding of illegal copying of software:
empirical and analytical evidence against conventional wisdom"
http://opensource.mit.edu/papers/osorio.pdf
Lerner, Josh & Triole, Jean 2000 - 03 The Simple Economics of Open
Source
http://opensource.mit.edu/papers/JoshLernerandJeanTriole-TheSimpleEconomicsofOpenSource.pdf
Wireless Privacy
Dec 7
Wireless Privacy
Questions to consider during Reading
Who are the stakeholders in examination of wireless security in the first paper? How does the possibility of mid-stream injection attacks change the set of stakeholders?
Reading
Matthew Hottell and Drew Carter and Matthew Deniszczuk, "Predictors of Home-Based Wireless Security", Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/51.pdf
Steven Myers, Sid Stamm, Practice & Prevention of Home-Router Mid-Stream Injection Attacks, General Members Meeting & eCrime Researchers Summit, Atlanta 14-16 October 2008. See OnCourse.
Dec 9
Peer Evaluation 1
Questions to consider during Reading
How would you answer the five core questions of the class about this paper? How do topic, question, method and answer fit?
Reading
Each student or set of students will provide a draft paper 24 hours before course time to their peers.
Exam Sessions
Peer Evaluations and Presentations con't
Questions to consider during Reading
How would you answer the five core questions of the class about this paper? How do topic, question, method and answer fit?
Reading
Each student or set of students will provide a draft paper 24 hours before course time to their peers. Students will present their work, and attend as others present.