I525: Economics of Information Security

L Jean Camp
Scheduled for Fall 2009
Detailed Listing of Readings

Office Hours
Informatics Building 200
Mondays 3-5pm
Wednesdays 2-4pm

The course will use the tools of economics to better understand computer security. This is not a course in economics research: no new tools will be discovered and no new ground will be broken in economic theory. The understanding of economics required for this course is modest, and a strong mathematical background with no economics will certainly suffice. There is no textbook. The course will be based on a series of research papers, primarily drawn from the series of Workshops on Economics of Information Security.

The basic issue we will explore is how to answer human, organizational or social questions about the security and privacy behaviors of people, groups, firms or even nations. The fundamental pedagogical approach in this class is that of a research seminar: after an introductory period, the class is based on shared learning. Students are expected to come prepared to answer the basic questions. For each paper we answer a set of questions in class. First, what is the big cosmic question? That is, where in the world of open questions does this paper fit? Second, what is the smaller question? Obviously no paper, monograph, or person can answer the big questions about life, the universe, privacy, and everything, so questions are broken down into smaller elements. Some of these papers are position papers, and argue that questions should be broken down in a particular manner. Third, what is the method of the paper? Essentially this is a definition of the method the authors have chosen to answer the small question; it may be an experimental approach, mathematical modeling, simulation, and often a combination of different methods. Fourth, how does this method (or methodology) match, and fail to match, both the larger question and the immediate issue at hand? Clearly these last two apply less to position papers and to course sessions where the topic is tutorial. Fifth, what are the findings of the paper? Finally, with those five questions answered, we respectfully argue about the implications of those findings. Concurrence with class opinion is not a requirement!

 

Grading Guidelines
25% class participation in class discussions of the readings
75% weekly essays due every Friday, approximately 750 words each, that summarize the reading or identify an open research question arising from the reading
Required For Those Earning Doctoral Degree Credit in Security, Optional for Others
25% class participation in class discussions of the readings
75% Final project
  10% topic selection and abstract The topic should be selected and the abstract drafted by the fourth week of the semester
  15% bibliography The bibliography should be roughly complete by the middle of the semester, though of course other material will be added as the semester progresses. This bibliography will serve as the foundation for your research paper.
  10% five questions In the class we ask five questions. What is the big idea? What is the researchable question? What is the method? Why? What conclusion is expected?
  40% research paper The research paper is the culmination of the semester.

 

Overview
The language of computer security suggests the range of analogies. A virus is a medical problem, while an invasive worm brings to mind the problems of ecosystems. Computer crime and intrusion detection argue that the problem is one of criminal behavior. Firewalls suggest that the network itself is a hostile force that must be segregated into the conflagration beyond and the safety within. The construction of demilitarized zones (DMZs) between trusted local area networks and the wider network beyond argues that it is war, not flames, on the network. Yet for all that is involved in computer security, and all that is lost, there is a single potential measure: dollars.

Economics of information security is not an exercise in analogy. It is the application of the tools of economics to computer security. The class has a set of basic topics, and each topic will be explored and examined according to the interest of the students.

 

Students with successful, accepted submissions to these conferences will receive an A, even if this requires a change from my initial grade.

 

Topics and Sessions

Introductory Examples

The first two weeks of the class will cover some fundamental examples, very early works in economics of security. These are chosen to bring the topics of both computer security and economics together for students who lack familiarity in either.

Behavioral Economics

Economics in computer security focuses to no small degree on behavior. Individuals do not act as self-optimizing rational beings. The limits of the applicability of the model of homo economicus will be used to discuss both decision-making by firms in network security and decision-making by individuals with respect to privacy. Concepts of risk aversion and risk perception will be introduced. Beginning with the framework of behavioral economics may make it easier to understand the framework that underlies rational economics.

Rational Economics

The vocabulary and mental model of rational economics. Why should items be sold at marginal cost? When there are two lemonade stands on the beach, why are they right next to each other? Concepts of utility and optimization are introduced, as are lemons markets.

Economics of Vulnerabilities

Among the most carefully explored issues in security economics is the disclosure of vulnerabilities. Should there be a market for disclosure? How might the market fail the public interest or common good? What form of market is optimal?

Economics of Privacy

Privacy, identity and security are all tightly intertwined. Privacy, like security, is the control of information. Identification for security purposes often requires decreases in privacy. Yet mandatory disclosure of information weakens both security and privacy. This section considers privacy in its own right, as well as its interactions with identification.

Spam

Spam is an economic problem with technical symptoms. This section covers how charging for spam is possible in the technical sense, and why it won't work in the real world.

ACM CCS

As the flagship ACM security conference is in Chicago this year, students will be asked to attend the conference. Financial assistance is being sought from multiple sources. Those who cannot attend will be asked to select sessions that would be attended, and write summaries of the papers.

Trust in Social Networks

One domain where the interaction of security and privacy behaviors is of particular importance is the power of social networks. Social networks can be used to enhance security or to undermine it. On the first day the readings will focus on the value of social networks and information sharing in empowering individuals, as opposed to stakeholders with perverse incentives. The second day will address the risks of social networking.

Medical Security

A brief update on an area which is ripe for investigation using the tools of modeling: health information online.

DRM

DRM research has been as conclusive as the market itself for mass-produced consumer content: purposefully breaking your content is not a market advantage. However, the applications to code and to embedded devices are not as clear.

Wireless Security

Wireless security was initially seen as not a topic of particular interest in the economics of security, because it initially appeared that this is a domain where the risks are borne by the decision-maker: the homeowner. However, research at Indiana University has shown that this is not always the case. (Note that repeating this experiment is a clear option for those who would like a well-defined project with an early start.)

Final Presentations and Topics

For those students obtaining doctoral credit, there is a required presentation. All students are required to attend and complete an evaluation.