Readings and schedule for Economics of Information Security for Fall 2009.
Professor Jean Camp
Course Prospectus
Jan. 10
Introduction and Overview
In the initial class meeting we step through the syllabus. I answer any grading queries. I describe assignments, standards and options. For the first week you have two very light assignments: a quiz and your first essay. For the quiz, I ask that you write down what particularly interest you in the topic. Are you more interested in the methods or the findings? Is your heart in HCI or are you the soul of business? What level of mathematical discussion is appropriate for the course? The lectures will be designed to serve the needs of the students, and based on your answers the syllabus may also change.
Questions to consider during Reading
What would be your ideal outcome for this course? What do you hope to learn? What topic is missing, is too lightly covered, or is too heavily considered in the following readings?
Privacy and Security in Policy
Jan. 12
Computer Security and Privacy in the American Policy Debate
For the first essay, I am asking you to think about security and privacy in the policy realm. The three readings below seem quite long if you print them. LOOK BEFORE YOU PRINT. However, these are double-spaced and the content is easy to read. Both the FCC and the NTIA are considering issues of consumer privacy. Answer any of the open questions in your essay. Please select no more than three of these questions.
Questions to consider during Reading
What would be your ideal outcome for this course? What do you hope to learn? What topic is missing, is too lightly covered, or is too heavily considered in the following readings?
Reading
http://www.ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf The NTIA has issued a green paper (as distinguished from a white paper by its exploratory as opposed to declarative nature).
http://www.ntia.doc.gov/frnotices/2010/FR_IPTFPrivacy_RequestforComments_12162010.pdf
This is the associated request for comments.
http://ftc.gov/os/2010/12/101201privacyreport.pdf. The Federal Trade Commission is currently the body that regulates privacy, to the extent it is regulated, in the United States.
Introductory Examples
Jan. 19
Computer Security as Economics
The Literature Search
Questions to consider during Reading
Notice that the answer to the question "Why information security is hard?" is not because mathematics is sublime. Rather, the work on the fundamentals continues in a scientific (but unpredictable) manner, while adoption of basic solutions occurs in fits, booms, or not at all.
Reading
Ross Anderson and Tyler Moore. "The Economics of Information Security" Science 314 (5799), pp.610-613,
October 27, 2006. Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008. http://www.cl.cam.ac.uk/~twm29/science-econ.pdf
R. Anderson, "Why information security is hard", ACSAC 01: Proceedings of the 17th Annual Computer Security Applications Conference, IEEE Computer Society, Washington, DC. 2001|
Jan. 24
Economics as Applied to Computer Security
Questions to consider during Reading
Security is not a single market. Please consider three possible examples where Varian's model holds in each. For example, in the internal market within a firm, what kind of model would be appropriate for patching individual machines?
Reading
Hal Varian, System Reliability and Free Riding, eds. N. Sadeh, Proceedings of the ICEC 2003, 2003, 355-366, ACM Press, New York, NY, people.ischool.berkeley.edu/~hal/Papers/2004/reliability
Rick Wash and Jeff Mackie-Mason Incentive-Centered Design for Information Security, DIMACS Workshop on Information Security Economics January 18 - 19, 2007 DIMACS Center, Rutgers, NJ. http://dimacs.rutgers.edu/Workshops/InformationSecurity/abstracts.html#wash
Jan. 26
Basic Observations in Economics of Security
Questions to consider during Reading
The reason that there is economics of security is because there are violations of security based on economics, e.g. crime. These papers address the economics of crime, the incentives and the nature of the proverbial beast. Are these numbers what you expect? Credit card number prices appear to be going down. Think about two opposite reasons why this might be the case.
Reading
Richard J. Sullivan, The Changing Nature of US Card Payment Fraud: Issues for Industry and Public Policy, The Ninth Workshop on the Economics of Information Security (WEIS 2010), Harvard University, 7-8 June 2010, http://weis2010.econinfosec.org/papers/panel/weis2010_sullivan.pdf
Mark MacCarthy, Information Security Policy in the U.S. Retail Payments Industry, The Ninth Workshop on the Economics of Information Security (WEIS 2010), Harvard University, 7-8 June 2010, http://weis2010.econinfosec.org/papers/panel/weis2010_maccarthy.pdf
Behavioral Economics
Jan. 31
Economic Behavior
Questions to consider during Reading
Why are we willing to take the risks that we take? What makes us unwilling to pay $1 for something one moment that will be worth ten times that in another? Is it true that He who hesitates is lost?
or is it critical to loop before one leaps? Humans are not rational when it comes to risk -- economic or networked.
Reading
Zeckhauser, Richard, "Behavioral versus Rational Economics," in Rational Choice: The Contrast between Economics and Psychology, Robin M. Hogarth and Melvin W. Reder, eds., Chicago: University of Chicago Press, 1986, pp. 251-265
L Jean Camp, "Mental Models of Security", IEEE Technology & Society, Winter, 2007
Rational Economics
Feb. 2
Rational Economics Basics
Topic and Abstract Due Feb. 4
Questions to consider during Reading
Here we examine the classic lemonade stand market, where the goods and
the market are well understood by buyer and seller. This lecture will
include a basic introduction to marginal cost, marginal price,
competitive and monopolistic markets.
Reading
First, there will be additional notes provided in class
Pratt and Zeckhauser, "Principals and Agents: An Overview," Chapter 1, in Principals and Agents, pp. 1-35.
Arrow, "The Economics of Agency," Chapter 2, in Principals and Agents, pp. 37-51.
Feb. 7
Rational Economics Applied to the Network
Questions to consider during Reading
What are transactions costs, production costs and network externalities? How do these influence investment in networked goods? Which categories of security products can be considered networked, and what can be considered stand-alone?
Reading
Nicholas Economides, "The Economics of Networks"
October 1996, International Journal of Industrial Organization
http://www.stern.nyu.edu/networks/94-24.pdf
Feb. 9
Auction Design
Questions to consider during Reading
Would it be possible to design an auction as discussed in Ozment that is immune to the factors discussed in Klemperer? What perverse incentives might be created.
Reading
Klemperer, What really matters in auction design, ideas.repec.org/p/cpr/ceprdp/2581.html
Ozment, Bug Auctions: Vulnerability Markets Reconsidered. OnCourse.
Preview of Economics of Privacy
Feb. 14
Price Discrimination
Questions to consider during Reading
Why is your privacy violated so consistently when you are online? Why does anyone care? What are the economic incentives for collecting private information?
Reading
Odlyzko, Privacy and Price Discrimination CH 15, pp 187-21 www.dtc.umn.edu/~odlyzko/doc/privacy.economics.pdf
Luc Wathieu and Allan Friedman, An empirical approach to the valuing privacy valuation, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/WathFried_WEIS05.pdf
Economics of Vulnerabilities
Feb. 16
Vulnerabilities and the optimal Response
Questions to consider during Reading
Reading
Camp, L. Jean and Wolfram, Catherine D., Pricing Security: Vulnerabilities as Externalities. Economics of Information Security, Vol. 12, 2004. Available at SSRN: http://ssrn.com/abstract=894966
Rahul Telang, and Sunil Wattal, "Impact of Software Vulnerability Announcements on the Market Value of Software Vendors -- an Empirical Investigation", Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/telang_wattal.pdf
Feb. 21
Uncertainty and Sharing Vulnerability Information
Questions to consider during reading
Why do firms share information that could be embarrassing about their
security state? There are obvious costs, but even when some firms lie,
there are obvious benefits.
What dimensions of uncertainty exist in vulnerabilities? What strategies do different organizations, both software producers and consumers, apply to deal with these uncertainties?
Reading
D. Kahneman, Paul Slovic & Amos Tversky (1982) Judgment Under Uncertainty: Heuristics and Biases (Cambridge University Press). (excerpt)
Esther Gal-or and Anindya Ghose The Economic Consequences of Sharing Security Information
CH 8, pp 95-104
Feb. 23
Conceptions of Vulnerabilities
Bibliography due the 25th
Questions to consider during Reading
The creator of the vulnerability, the party who discovers the vulnerability, the entity that creates the patch, the responsible computer-owner who patches and the rational computer owner who fails to patch are all economic agents. What are their incentives?
Reading
Jay Pil Choi, Chaim Fershtman, Neil Gandal Network Security: Vulnerabilities and Disclosure Policy, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.papers.ssrn.com/sol3/papers.cfm?abstract_id=1133779
Ashish Arora and Christopher M. Forman and Anand Nandkumar and Rahul Telang, Competitive and Strategic Effects in the Timing of Patch Release, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/35.pdf
Feb 28
Patch release and Adoption
Questions to consider during Reading
Here we consider the incentives of the attackers as well as the parties listed previously. What are the incentives of attackers?
Reading
Huseyin Cavusoglu and Hasan Cavusoglu and Jun Zhang, Economics of Security Patch Management, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/5.pdf
Mar. 2
As The Worm Turns
Questions to consider during Reading
Does publication of a patch does not prevent worms from spreading, or rather there are periodic waves? Given the readings below, what is the optimal patch notification policy?
Reading
Ashish Arora, "Honey Pots, Impact of Vulnerability Disclosure and Patch Availability", Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN. http://www.dtc.umn.edu/weis2004/telang.pdf
William A. Arbaugh and William L. Fithen and John McHugh, Windows of Vulnerability: A Case Study Analysis
, Computer, Vol. 33, 12, 2000, 52-59, IEEE Computer Society Press,
Economics of Privacy
Mar. 7
Pricing Personal Information
Questions to consider during Reading
How much would you pay to hide your lowest grade? How much would you accept to disclose it? Is deviance from the perceived norm a predictor of your privacy preference? Thinking of it in these terms likely results in close numbers, but that is not how mental accounting always works.
Reading
Jens Grossklags, Alessandro Acquisti, When 25 Cents is
too much: An Experiment on Willingness-To-Sell and
Willingness-To-Protect Personal Information, WEIS 2007 - Sixth Workshop
on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.
Prelec and Loewenstein, "The Red and the Black: Mental Accounting of Savings and Debt," Marketing Science, vol. 17, no. 1, pp. 4-28.
Bernardo A. Huberman and Eytan Adar and Leslie R. Fine, Valuating Privacy, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/7.pdf.
Mar. 9
Privacy and Identity
Questions to consider during Reading
Should there be a special Clear line for travelers? Was the TSA correct in refusing to limit searches to those not in the Clear program?
Reading
Ramnath K. Chellappa, Shivendu Shivendu, Incentive Design for Free but No Free Disposal Services: The Case of Personalization under Privacy Concerns, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007
http://weis07.infosecon.net/papers/48.pdf
Tony Vila and Rachel Greenstadt and David Molnar Why We Cannot Be Bothered to Read Privacy Policies
CH 11, pp. 143-154.
Mar 21
Privacy as a Luxury Good
5 Questions & Outline due the 25th
Questions to consider during Reading
If privacy is a luxury good, what would that imply about the averaging of costs for price discrimination goods?
"I thought, too, of the admirable smoke and drink and the deep armchairs and the pleasant carpets: of the urbanity, the geniality, the dignity which are the offspring of luxury and privacy and space."
Privacy as spatial, and as a luxury good from October 1928, A Room of One's Own,, by Virginia Woolf.
Reading
Hal Varian and Fredrik Wallenberg and Glenn Woroch, Who Signed Up for the Do-Not-Call List?, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/varian.pdf
Rainer Bohme and Sven Koble, On the Viability of Privacy-Enhancing Technologies in a Self-Regulated Business-to-Consumer Market: Will Privacy Remain a Luxury Good?, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/30.pdf
Spam
Mar. 23
Spamalitics
Questions to consider during Reading
What is the true loss and cost of spam? Why have systemic spam responses not been adopted.
Reading
Il-Horn Hann, Kai-Lung Hui, Yee-Lin Lai, and S.Y.T. Lee and I.P.L. Png Who Gets Spammed?, Communications of the ACM, Vol. 49, No. 10, October 2006, 83-87, http://www.comp.nus.edu.sg/~ipng/research/spam_CACM.pdf
David S. Anderson, Chris Fleizach, Stefan Savage and Geoffrey M. Voelker, Spamscatter: Characterizing Internet Scam Hosting Infrastructure, USENIX Security Symposium, Boston, MA. 5 -10 August 2007.
http://www.cs.ucsd.edu/~savage/papers/UsenixSec07.pdf
Mar. 28
Spamonomics
Questions to consider during Reading
How much would spam have to cost and what are the assumptions about the infrastructure? Do these assumptions correspond with the earlier readings?
Reading
Ben Laurie and Richard Clayton, Proof-of-Work Proves Not to Work, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/clayton.pdf
Debin Liu and L Jean Camp, Proof of Work can Work, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/50.pdf
Trust in Social Networks
Mar. 30
Trustonomics
Questions to consider during Reading
How do you decide which merchants to trust? Do you purchase specialized goods? How do you book travel, for example?
Reading
Benjamin Edelman, Adverse Selection in Online 'Trust' Certifications, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/10.pdf
Alex Tsow, Camilo Viecco, and L. Jean Camp, Privacy-Aware Architecture for Sharing Web Histories, IBM Systems Journal, provided in class.
Apr. 4
Privacy in Social Networks
Questions to consider during Reading
What is the value in social networks? What are the risks for users? What is the relationship between security and information sharing?
Reading
Joseph Bonneau, Soren Preibusch The Privacy Jungle: On the Market for Data Protection in Social Networks, The Eighth Workshop on the Economics of Information Security (WEIS 2009), University College London, UK 24-25 June 2009
Alessandro Acquisti and Ralph Gross. "Imagined Communities: Awareness, Information Sharing,
and Privacy on the Facebook" In Privacy Enhancing Technologies, LNCS 4258, pages 36 - 58.
Springer Berlin / Heildelberg, 2006.
MedSec
Apr. 6
Health Privacy - An Emerging Arena
Questions to consider during Reading
Reading
Ajit Appari, Denise Anthony, Eric Johnson HIPAA Compliance: An Examination of Institutional and Market Forces, The Eighth Workshop on the Economics of Information Security (WEIS 2009), University College London, UK 24-25 June 2009
M. Eric Johnson Data Hemorrhages in the Health-Care Sector, Financial Cryptography and Data Security '09, Barbados 23-26 February 2009.fc09.ifca.ai/papers/54_Data_Hemorrhages.pdf.
L. Sweeney, Information Explosion. Confidentiality, Disclosure, and Data Access: Theory and Practical
Applications for Statistical Agencies, L. Zayatz, P. Doyle, J. Theeuwes and J. Lane (eds), Urban Institute,
Washington, DC, 2001 http://privacy.cs.cmu.edu/people/sweeney/explosion.html. Apparently this has been taken down because it is now in springer.
DRM
Apr. 11
DRM
Questions to consider during Reading
What is the economic value of DRM in terms of social welfare, music consumption and pricing? How have we seen some of these predictions borne out?
Reading
Yooki Park and Suzanne Scotchmer, Digital Rights Management and the Pricing of Digital Products, Fourth Workshop on Economics of Security, available at socrates.berkeley.edu/~scotch/w11532.pdf
Michael Smith,Rahul Telang;Competing with Free: The Impact of Movie Broadcasts on DVD Sales and Internet Piracy
Apr. 13
DRMonomics
Questions to consider during Reading
This paper combines multiple methods, using both a dynamic systems model and a regression to understand the use of illegal software. The following paper examines the opposite - why people would want to contribute to something they do not use. implications discussed in class include the lack of patch support for machines with illegal copies of software and the relative security of open vv. closed source.
Reading
C. Osorio, "A contribution to the understanding of illegal copying of software:
empirical and analytical evidence against conventional wisdom"
http://opensource.mit.edu/papers/osorio.pdf
Lerner, Josh & Triole, Jean 2000 - 03 The Simple Economics of Open
Source
http://opensource.mit.edu/papers/JoshLernerandJeanTriole-TheSimpleEconomicsofOpenSource.pdf
Wireless Privacy
Apr. 18
Wireless Privacy
Questions to consider during Reading
Who are the stakeholders in examination of wireless security in the first paper? How does the possibility of mid-stream injection attacks change the set of stakeholders?
Reading
Matthew Hottell and Drew Carter and Matthew Deniszczuk, "Predictors of Home-Based Wireless Security", Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/51.pdf
Steven Myers, Sid Stamm, Practice & Prevention of Home-Router Mid-Stream Injection Attacks, General Members Meeting & eCrime Researchers Summit, Atlanta 14-16 October 2008. See OnCourse.
Transparency & Disclosure
Apr. 20
Disclosure
Questions to consider during Reading
The argument against privacy is that disclosure is a lightweight effective market mechanism. Is this consistent with the arguments for or against mandatory disclosure?
Reading
Mulligan, D. (2007) Information Disclosure as a light-weight regulatory mechanism, Presentation at DIMACS, Workshop on Information Security Economics, Rutgers University. http://dimacs.rutgers.edu/Workshops/InformationSecurity/slides/mulligan.ppt
Mahoney, Paul G.,
Mandatory Disclosure As a Solution to Agency Problems, 62 U. Chi. L. Rev. 1047 (1995), available online at heinonline.org
Apr. 25
Identity and Disclosure
Questions to consider during Reading
The more general cases, above, become more specific here. Do you arguments for or against privacy and event disclosure hold constant here? Is the SpyWare the result you would predict based on your previous argument? Why or why not?
Reading
Sasha Romanosky, Richard Sharp and Alessandro Acquisti, Data Breaches and Identity Theft: When is Mandatory Disclosure Optimal?, The Ninth Workshop on the Economics of Information Security (WEIS 2010), Harvard University, 7-8 June 2010, http://weis2010.econinfosec.org/papers/session1/weis2010_romanosky.pdf
Good, N., Dhamija, R., Grossklags, J., Thaw, D., Aronowitz, S., Mulligan, D., and Konstan., J. Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware Symposium on Usable Privacy and Security (SOUPS), Carnegie Mellon University. http://www.truststc.org/pubs/63.html
Apr. 27
Crime and Punishment
Know Your ISP?
Questions to consider during Reading
How would you know if your ISP protected you or detects bot behavior? Is there any source of information? Could disclosure help? Do the arguments about vulnerabilities and data breaches map to this domain? Why or why not?
Reading
Michel van Eeten, Johannes M. Bauer, Hadi Asghari, Shirin Tabatabaie and Dave Rand, The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data The Ninth Workshop on the Economics of Information Security (WEIS 2010), Harvard University, 7-8 June 2010, http://weis2010.econinfosec.org/papers/session4/weis2010_vaneeten.pdf
Peer Evaluations and Presentations, Mandatory
Questions to consider during Reading
How would you answer the five core questions of the class about this paper? How do topic, question, method and answer fit?
Reading
Each student or set of students will provide a draft paper before the last class period to their peers. Students will present their work, and attend as others present.