I525: Economics of Information Security
L Jean Camp
Scheduled for Spring 2011
Detailed Listing of Readings
901 E 10th St. Room 200
Mondays 9:00-11 am
Fridays 9:30-11:30 am
The course will use the tools of economics to better understand
computer security. This is not a course in economics research in that
no new tools will be discovered and no new ground will be broken in
economic theory. The understanding of economics required for this
course is modest, and a strong mathematical background with no
economics will certainly suffice. There is no textbook. The course will
be based on a series of research papers, primarily drawn from the series
of Workshops on Economics of Information Security.
The basic issue we will explore is how to answer human, organizational or social questions about security and privacy behaviors of people, groups, firms or even nations. The fundamental pedagogical approach in this class is that of a research seminar: after an introductory period, the class is based on shared learning. Students are expected to come prepared to answer the basic questions. For each paper we answer a set of questions in class. First, what is the big cosmic question? That is, where in the world of open questions does this paper fit? Second, what is the smaller question? Obviously no paper, monograph, or person can answer the big questions about life, the universe, privacy, and everything. So questions are broken down into smaller elements. Some of these papers are position papers, and argue that questions should be broken down in a particular manner. Third, what is the method of the paper? Essentially this is a definition of the method the authors have chosen to answer the small question; it may be an experimental approach, mathematical modeling, simulation, or often a combination of different methods. Fourth, how does this method (or methodology) match and fail to match both the larger question and the immediate issue at hand? Clearly these last two apply less to position papers and course sessions where the topic is tutorial. Fifth, what are the findings of the papers? Finally, with those five questions answered, we respectfully argue about the implications of those findings. Concurrence with class opinion is not a requirement!
- class participation: in class discussions of the readings.
- due every Friday, approximately 750 words that summarizes the reading or identifies an open research question that arises from the

Required For Those Earning Doctoral Degree Credit in Security, Optional for Others

- class participation: in class discussions of the readings
- topic selection and abstract: The topic should be selected and the abstract should be drafted by the fourth week of the semester
- The bibliography should be roughly complete by the middle of the semester, but of course there will be other material added as the semester progresses. This bibliography will serve as the foundation for your research paper.
- In the class we ask five questions. What is the big idea? What is the researchable question? What is the method? Why? What conclusion is expected?
- The research paper is the culmination of the semester.
The language of computer security
suggests the range of analogies. A virus is a medical problem, while an
invasive worm brings to mind the problems of ecosystems. Computer crime
and intrusion detection argue that the problem is one of criminal
behavior. Firewalls suggest that the network itself is a hostile force,
that must be segregated into the conflagration beyond and the safety
within. The construction of demilitarized zones (DMZs) between trusty
local area networks and the wider network beyond argues that it is war,
not flames, on the network. Yet for all that is involved in computer
security, and all that is lost, there is a single potential measure:
Economics of information security is not an exercise in analogy. It is
the application of the tools of economics to computer security. The
class has a set of basic topics, and each topic will be explored and
examined according to the interest of the students.
Students with successful, accepted submissions to these conferences will receive an
A, even if this requires a change from my initial grade.
- WEIS is the flagship venue for this interdiscipline, and has a submission date of 2/28.
- ACM CCS has a submission date in April. This is a flagship conference for all of the security domain.
- IEEE Security and Privacy Magazine, Special Issue on Living with Insecurity, may be a very good fit with projects in this course. The issue is for November/December 2011, with submissions due 23 February 2011.
- PETS, the 11th Privacy Enhancing Technologies Symposium, Waterloo, ON, Canada, July 27-29, 2011 (submissions due 28 February 2011), is extremely competitive but also an excellent venue.
- If you choose to continue working and successfully submit at another previously-approved event, I will change your grade.
Topics and Sessions
The first weeks of the class will cover some fundamental examples, very early works in economics of security. These are chosen to bring the topics of both computer security and economics together for students who lack familiarity in either. This year we have a unique opportunity to turn our essays into commentary that may inform the public debate, while also learning about non-technical, political conceptions of privacy.
Privacy and Security in the Political Realm
Cybersecurity is a highly contested domain in the public sphere. Is it military or economic? Is it crime or terror? Happily for the purposes of this course, there is an open comment period on a document on data security, which is the common focus on economics of security issues.
Economics in computer security focuses to no small degree on behavior. Individuals do not act as self-optimizing rational beings. The limits of the applicability of the model of homo economicus will be used to discuss both decision-making by firms in network security and individuals with respect to privacy. Concepts of risk aversion and risk perception will be introduced. By beginning with the framework of behavioral economics, it may be easier to understand the framework that underlies rational economics.
The vocabulary and mental model of rational
economics. Why should items be sold at marginal cost? When there are
two lemonade stands on the beach, why are they right next to each
other? Concepts of utility and
optimization are introduced, as are lemons markets.
Economics of Vulnerabilities
Among the most carefully explored issues in security economics is the
disclosure of vulnerabilities. Should there be a market for disclosure? How might the market fail the public interest or common good? What form of market is optimal?
Economics of Privacy
Privacy, identity and security are all tightly intertwined. Privacy, like security, is the control of information. Identification for security purposes often requires decreases in privacy. Yet mandatory disclosure of information weakens security and privacy. This section considers privacy in its own right, as well as interactions with identification.
Spam is an economic problem with technical symptoms. How
charging for spam is possible in the technical sense, and why it won't
work in the real world.
Trust in Social Networks
One domain where the interaction of security and privacy behaviors is of particular importance is the power of social networks. Social networks can be used to enhance security or undermine it. One day the readings will focus on the value of social networks and information sharing to empower individuals as opposed to stakeholders with perverse incentives. The second day will address the risks of social networking.
A brief update on an area which is ripe for investigation using the tools of modeling: health information online.
DRM research has been as conclusive as the market itself for mass-produced consumer content: purposefully breaking your content is not a market advantage. However, the applications in code and embedded devices are not as clear. Will Android vs. Apple end like Microsoft vs. Apple, or will Android be the Betamax of telephony? Can economics predict the outcome?
Wireless security was initially seen as not a topic of particular interest in economics of security because it initially appeared that this is a domain where the risks are borne by the decision-maker: the homeowner. However, research at Indiana University has shown that this is not always the case. (Note that repeating this experiment is a clear option for those who would like a well-defined project with an early start.)
Transparency enables pricing for consumers. Is more information always good? Three domains are the subject of three days in the course: data breaches, botnet responses, and spyware.
Final Presentations and Topics
For those students obtaining doctoral credit, there is a required presentation. All students are required to attend and complete an evaluation.