I525: Economics of Information Security

L Jean Camp
Lindley 230
Office Hours:
Tuesdays 1-2:45 pm or by appointment

The course will use the tools of economics to better understand computer security. This is not a course in economics research in that no new tools will be discovered and no new ground will be broken in economic theory. The understanding of economics required for this course is modest, and a strong mathematical background with no economics will certainly suffice. There is no textbook. The course will be based on a series of research papers, primarily drawn for the series of Workshops in Economics of Security.

Detailed readings at http://www.ljean.com/classes/13_14/525_readings_13.html

Grading Guidelines

15%		class participation	in class discussions of the readings.
85%		weekly essays	due every Friday, approximately 750 words that summarizes the reading or identifies an open research question that arises from the reading
	Required For Those Earning Doctoral Degree Credit in Security, Optional for Others
15%		class participation	in class discussions of the readings
85%		Final project
	15%	topic and method	In the class we ask five questions. What is the big idea? What is the researchable question? What is the method? Why? What conclusion is expected? In this short assignment you will attempt to begin forming your own work.
	15%	topic selection and abstract	The topic should be selected and the abstract should be drafted by the fourth week of the semester
	15%	bibliography	The bibliography should be roughly complete by the middle of the semester, but of course there will be other material added as the semester progresses. This bibliography will serve as the foundation for your research paper.
	40%	research paper	The research paper is the culmination of the semester.

The purpose of participation is three-fold:

to ensure that the lecture is aligned with the level of understanding of the material for the class;
to assist other students to refine their understanding of the material; and
to illustrate that the material has been read.

Therefore you simply cannot earn an A in this class without participating.

Overview

At its core, this course should improve your decision-making for any organizations requires for its security professionals. In addition to the fundamental language of decision-making, the course will identify the dimensions of organizational and economic behavior that impinge upon the success of organizational technical choices.

The literature on which the course is based addresses human, organizational or social questions about security and privacy behaviors of people, groups, firms or even nations. The fundamental pedagogical approach in this class is that of a research seminar, with after an introductory period the class is based on shared learning. Students are expected to come prepared to answer the basic questions.

For each paper we answer a set of questions in class. First, what is the larger question, in what greater domain of inquiry does this research lie? That is, where in the world of open questions, does this paper fit? Second, what is the identified researchable question? Obviously no paper, monograph, or person can answer the big questions about life, the universe, privacy, and everything. So research is decomposed into smaller elements. Some of these papers are position papers, arguing that questions should be broken down in a particular manner. Third, what is the method of the paper? Essentially this is a definition of the method the authors have chosen to answer the researchable question and may be experimental, modeling, simulation, and often combinations of different methods. Fourth, how does this method (or methodology) address and fail to address both the larger question and the immediate issue at hand? Fifth, what are the findings of the papers? Finally, with those five questions answered, we respectfully argue about the implications of those findings. Concurrence with class perspective is not a requirement!

Security is more than technical. Framing computer security questions is a core issue in this course. The language of computer security suggests the range of analogies. A virus is a medical problem, while an invasive worm brings to mind the problems of ecosystems. Computer crime and intrusion detection argue that the problem is one of criminal behavior. Firewalls suggest that the network itself is a hostile force, one that must be segregated into the conflagration beyond and the safety within. The construction of demilitarized zones (DMZs) between trusty local area networks and the wider network beyond argues that it is war, not flames, on the network. Yet for all that is involved in computer security, and all that is lost, there is a single potential measure: dollars.

Economics of information security is not an exercise in analogy. It is the application of the tools of economics to computer security. The class has a set of basic topics, and each topic will be explored and examined according to the interest of the students.

Students with successful, accepted submissions to these conferences will receive an A, even if this requires a change from my initial grade. If you complete the paper and believe your grade is incorrect, then polish the work and submit it to one of these domains. You will receive both an improved grade and, if you like, even an apology.

NSA Best Paper: honorable mention rates an A http://www.ieee-security.org/Calendar/cfps/cfp-NSABestPaper2013.html
The 5th International Conference on Emerging Ubiquitous Systems and Pervasive Networks may be a fit. http://www.wikicfp.com/cfp/servlet/event.showcfp?eventid=35265©ownerid=59938
USENIX Security is extremely competitive, and I recommend submitting instead to associated workshops, often with May deadlines. https://www.usenix.org/conference/usenixsecurity14

Goals

Immediate Educational Goals

Basic economic vocabulary
Understand security and privacy as rational, competitive economic phenomena
Understand security and privacy behavioral, human economic phenomena
Be able to critique a research paper, with a particular emphasis of scope of conclusions

Larger, Long term Goals within the Curriculum

A well defined bridge between concentrations in the economics and social sciences with security informatics
A minimal exposure to interdisciplinary approaches to security
The ability to effectively summarize and communicate interdisciplinary research

Topics and Sessions

Introductory Examples

The first two weeks of the class will cover some fundamental examples, very early works in economics of security. These are chosen to bring the topics of both computer security and economics together for students who lack familiarity in either.

Rational Microeconomics

The vocabulary and mental model of rational economics. Why should items be sold at marginal cost? When there are two lemonade stands on the beach, why are they right next to each other? Concepts of utility and optimization are introduced, as are lemons markets.

Behavioral Economics

Economics in computer security focuses to no small degree on behavior. Individuals do not act as self-optimizing rational beings. The limits of the applicability of the model of homo economicus will be used to discuss both decision-making by firms in network security and individuals with respect to privacy. Concepts of risk aversion and risk perception will be introduced. By beginning with the framework of behavioral economics, it may be easier to understand the framework that underlies rational economics.

Economic of Vulnerabilities

Among the most carefully explored issues in security economics is the disclosure of vulnerabilities. Should there be a market for disclosure? How might the market fail the public interest or common good? What form of market is optimal?

Macroeconomics of Crime

Why are Nigeria email scams Nigerian? How does ecrime vary across crime types? How is the industry organized?

Economics of Privacy

Privacy, identity and security are all tightly intertwined. Privacy, like security, is the control of information. Identification for security purposes often requires decreases in privacy. Yet mandatory disclosure of information weaken security and privacy. This section considers privacy in its own right, as well as interactions with identification.

Spam

Spam is an economic problem with technical symptoms. How charging for spam is possible in the technical sense, and why it won't work in the real world.

Trust in Social Networks

One domain where the interaction of security and privacy behaviors are of particular importance is in the power of social networks. Social networks can be used to enhance security or undermine it. One day the readings will focus on the value of social networks and information sharing to empower individuals as opposed to stakeholders with perverse incentives. The second day will address the risks of social networking.

Bitcoin

What is Bitcoin, how does it work? What are the arguments for and against Bitcoin? How is it used?

DRM

DRM research has been as conclusive as the market itself for mass-produced consumer content: purposefully breaking your content is not a market advantage. However, the applications in code, and embedded devices are not as clear.

Wireless Security

Wireless security was initially seen as not a topic of particular interest in economics of security because it initially appeared that this is a domain where the risks are born by the decision-maker: the homeowner. However, research at Indiana University has shown that this is not always the case. (Note that repeating this experiment is a clear option for those who would like a well-defined project with an early start.)

Final Presentations and Topics

For those students obtaining doctoral credit, there is a required presentation. All students are required to attend and complete an evaluation.

Policies

These policies are in addition to and not a substitute for University Academic Conduct policies.

Quizzes are on OnCourse and have a deadline. That deadline is firm. Please do keep up with the coursework.

Of course, links change. If there is a link change between now and when the assignment is due, I have provided adequate information to locate a copy. If you notice a link that is no longer working, please let me know.

Video and audio recording of the course is not allowed. The class time is focused on discussion. I expect the class participants, as graduate students, to be able to answer the questions and engage fully in classroom exercises. This means that there will be moments of disagreement, and even intellectual struggle or conflict. Experience indicates and research does not contradict the assertion that recording will only not help but will hinder discussion and education. A violation of this class policy will be treated as a violation of academic integrity.