Readings

Back to prospectus, at http://www.ljean.com/classes/13_14/525_Prospectus_13.html
 

The first two weeks of the class will cover some fundamental examples, very early works in economics of security. These are chosen to bring the topics of both computer security and economics together for students who lack familiarity in either.
 
In the initial class meeting we step through the syllabus. I answer any grading queries. I describe assignments, standards and options. For the first week you have two very light assignments: a quiz and your first essay. For the quiz, I ask that you write down what particularly interest you in the topic. Are you more interested in the methods or the findings? Is your heart in HCI or are you the soul of business? What level of mathematical discussion is appropriate for the course? The lectures will be designed to serve the needs of the students, and based on your answers the syllabus may also change. More about crime? Voting?

What would be your ideal outcome for this course? What do you hope to learn? What topic is missing, is too lightly covered, or is too heavily considered in the following readings? How does the value of email change your perspective on pricing security? Syllabus provided in class. A short article on monetization of email for discussion is here: http://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/

ÊSecurity is not a single market. Please consider three possible examples where Varian's model holds in each. For example, in the internal market within a firm, what kind of model would be appropriate for patching individual machines?
 
Hal Varian, System Reliability and Free Riding, eds. N. Sadeh, Proceedings of the ICEC 2003, 2003, 355-366, ACM Press, New York, NY, http://people.ischool.berkeley.edu/~hal/Papers/2004/reliability
 
Rick Wash and Jeff Mackie-Mason Incentive-Centered Design for Information Security, DIMACS Workshop on Information Security Economics January 18 - 19, 2007 DIMACS Center, Rutgers, NJ. http://dimacs.rutgers.edu/Workshops/InformationSecurity/abstracts.html#wash" Ê

 

These papers will introduce the basic idea of security as a good. One argues that security is a public good, the other that insecurity has externalities. Most of the vocabulary will be defined in this session.
 
Anderson, Ross. Why information security is hard-an economic perspective. Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual. IEEE, 2001. www.acsac.org/2001/papers/110.pdf‎
 
Vaibhav Garg, Sameer Patil , Apu Kapadia, and L Jean Camp, Peer-produced Privacy Protection: A Common-pool Approach, The IEEE International Symposium on Technology and Society (ISTAS) (Toronto, ON) 27-29 July 2013. http://www.ljean.com/files/CommonPools.pdf

 

Ross Anderson, Chris Barton, Rainer Boehme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, Stefan Savage, Measuring the Cost of Cybercrime weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf Chris Hall(Highwayman Associates), Ross Anderson(University of Cambridge), Richard Clayton(University of Cambridge), Evangelos Ouzounis(European Network and Information Security Agency), and Panagiotis
 
Trimintzios (European Network and Information Security Agency): Resilience of the Internet Interconnection Ecosystem, The Tenth Workshop on the Economics of Information Security (WEIS 2011), George Mason University, USA 14-15 June 2011 http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/inter-x/interx/report
 

The vocabulary and mental model of rational economics. Why should items be sold at marginal cost? When there are two lemonade stands on the beach, why are they right next to each other? Basic economic concepts are introduced. Examples of rational economic models are applied to vulnerability disclosure.

 

Pratt and Zeckhauser, Principals and Agents: An Overview, Chapter 1, in Principals and Agents, pp. 1-35. OnCourse in Resources.
 
Arrow, The Economics of Agency, Chapter 2, in Principals and Agents, pp. 37-51. http://classwebs.spea.indiana.edu/kenricha/Oxford/Archives/Courses%202010/Governance%202010/Articles/Arrow.pdf
 
For the papers on vulnerabilities consider the chracteristics of the systems and cost/benefit payoff. How can these be compared with home electronics? Routers? Cars? Medical devices?
 
Rahul Telang, and Sunil Wattal, Impact of Software Vulnerability Announcements on the Market Value of Software Vendors -- an Empirical Investigation, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/telang_wattal.pdf
 
Sam Ransbotham, Sabyasachi Mitra, The Impact of Immediate Disclosure on Attack Diffusion and Volume, WEIS 2011, http://weis2011.econinfosec.org/papers/TheImpactofImmediateDisclosureonAttackDiffusionand.pdf
 
Jay Pil Choi, Chaim Fershtman, Neil Gandal Network Security: Vulnerabilities and Disclosure Policy, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.papers.ssrn.com/sol3/papers.cfm?abstract_id=1133779
 
Ashish Arora and Christopher M. Forman and Anand Nandkumar and Rahul Telang, Competitive and Strategic Effects in the Timing of Patch Release, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/35.pdf
 
Privacy, identity and security are all tightly intertwined. Privacy, like security, is the control of information. Identification for security purposes often requires decreases in privacy. This section considers privacy in its own right, as well as interactions with identification.
 
Odlyzko, Privacy and Price Discrimination CH 15, pp 187-21 www.dtc.umn.edu/~odlyzko/doc/privacy.economics.pdf
 
Hal Varian and Fredrik Wallenberg and Glenn Woroch, Who Signed Up for the Do-Not-Call List?, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/varian.pdf
 
Ramnath K. Chellappa, Shivendu Shivendu, Incentive Design for Free but No Free Disposal Services: The Case of Personalization under Privacy Concerns, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007 http://weis07.infosecon.net/papers/48.pdf
 
Rainer Bohme and Sven Koble, On the Viability of Privacy-Enhancing Technologies in a Self-Regulated Business-to-Consumer Market: Will Privacy Remain a Luxury Good?, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/30.pdf
 
Economics in computer security focuses to no small degree on behavior. Individuals do not act as self-optimizing rational beings. The limits of the applicability of the model of homo economicus will be used to discuss both decision-making by firms in network security and individuals with respect to privacy. Concepts of risk aversion and risk perception will be introduced. By beginning with the framework of behavioral economics, it may be easier to understand the framework that underlies rational economics. Behavioral economics is then applied to privacy.
 
West, Ryan. "The psychology of security." Communications of the ACM 51.4 (2008): 34-40. http://delta.cs.cinvestav.mx/~francisco/ssi/p34-west.pdf
 
V. Garg, and L. Jean Camp, Heuristics and Biases: Implications for Security Design, IEEE Technology & Society, Mar. 2013. http://www.ljean.com/files/Biases.pdf
 
Zeckhauser, Richard, "Behavioral versus Rational Economics," in Rational Choice: The Contrast between Economics and Psychology, Robin M. Hogarth and Melvin W. Reder, eds., Chicago: University of Chicago Press, 1986, pp. 251-265
 
D. Kahneman, Paul Slovic & Amos Tversky (1982) Judgment Under Uncertainty: Heuristics and Biases (Cambridge University Press). (excerpt)
 
Good, N., Dhamija, R., Grossklags, J., Thaw, D., Aronowitz, S., Mulligan, D., and Konstan., J. Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware Symposium on Usable Privacy and Security (SOUPS), Carnegie Mellon University. http://www.truststc.org/pubs/63.html
 
Bernhard Debatin, Jennette P. Lovejoy, Ann-Kathrin Horn, Brittany N. Hughes, Facebook and Online Privacy: Attitudes, Behaviors, and Unintended Consequences Journal of Computer-Mediated Communication 15 (2009) 83Ð108 © 2009 International Communication Association http://onlinelibrary.wiley.com/doi/10.1111/j.1083-6101.2009.01494.x/full
 
Prelec and Loewenstein, "The Red and the Black: Mental Accounting of Savings and Debt," Marketing Science, vol. 17, no. 1, pp. 4-28.
 
Bernardo A. Huberman and Eytan Adar and Leslie R. Fine, Valuating Privacy, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/7.pdf.
 
Luc Wathieu and Allan Friedman, An empirical approach to the valuing privacy valuation, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/WathFried_WEIS05.pdf
 
Jens Grossklags, Alessandro Acquisti, When 25 Cents is too much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008. weis2007.econinfosec.org/papers/66.pdf
 
Why are Nigeria email scams Nigerian? How does ecrime vary across crime types? How is the industry organized? How are people targeted?
 
Cormac Herley, Why do Nigerian Scammers Say They are from Nigeria?Ó, http://research.microsoft.com/pubs/167719/whyfromnigeria.pdf
 
L Jean Camp, Reliable, Usable Signaling to Defeat Masquerade Attacks, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK http://weis2006.econinfosec.org/docs/48.pdf
 
Damon McCoy, Andreas Pitsillidis, Grant Jordan, Nicholas Weaver, Christian Kreibich, Brian Krebs, Geoffrey M. Voelker, Stefan Savage, and Kirill Levchenko, PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs, Proceedings of the USENIX Security Symposium, Bellevue, WA, August 2012. http://cseweb.ucsd.edu/~savage/papers/UsenixSec12.pdf
 

 
Vaibhav Garg, Nathaniel Husted, & L. Jean Camp. Organized Digital Crime: Smuggling Theory Approach. E-Crime ResearcherÕs Summit, San Diego, CA, November 8-9, 2011.Ê
 
Michel van Eeten, Johannes M. Bauer, Hadi Asghari, Shirin Tabatabaie and Dave Rand, The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data The Ninth Workshop on the Economics of Information Security (WEIS 2010), Harvard University, 7-8 June 2010, http://weis2010.econinfosec.org/papers/session4/weis2010_vaneeten.pdf
 
Spam is an economic problem with technical symptoms. How is charging for spam possible in the technical sense? Why might it work in the real world?
 
Il-Horn Hann, Kai-Lung Hui, Yee-Lin Lai, and S.Y.T. Lee and I.P.L. Png Who Gets Spammed?, Communications of the ACM, Vol. 49, No. 10, October 2006, 83-87,http://www.comp.nus.edu.sg/~ipng/research/spam_CACM.pdf
 
Zhenhai Duan , Kartik Gopalan, Xin Yuan An empirical study of behavioral characteristics of spammers: Findings and implications Computer Communications Vol. 34, Iss. 14, September 1 2011, 1764-1776, http://www.cs.fsu.edu/~duan/publications/icc2007.pdf
 
David S. Anderson, Chris Fleizach, Stefan Savage and Geoffrey M. Voelker, Spamalytics: An Empirical Analysis of Spam Marketing Conversion, Communications of the ACM, Vol. 52 No. 9, Pages 99-107 http://cacm.acm.org/magazines/2009/9/38908-spamalytics-an-empirical-analysis-of-spam-marketing-conversion/abstract
 
Christian Kreibich, Chris Kanich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, and Stefan Savage, Spamcraft: An Inside Look at Spam Campaign Orchestration. Proceedings of the USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET), Boston, MA, April 2009, pages 4:1Ð4:9. https://www.usenix.org/legacy/event/leet09/tech/full_papers/kreibich/kreibich.pdf
 
C. Dwork and M. Naor, Pricing via Processing or Combating Junk Mail, 1992. In E. F. Brick (Ed.): Advances in Cryptology-CRYPTO 1992, Springer-Verlag, pp. 139-147.http://web.cs.dal.ca/~abrodsky/7301/readings/DwNa93.pdf
 
Debin Liu and L. Jean Camp, Proof of Work Can Work, WEIS 2006 (Cambridge, UK) 26-28 June 2006.http://weis2006.econinfosec.org/docs/50.pdf
 
One domain where the interaction of security and privacy behaviors are of particular importance is in the power of social networks. Social networks can be used to enhance security or undermine it. One day the readings will focus on the value of social networks and information sharing to empower individuals as opposed to stakeholders with perverse incentives. The second day will address the risks of social networking.
 
We will go over the payment chain in a credit card payment in class. Sasse, M. A., Kirlappos, I. (2012). Familiarity breeds con-victims: Why we need more effective trust signaling. Springer-Verlag New York Inc.http://link.springer.com/chapter/10.1007%2F978-3-642-22200-9_2
 
Huseyin Cavusoglu, Tuan Phan, Hasan Cavusoglu , Privacy Controls and Information Disclosure Behavior of Online Social Network Users, WEIS 2013 Georgetown University, Washington, D.C. June 11-12, 2013 weis2013.econinfosec.org/papers/CavusogluWEIS2013.pdf
 
Catherine Tucker , Social Networks, Personalized Advertising, and Privacy Controls, http://weis2011.econinfosec.org/papers/Social%20Networks,%20Personalized%20Advertising,%20and%20Privacy%20Cont.pdf
 
Lerner, Josh & Triole, Jean 2000 - 03 The Simple Economics of Open Source http://opensource.mit.edu/papers/JoshLernerandJeanTriole-TheSimpleEconomicsofOpenSource.pdf
 
David Modic , Ross J. Anderson Reading this May Harm Your Computer: The Psychology of Malware Warnings, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2374379
 
Nevena Vratonjic, Julien Freudiger, Vincent Bindschaedler, and Jean-Pierre Hubaux (all EPFL, Switzerland), The Inconvenient Truth about Web Certificates, The Tenth Workshop on the Economics of Information Security (WEIS 2011), GMU, 14-15 June 2011, http://infoscience.epfl.ch/record/165676/files/WEIS11-Vratonjic.pdf
 
Benjamin Edelman, Adverse Selection in Online 'Trust' Certifications, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, http://weis2006.econinfosec.org/docs/10.pdf
 
Wireless security was initially seen as not a topic of particular interest in economics of security because it initially appeared that this is a domain where the risks are born by the decision-maker: the homeowner. However, research at Indiana University has shown that this is not always the case. (Note that repeating this experiment is a clear option for those who would like a well-defined project with an early start.)
 
Sandvig, C. & Shah, R. (2005). Defaults as De Facto Regulation: The Case of Wireless Access Points. Paper presented at the 33rd Telecommunications Policy Research Conference (TPRC) on Communication, Information, and Internet Policy, Arlington, VA http://papers.ssrn.com/sol3/papers.cfm?abstract_id=964950"
 
Matthew Hottell and Drew Carter and Matthew Deniszczuk, Predictors of Home-Based Wireless Security, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/51.pdf
 
Richard Mortier and Tom Rodden and Peter Tolmie and Tom Lodge and Robert Spencer and Andy Crabtree and Joe Sventek and Alexandros Koliousis, Homework: putting interaction into the infrastructure, UIST, pp. 197-206, ACM, 2012.http://dl.acm.org/citation.cfm?id=2380143&dl=ACM&camp;oll=DL&CFID=398994419
 
Dallas Wood and Brent Rowe (both RTI International): Assessing Home Internet Users' Demand for Security: Will They Pay ISPs?, The Tenth Workshop on the Economics of Information Security (WEIS 2011), George Mason University, 14-15 June 2011 http://weis2011.econinfosec.org/papers/Assessing%20Home%20Internet%20Users%20Demand%20for%20Security%20-%20Will%20T.pdf
 

Bitcoin

What is Bitcoin, how does it work? What are the arguments for and against Bitcoin? How is it used?
 

Apr. 28 Bitcoin by Design

Nakamoto, Satoshi (24 May 2009). Bitcoin: A Peer-to-Peer Electronic Cash System. Retrieved 14 December 2010, http://bitcoin.org/bitcoin.pdf http://bitcoin.org/bitcoin.pdf
 

Apr. 30 Bitcoin in Practice

Danny Yuxing Huang, Hitesh Dharmdasaniy, Sarah Meiklejohn, Vacha Dave, Chris Grier, Damon McCoyy, Stefan Savage, Nicholas Weaver, Alex C. Snoeren and Kirill Levchenko, Botcoin: Monetizing Stolen Cycles http://cseweb.ucsd.edu/~snoeren/papers/botcoin-ndss14.pdf
 
E Androulaki, G Karame, M Roeschlin, Evaluating User Privacy in Bitcoin, IACR Cryptology http://book.itep.ru/depository/bitcoin/User_privacy_in_bitcoin.pdf"
 

Final Presentations and Topics

 
For those students obtaining doctoral credit, there is a required presentation. All students are required to attend and complete an evaluation.