Readings

The first two weeks of the class will cover some fundamental examples, very early works in economics of security. These are chosen to bring the topics of both computer security and economics together for students who lack familiarity in either. In the initial class meeting we step through the syllabus. I answer any grading queries. I describe assignments, standards and options. For the first week you have two very light assignments: a quiz and your first essay. For the quiz, I ask that you write down what particularly interest you in the topic. Are you more interested in the methods or the findings? Is your heart in HCI or are you the soul of business? What level of mathematical discussion is appropriate for the course? The lectures will be designed to serve the needs of the students, and based on your answers the syllabus may also change. More about crime? Voting?

What would be your ideal outcome for this course? What do you hope to learn? What topic is missing, is too lightly covered, or is too heavily considered in the following readings? How does the value of email change your perspective on pricing security? Syllabus provided in class. A short article on monetizing of email for discussion is here: http://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/

This book chapter will introduce the basic argument for security as economic. Most of the vocabulary will be defined in this session. The same book is usually used in the core security course, but that chapter will be addressed here.
 
Ross Anderson. Ch. 7 Economics, Security Engineering, The Book. http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c07.pdf

 

Security is not a single kind of good, and design can change the type of good. Please consider three possible examples where Karin's model holds in each. For example, in the internal market within a firm, what kind of model would be appropriate for patching individual machines? Similarly, how might these markets be changed by design?
 
Hal Varian, System Reliability and Free Riding, eds. N. Sadden, Proceedings of the ICEC 2003, 2003, 355-366, ACM Press, New York, NY, http://people.ischool.berkeley.edu/~hal/Papers/2004/reliability
 

C. Dower and M. Na-or, Pricing via Processing or Combating Junk Mail, 1992. In E. F. Brick (Ed.): Advances in Cryptology-CRYPTO 1992, Springer-Verlag, pp. 139-147.http://web.cs.dal.ca/~abrodsky/7301/readings/DwNa93.pdf

Ben Laurie and Richard Clayton, Proof-of-Work Proves Not to Work, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/clayton.pdf

Debin Liu and L. Jean Camp, Proof of Work Can Work, WEIS 2006 (Cambridge, UK) 26-28 June 2006.http://weis2006.econinfosec.org/docs/50.pdf

Security products are useless without something to protect. Security is only even

Michael L. Katz, and Carl Shapiro. "Systems competition and network effects." The Journal of Economic Perspectives (1994): 93-115. http://brousseau.info/pdf/cours/Katz-Shapiro%5B1994%5D.pdf

The vocabulary and models of rational economics. Why should items be sold at marginal cost? When there are two lemonade stands on the beach, why are they right next to each other? Basic economic concepts are introduced. Examples of rational economic models are applied to vulnerability disclosure.

 
For the papers on vulnerabilities consider the characteristics of the systems and cost/benefit payoff. How can these be compared with home electronics? Routers? Cars? Medical devices?
 
Rahul Telang, and Sunil Wattal, Impact of Software Vulnerability Announcements on the Market Value of Software Vendors -- an Empirical Investigation, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/telang_wattal.pdf
 
Sam Ransbotham, Sabyasachi Mitra, The Impact of Immediate Disclosure on Attack Diffusion and Volume, WEIS 2011, http://weis2011.econinfosec.org/papers/TheImpactofImmediateDisclosureonAttackDiffusionand.pdf
 

 
Jay Pil Choi, Chaim Fershtman, Neil Gandal Network Security: Vulnerabilities and Disclosure Policy, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008.papers.ssrn.com/sol3/papers.cfm?abstract_id=1133779
 
Ashish Arora and Christopher M. Forman and Anand Nandkumar and Rahul Telang, Competitive and Strategic Effects in the Timing of Patch Release, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, available online, at http://weis2006.econinfosec.org/docs/35.pdf
 
Privacy, identity and security are all tightly intertwined. Privacy, like security, is the control of information. Identification for security purposes often requires decreases in privacy. This section considers privacy in its own right, as well as interactions with identification.
 
Odlyzko, Privacy and Price Discrimination CH 15, pp 187-21 www.dtc.umn.edu/~odlyzko/doc/privacy.economics.pdf
 
Hal Varian and Fredrik Wallenberg and Glenn Woroch, Who Signed Up for the Do-Not-Call List?, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/varian.pdf
 
Ramnath K. Chellappa, Shivendu Shivendu, Incentive Design for Free but No Free Disposal Services: The Case of Personalization under Privacy Concerns, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007 http://weis07.infosecon.net/papers/48.pdf
 
Rainer Bohme and Sven Koble, On the Viability of Privacy-Enhancing Technologies in a Self-Regulated Business-to-Consumer Market: Will Privacy Remain a Luxury Good?, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2007. http://weis07.infosecon.net/papers/30.pdf
 
Economics in computer security focuses to no small degree on behavior. Individuals do not act as self-optimizing rational beings. The limits of the applicability of the model of homo economicus will be used to discuss both decision-making by firms in network security and individuals with respect to privacy. Concepts of risk aversion and risk perception will be introduced. By beginning with the framework of behavioral economics, it may be easier to understand the framework that underlies rational economics. Behavioral economics is then applied to privacy.
 
Zeckhauser, Richard, "Behavioral versus Rational Economics," in Rational Choice: The Contrast between Economics and Psychology, Robin M. Hogarth and Melvin W. Reder, eds., Chicago: University of Chicago Press, 1986, pp. 251-265
 
D. Kahneman, Paul Slovic & Amos Tversky (1982) Judgment Under Uncertainty: Heuristics and Biases (Cambridge University Press). (excerpt)
 
An alternative for those scheduled to take fall break is an equivalent online presentation: http://research.microsoft.com/apps/video/default.aspx?id=158037
 
Good, N., Dhamija, R., Grossklags, J., Thaw, D., Aronowitz, S., Mulligan, D., and Konstan., J. Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware Symposium on Usable Privacy and Security (SOUPS), Carnegie Mellon University. http://www.truststc.org/pubs/63.html
 
Bernhard Debatin, Jennette P. Lovejoy, Ann-Kathrin Horn, Brittany N. Hughes, Facebook and Online Privacy: Attitudes, Behaviors, and Unintended Consequences Journal of Computer-Mediated Communication 15 (2009) 83 - 108. http://onlinelibrary.wiley.com/doi/10.1111/j.1083-6101.2009.01494.x/full
 
West, Ryan. "The psychology of security." Communications of the ACM 51.4 (2008): 34-40. http://delta.cs.cinvestav.mx/~francisco/ssi/p34-west.pdf
 
V. Garg, and L. Jean Camp, Heuristics and Biases: Implications for Security Design, IEEE Technology & Society, Mar. 2013. http://www.ljean.com/files/Biases.pdf
 
Prelec and Loewenstein, "The Red and the Black: Mental Accounting of Savings and Debt," Marketing Science, vol. 17, no. 1, pp. 4-28.
 
Bernardo A. Huberman and Eytan Adar and Leslie R. Fine, Valuating Privacy, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/7.pdf.
 
Luc Wathieu and Allan Friedman, An empirical approach to the valuing privacy valuation, Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, available online, at http://infosecon.net/workshop/pdf/WathFried_WEIS05.pdf
 
Jens Grossklags, Alessandro Acquisti, When 25 Cents is too much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information, WEIS 2007 - Sixth Workshop on Economics of Information Security, Pittsburgh PA, 7-8 June 2008. weis2007.econinfosec.org/papers/66.pdf
 
Why are Nigeria email scams Nigerian? How does ecrime vary across crime types? How is the industry organized? How are people targeted?
 

Vaibhav Garg, Nathaniel Husted, & L. Jean Camp. Organized Digital Crime: Smuggling Theory Approach. E-Crime Researcher’s Summit, San Diego, CA, November 8-9, 2011. 

 
Michel van Eeten, Johannes M. Bauer, Hadi Asghari, Shirin Tabatabaie and Dave Rand, The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data The Ninth Workshop on the Economics of Information Security (WEIS 2010), Harvard University, 7-8 June 2010, http://weis2010.econinfosec.org/papers/session4/weis2010_vaneeten.pdf
 
Lastdrager, Elmer EH. Achieving a Consensual Definition of Phishing Based on a Systematic Review of the Literature Crime Science 3 (2014): 16.http://doc.utwente.nl/91167/
 
Moore, Tyler. Phishing and the economics of e-crime Infosecurity 4.6 (2007): 34-37.http://www.sciencedirect.com/science/article/pii/S1754454807701481
 
Spam is an economic problem with technical symptoms. How is charging for spam possible in the technical sense? Why might it work in the real world?
 
Il-Horn Hann, Kai-Lung Hui, Yee-Lin Lai, and S.Y.T. Lee and I.P.L. Png Who Gets Spammed?, Communications of the ACM, Vol. 49, No. 10, October 2006, 83-87,http://www.comp.nus.edu.sg/~ipng/research/spam_CACM.pdf
 
Zhenhai Duan , Kartik Gopalan, Xin Yuan An empirical study of behavioral characteristics of spammers: Findings and implications Computer Communications Vol. 34, Iss. 14, September 1 2011, 1764-1776, http://www.cs.fsu.edu/~duan/publications/icc2007.pdf
 
David S. Anderson, Chris Fleizach, Stefan Savage and Geoffrey M. Voelker, Spamalytics: An Empirical Analysis of Spam Marketing Conversion, Communications of the ACM, Vol. 52 No. 9, Pages 99-107 http://cacm.acm.org/magazines/2009/9/38908-spamalytics-an-empirical-analysis-of-spam-marketing-conversion/abstract
 
Christian Kreibich, Chris Kanich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, and Stefan Savage, Spamcraft: An Inside Look at Spam Campaign Orchestration. Proceedings of the USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET), Boston, MA, April 2009, pages 4:1 - 4:9. https://www.usenix.org/legacy/event/leet09/tech/full_papers/kreibich/kreibich.pdf
 
One domain where the interaction of security and privacy behaviors are of particular importance is in the power of social networks. Social networks can be used to enhance security or undermine it. One day the readings will focus on the value of social networks and information sharing to empower individuals as opposed to stakeholders with perverse incentives. The second day will address the risks of social networking.
 

We will go over the payment chain in a credit card payment in class. Sasse, M. A., Kirlappos, I. (2012). Familiarity breeds con-victims: Why we need more effective trust signaling. Springer-Verlag New York Inc.http://link.springer.com/chapter/10.1007%2F978-3-642-22200-9_2

Cormac Herley, Why do Nigerian Scammers Say They are from Nigeria?”, http://research.microsoft.com/pubs/167719/whyfromnigeria.pdf

Chia, Pern Hui, Yusuke Yamamoto, and N. Asokan. "Is this app safe?: a large scale study on application permissions and risk signals." Proceedings of the 21st international conference on World Wide Web. ACM, 2012. http://www.academia.edu/download/30629969/www2012.pdf

Benton, Kevin, L. Jean Camp, and Vaibhav Garg. "Studying the effectiveness of android application permissions requests." Pervasive Computing and Communications Workshops (PERCOM Workshops), 2013 IEEE International Conference on. IEEE, 2013. http://www.ljean.com/files/AndriodEyeballs.pdf

Background: Felt, Adrienne Porter, et al. Android permissions demystified. Proceedings of the 18th ACM conference on Computer and communications security. ACM, 2011.http://fanfq-android-demo.googlecode.com/svn-history/r168/trunk/doc/android_permissions.pdf

Huseyin Cavusoglu, Tuan Phan, Hasan Cavusoglu , Privacy Controls and Information Disclosure Behavior of Online Social Network Users, WEIS 2013 Georgetown University, Washington, D.C. June 11-12, 2013 weis2013.econinfosec.org/papers/CavusogluWEIS2013.pdf
 
Catherine Tucker , Social Networks, Personalized Advertising, and Privacy Controls, http://weis2011.econinfosec.org/papers/Social%20Networks,%20Personalized%20Advertising,%20and%20Privacy%20Cont.pdf
 

L Jean Camp, Reliable, Usable Signaling to Defeat Masquerade Attacks, Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK http://weis2006.econinfosec.org/docs/48.pdf
 
David Modic , Ross J. Anderson Reading this May Harm Your Computer: The Psychology of Malware Warnings, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2374379