I525: Economics of Information Security



Readings and schedule for Economics of Information Security for Fall 2014.

Office Hours
901 E 10th St. Room 300
Mondays 10:00 - 12:00
Fridays by appointment
Course Schedule and Readings

Professor Jean Camp

The course will use the tools of economics to better understand computer security. This is not a course in economics research in that no new tools will be discovered and no new ground will be broken in economic theory. The understanding of economics required for this course is modest, and a strong mathematical background with no economics will certainly suffice. There is no textbook. The course will be based on a series of research papers, primarily drawn for the series of Workshops on Economics of Information Security.

At its core, this course should improve your decision-making for any organizations requires for its security professionals. In addition to the fundamental language of decision-making, the course will identify the dimensions of organizational and economic behavior that impinge upon the success of organizational technical choices.

For each paper we answer a set of questions in class. First, what is the larger question, in what greater domain of inquiry does this research lie? That is, where in the world of open questions, does this paper fit? Second, what is the identified researchable question? Obviously no paper, monograph, or person can answer the big questions about life, the universe, privacy, and everything. So research is decomposed into smaller elements. Some of these papers are position papers, arguing that questions should be broken down in a particular manner. Third, what is the method of the paper? Essentially this is a definition of the method the authors have chosen to answer the researchable question and may be experimental, modeling, simulation, and often combinations of different methods. Fourth, how does this method (or methodology) address and fail to address both the larger question and the immediate issue at hand? Fifth, what are the findings of the papers? Finally, with those five questions answered, we respectfully argue about the implications of those findings. Concurrence with class perspective is not a requirement!

These policies are in addition to and  not a substitute for University Academic Conduct policies.

Video and audio recording of the course is not allowed. The class time is focused on discussion. I expect the class participants, as graduate students, to be able to answer the questions and engage fully in classroom exercises.  This means that there will be moments of disagreement, and even intellectual struggle or conflict.  Experience indicates and research does not contradict the assertion that recording will only not help but will hinder discussion and education.   A violation of this class policy will be treated as a violation of academic integrity.

The class has a set of basic topics, and each topic will be explored and examined according to the interest of the students. Students with successful, accepted submissions to these conferences will receive an A, even if this requires a change from my initial grade. If you complete the paper and believe your grade is incorrect, then polish the work and submit it to one of these domains. You will receive both an improved grade and, if you like, even an apology.

Grading Guidelines

15% class participation in class discussions of the readings.
85% weekly assignments Assignments are due every Friday Either short essays, short answer to a set of questions, or possibly a simple quiz. Short essays are approximately 500 words that summarizes the reading or identifies an open research question that arises from the reading. There may also be in-class short quizzes.
Required For Those Earning Doctoral Degree Credit in Security, Optional for Others
15% class participation in class discussions of the readings
85% Final project
  15% topic and method In the class we ask five questions. What is the big idea? What is the researchable question? What is the method? Why? What conclusion is expected? In this short assignment you will attempt to begin forming your own work.
  15% topic selection and abstract The topic should be selected and the abstract should be drafted by the fourth week of the semester
  15% bibliography The bibliography should be roughly complete by the middle of the semester, but of course there will be other material added as the semester progresses. This bibliography will serve as the foundation for your research paper.
  40% research paper The research paper is the culmination of the semester.



Immediate Educational Goals

Basic economic vocabulary
Understand security and privacy as rational, competitive economic phenomena
Understand security and privacy behavioral, human economic phenomena
Examine any proposed protocol of technology to understands its basic costs/benefit proposal, including which parties bear the cost and which get the benefit.
Evaluate there relationship between assumptions and modeling in security engineering analysis.
Be able to critique a research paper, with a particular emphasis of scope of conclusions

Larger Goals within the Curriculum 

The higher level goals are as follows:
A well defined bridge between concentrations in the economics and social sciences with security informatics;
A minimal exposure to interdisciplinary approaches to security; and
The ability to effectively summarize and communicate interdisciplinary research.

Topics and Sessions

Introduction & Examples
The first two weeks of the class will cover some fundamental examples, very early works in economics of security. These are chosen to bring the topics of both computer security and economics together for students who lack familiarity in either.

Rational Microeconomics
The vocabulary and mental model of rational economics. Why should items be sold at marginal cost? When there are two lemonade stands on the beach, why are they right next to each other? Basic economic concepts are introduced. Examples of rational economic models are applied to vulnerability disclosure.

Economics of Privacy
Privacy, identity and security are all tightly intertwined. Privacy, like security, is the control of information. Identification for security purposes often requires decreases in privacy.  This section considers privacy in its own right, as well as interactions with identification.

Behavioral Economics
Economics in computer security focuses to no small degree on behavior. Individuals do not act as self-optimizing rational beings. The limits of the applicability of the model of homo economicus will be used to discuss both decision-making by firms in network security and individuals with respect to privacy. Concepts of risk aversion and risk perception will be introduced. By beginning with the framework of behavioral economics, it may be easier to understand the framework that underlies rational economics. Behavioral economics is then applied to privacy.

Spam is an economic problem with technical symptoms. How is charging for spam possible in the technical sense?  Why might it work in the real world?

Signaling: Knowing who to Trust
At this point in the class the need for reliable information for functioning markets will be clear. Signals are information that distinguishes otherwise indistinguishable goods.

Final Presentations and Topics
For those students obtaining doctoral credit, there is a required presentation. All students are required to attend and complete an evaluation.