Internet Security

An economic perspective has yielded invaluable insights into the analysis and design of information security mechanisms. Systems often fail because the organizations that defend them do not bear the full costs of failure. This simple insight has profound consequences for a growing number of industries, and it extends to dependability as well as security. For instance, utilities reduce direct, measurable costs by routing control messaging over the Internet; this can raise the risk of service failure, whose costs are mainly borne by their customers. Another example comes from anti-virus software: since infected machines often cause trouble for other machines rather than for their owners, expenditures on protection tend to be suboptimal. Online crime is growing rapidly; for example, the most recent British Crime Survey shows that more than twice as many citizens now fall victim to fraud each year as to traditional acquisitive crime such as house burglary and vehicle theft. There is no purely technical solution to growing vulnerability and increasing crime: law must allocate liability so that those parties in a position to fix problems have an incentive to do so. But at present it frequently does not, and this policy gap is widening as systems become global and acquire a myriad of competing stakeholders. In this chapter, we discuss the economic challenges facing information security in greater detail: misaligned incentives, information asymmetries, and externalities. We then describe several key areas of active research: modeling attack and defense, breaches of personal information, the burgeoning underground markets for online criminal services, and the security of the payment system. We also describe the state of the art using three broad approaches: theoretical, empirical, and behavioral analysis. Finally, because economic analysis has revealed significant barriers to the provision of information security, policy must play a role in any fundamental improvements, so we discuss proposed policy interventions. Researchers can make a significant impact by informing the policy debate in critical areas, which we try to identify.