Information security: where computer science, economics and psychology meet

Until ca. 2000, information security was seen as a technological discipline, based on computer science but with mathematics helping in the design of ciphers and protocols. That perspective started to change as researchers and practitioners realized the importance of economics. As distributed systems are increasingly composed of machines that belong to principals with divergent interests, incentives are becoming as important to dependability as technical design. A thriving new field of information security economics provides valuable insights not just into ‘security’ topics such as privacy, bugs, spam and phishing, but into more general areas of system dependability and policy. This research programme has recently started to interact with psychology. One thread is in response to phishing, the most rapidly growing form of online crime, in which fraudsters trick people into giving their credentials to bogus websites; a second is through the increasing importance of security usability; and a third comes through the psychology-and-economics tradition. The promise of this multidisciplinary research programme is a novel framework for analysing information security problems—one that is both principled and effective.
