The Economics of Information Security: A Survey and Open Questions

The economics of information security has recently become a thriving and fast-moving discipline. As distributed systems are assembled from machines belonging to principals with divergent interests, we find incentives becoming as important to dependability as technical design is. The new field provides valuable insights not just into ‘security’ topics such as privacy, bugs, spam, and phishing, but into more general areas such as system dependability (the design of peer-to-peer systems and the optimal balance of effort by programmers and testers), policy (particularly digital rights management) and more general security questions (such as law-enforcement strategy).
