Information Security Economics - and Beyond

The economics of information security has recently become a thriving and fast-moving discipline. As distributed systems are assembled from machines belonging to principals with divergent interests, incentives are becoming as important to dependability as technical design. The new field provides valuable insights not just into 'security' topics such as privacy, bugs, spam, and phishing, but also into more general areas such as system dependability (the design of peer-to-peer systems and the optimal balance of effort between programmers and testers) and policy (particularly digital rights management). This research program has begun to spill over into more general security questions (such as law-enforcement strategy) and into the interface between security and sociology. Most recently it has started to interact with psychology, both through the psychology-and-economics tradition and in response to phishing. The promise of this research program is a novel framework for analyzing information security problems - one that is both principled and effective.
