Abstract
The economics of information security has recently become a thriving and fast-moving discipline. As distributed systems are assembled from machines belonging to principals with divergent interests, incentives are becoming as important to dependability as technical design. The new field provides valuable insights not just into ‘security’ topics such as privacy, bugs, spam, and phishing, but into more general areas such as system dependability (the design of peer-to-peer systems and the optimal balance of effort by programmers and testers), and policy (particularly digital rights management). This research program has begun to spill over into more general security questions (such as law-enforcement strategy), and into the interface between security and sociology. Most recently it has started to interact with psychology, both through the psychology-and-economics tradition and in response to phishing. The promise of this research program is a novel framework for analyzing information security problems, one that is both principled and effective.
© 2007 Springer-Verlag Berlin Heidelberg
Cite this paper
Anderson, R., Moore, T. (2007). Information Security Economics – and Beyond. In: Menezes, A. (eds) Advances in Cryptology - CRYPTO 2007. CRYPTO 2007. Lecture Notes in Computer Science, vol 4622. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74143-5_5
DOI: https://doi.org/10.1007/978-3-540-74143-5_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74142-8
Online ISBN: 978-3-540-74143-5