Information Security Economics – and Beyond

  • Ross Anderson
  • Tyler Moore
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4622)

Abstract

The economics of information security has recently become a thriving and fast-moving discipline. As distributed systems are assembled from machines belonging to principals with divergent interests, incentives are becoming as important to dependability as technical design. The new field provides valuable insights not just into ‘security’ topics such as privacy, bugs, spam, and phishing, but into more general areas such as system dependability (the design of peer-to-peer systems and the optimal balance of effort by programmers and testers), and policy (particularly digital rights management). This research program has begun to spill over into more general security questions (such as law-enforcement strategy), and into the interface between security and sociology. Most recently it has started to interact with psychology, both through the psychology-and-economics tradition and in response to phishing. The promise of this research program is a novel framework for analyzing information security problems – one that is both principled and effective.


Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Ross Anderson (1)
  • Tyler Moore (1)

  1. Computer Laboratory, University of Cambridge, 15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom