Workshop on Economics and Information Security

Do we spend enough on keeping `hackers' out of our computer systems? Do we not spend enough? Or do we spend too much?

Many system security failures occur not so much for technical reasons but because of failures of organisation and motivation. For example, the person or company best placed to protect a system may be insufficiently motivated to do so, because the costs of system failure fall on others. Such perverse incentives raise many issues best discussed using economic concepts such as externalities, asymmetric information, adverse selection and moral hazard. They are becoming increasingly important now that information security mechanisms are not merely used to protect against malicious attacks, but also to protect monopolies, differentiate products and segment markets. There are also interesting security issues raised by industry monopolization and the accompanying reduction in product heterogenity. For these and other reasons, the confluence between information security and economics is of growing importance.

Thursday 16th May

0900 Hal Varian, chair - Welcome

• Ross Anderson `Maybe we spend too much?'
• Bruce Schnieier, `No, we don't spend enough!'

1000 Tea

1030 Andrew Odlyzko, chair - "History of security economics"

• Carl Landwehr, Improving Information Flow in the Information Security Market
• John McHugh, The Principle of Distributed Accounting
• Li Gong, Non-Technical Influences on the Design of the Java Security Architecture

1200 Lunch

1330 Doug Tygar, chair - "Metrics and markets"

• Bob Blakley, The Measure of Information Security is Dollars
• Jean Camp, Marketplace Incentives to Prevent Piracy: An Incentive for Security?
• Andrew Odlyzko, Privacy, Economics, and Price Discrimination on the Internet

1500 Coffee

1530 Larry Gordon, chair, "Optimal Investments in Information Security"

• Kevin Soo Hoo, How Much Is Enough? A Risk Management Approach to Computer Security
• Brian Carini, Dynamics and Equilibria of Information Security Investments
• Kin Sing Leung, Diverging economic incentives caused by innovation for security updates on an information network

1700 Drinks

Friday 17th May

0830 Marty Loeb, chair, "Economic Theory Applied to Information Security"

• Rahul Sami, Agents' privacy in distributed algorithmic mechanisms
• Hal Varian, System Reliability and Free Riding
• Alessandro Acquisiti, Security of Personal Information and Privacy: Economic Incentives and Technological Solutions

1000 Tea

1030 Ross Anderson, chair, "Incentive-compatability of technical mechanisms"

• John Mitchell, Distributed algorithmic mechanism design and network security
• Tomas Sander, Economic Barriers to the Deployment of Existing Privacy Technologies
• Stuart Schechter, Quantitatively Differentiating System Security
• Yvo Desmedt, Using economics to model threats and security in distributed computing

1230 Lunch

1330 Hal Varian, chair "Liability"

• Mike Fisk, Causes and Remedies for Social Acceptance of Network Insecurity
• Rafael Yahalom, Liability Transfers in Network Exchanges
• W Yurcik, Cyberinsurance: A Market Solution to Internet Security Market Failure
• Robert Gehring, Software development, Intellectual Property Rights, and IT Security

1500 Coffee

1530 Li Gong, chair "Other issues"

• Paul Thompson, Cognitive Hacking and the Value of Information
• Larry Gordon, An Economics Perspective on the Sharing ofInformation Related to Security Breaches: Concepts and Empirical Evidence
• Thomas-Xavier Martin, Experience of the French Gendarmerie
• Barb Fox, Internet TAO: The Microeconomics of Internet Standards-Setting

Here are links to information about transport, food and lodging around Berkeley.

Program committee:

• Hal Varian (program co-chair)
• Ross Anderson (program co-chair)
• Doug Tygar (general chair)
• Jean Camp
• Li Gong
• Larry Gordon
• Marty Loeb
• Andrew Odlyzko
• Bruce Schneier