Economics and Security Resource Page
Ross Anderson
Do we spend enough on keeping ‘hackers’ out of our computer
systems? Do we not spend enough? Or do we spend too much? For that matter, do
we spend too little on the police and the army, or too much? And do we spend
our security budgets on the right things?
The economics of security is a hot and rapidly growing field of research. More
and more people are coming to realise that security failures are often due to
perverse incentives rather than to the lack of suitable technical protection
mechanisms. (Indeed, the former often explain the latter.) While much recent
research has been on ‘cyberspace’ security issues — from
hacking through fraud to copyright policy — it is expanding to throw
light on ‘everyday’ security issues at one end, and to provide new
insights and new problems for ‘normal’ computer scientists and
economists at the other. In the commercial world, as in the world of diplomacy,
there can be complex linkages between security arguments and economic ends.
This page provides links to a number of key papers, conferences, the home pages of
active researchers, relevant books, and other resources. Complementary pages include Alessandro
Acquisti's privacy economics page, Jean Camp's bibliography, and job ads for security
economists.
Our annual bash is the Workshop on Economics and Information Security: WEIS 2010 was in
Harvard (there's a liveblog here). See below for links to past workshops, for
all the workshop papers to date, and for other conferences with some security
economics content.
The Security and Human
Behaviour workshop brings security engineers together with psychologists,
behavioral economists and others. This is great fun and hugely productive. See
the papers,
the liveblog and the audio for 2010; the papers, the liveblog and the audio for 2009; and the papers, the liveblog and the audio for the first meeting in
2008.
Introductory Papers
- The
Economics of Information Security is a short survey paper that appeared in
Science in October 2006. For more detail,
see Information
Security Economics — and Beyond, a full-length survey paper. Here is
the video
of me giving a survey talk on security economics (and
the slides).
This has been an evolving talk:
an earlier
version appeared at Crypto 2007, and
the first
version in January 2007
at Softint. A journal
version of the paper finally appeared in Phil Trans Roy Soc A in August
2009 and will be free to view without charge from August 2011.
- Managing
Online Security Risks was one of the early pieces, and is still a good
introduction. Hal Varian shows how a range of problems, from bank fraud to
distributed denial-of-service attacks, result when the incentives to avoid
abuse are poorly allocated. An analysis of cash machine
fraud, for example, showed that banks in countries with strong customer
rights suffered less fraud; complaints could not be ignored or brushed aside,
so they took more care than in countries where it was harder for fraud victims
to complain.
- Why Information
Security is Hard - An Economic Perspective was the paper that got
information security people thinking about the subject. I showed how economic
analysis explains many phenomena that security researchers had previously found
to be pervasive but perplexing. Why do mass-market software products such as
Windows contain so many security bugs? Why are their security mechanisms so
difficult to manage? Why for that matter are so many specialist security
products second-rate, with bad ones driving good ones out of the market? Why is
it hard for people to use security for competitive advantage - and how might
they? Why are government evaluation schemes, such as the Orange Book and the
Common Criteria, so bad? For that matter, why do government agencies concerned
with information warfare concentrate on offense rather than defense, even now
that the Cold War is over? (There is also an Italian
translation.)
- Cryptographic
abundance and pervasive computing by Andrew Odlyzko was an early paper to
point out the economic and social limits on security technology - if a boss's
secretary cannot forge his signature, a digital security system is as likely to
subtract value as add it.
- Cars, Cholera and Cows:
The Management of Risk and Uncertainty is a classic paper by John Adams on
why organisations (and in particular governments) tend to be more risk-averse
than rational economic considerations would dictate. One of the mechanisms is
adverse selection: the people who end up in risk management jobs tend to be
more risk-averse than average.
- Electronic
Commerce: Who Carries the Risk of Fraud? (by Nick Bohm, Ian Brown and Brian
Gladman) documents how many banks have seen online banking, and information
security mechanisms such as cryptography and digital signatures, as a means of
dumping on their customers many of the transaction risks that they previously
bore themselves in the days of cheque-based and even telephone banking.
- Deworming
the Internet looks at the incentives facing virus writers,
software vendors and computer users. Its author Douglas Barnes asks
what policy initiatives might make computers less liable to infection.
- Economics,
Psychology and Sociology of Security by Andrew Odlyzko discusses a
number of ways in which cultural factors undermine the formal
assumptions underlying many security systems, and gives some insights
from evolutionary psychology; for example, we have specialised neural
circuits to detect cheating in social situations.
- Adverse Selection
in Online 'Trust' Certifications by Ben Edelman shows that websites with
the Trust-e seal of approval are much
more likely to be malicious than uncertified websites. Crooks have a greater
incentive to buy certification than honest merchants, so if the vetting
process isn't strict enough your certification scheme can easily end up
certifying the reverse of what it seems to.
- Economics of
Malware: Security Decisions, Incentives and Externalities is an OECD survey
of the misaligned incentives that drive the malware business, as perceived by
multiple stakeholders. It was published together with another survey on
malware prepared by the members of the OECD Working Party on Information
Security and Privacy (WPISP).
Economics of Privacy
- Economic
Aspects of Personal Privacy is an early discussion by Hal Varian of how
market mechanisms might solve privacy problems, while Richard Posner's Orwell versus
Huxley: Economics, Technology, Privacy, and Satire touches on a number of
economic aspects of privacy and security technology.
- Privacy,
Economics and Price Discrimination tackles one of the thorniest
market-failure problems. Why is privacy being eroded so rapidly, despite many
people saying they care about it? Andrew Odlyzko's analysis puts much of the
blame on differential pricing. Technology is increasing both the incentives and
the opportunities for this. From airline yield management to complex and
constantly changing software and telecomms prices, differential pricing is
economically efficient - but increasingly resented by consumers. His paper The
Unsolvable Privacy Problem and its Implications for Security Technologies
develops the argument to personalised pricing. Conditioning
prices on purchase history, by Alessandro Acquisti and Hal Varian, analyses
the market conditions under which first-degree price discrimination will
actually be profitable for a firm.
- Privacy and
Rationality: Preliminary Evidence from Pilot Data, by Alessandro Acquisti
and Jens Grossklags, studies the specific problem of why people express a high
preference for privacy when interviewed but reveal a much lower preference
through their behaviour both online and offline.
- Guns,
Privacy, and Crime by Alessandro Acquisti and Catherine Tucker studies the
effect of the publication of a list of gun permit holders in Memphis,
Tennessee. This was publicised in February 2009 by a shooting incident in a
shopping mall, and gives an insight into people's tradeoff between privacy and
security. Would knowing which neighbourhoods in Memphis had the most guns deter
crime? It did indeed, with a significant drop in burglaries for about 15 weeks.
- Misplaced Confidences: Privacy and the Control Paradox by Laura Brandimarte,
Alessandro Acquisti and George Loewenstein, explored the control paradox –
the fact that we're more willing to reveal sensitive information than have the
same information revealed by others. Lower perceived control triggers lower
willingness to reveal; the effect is particularly strong for privacy-intrusive
questions, and for publication rather than sharing, access or other use.
- Why we can't
be bothered to read privacy policies - models of privacy economics as a lemons
market, by Tony Vila, Rachel Greenstadt, and David Molnar, examines why
many consumers fail to think of future price discrimination when giving
information to merchants.
- In Opt In Versus Opt
Out: A Free-Entry Analysis of Privacy Policies, Jan Bouckaert and Hans
Degryse compare the competitive effects of three customer privacy policies -
anonymity, opt-in and opt-out. Under certain assumptions, opt out is the
socially preferred privacy regime: the availability in the market of
information about the buying habits of most customers, rather than a few
customers, helps competitors to enter the market.
- Who Signed Up for the
Do-Not-Call List?, by Hal Varian, Fredrik Wallenberg and Glenn Woroch,
analyses the FCC's telephone-sales blacklist by district. Privacy means
different things to different population groups, but this raises further
questions. For example, educated people are more likely to sign up, as one
would expect: but is that because rich households get more calls, because they
value their time more, or because they understand the risks better? In Financial Privacy for
Free?, Alessandro Acquisti and Bin Zhang apply a similar analysis to credit
reporting. In Is There a
Cost to Privacy Breaches? Alessandro Acquisti, Allan Friedman and Rahul
Telang look at the effect on companies' stock prices of reported breaches of
their customers' privacy.
- Privacy,
Property Rights & Efficiency: The Economics of Privacy as Secrecy, by
Benjamin Hermalin and Michael Katz criticises the Chicago school view that
more information is better (if collected costlessly), and argues that privacy
can be efficient even when there is no 'taste' for privacy per se. The authors
develop a general model which also challenges the Varian view that privacy
could be achieved by simply giving individuals property rights in information
about themselves. In the Hermalin-Katz model, an effective privacy policy may
need to ban information transmission or use. The flow of information between
trading partners can reduce ex-post trade efficiency when the increase in
information does not lead to symmetrically or fully informed parties.
- On the Economics
of Anonymity studies why anonymity systems are hard to sell, and points out
some of their novel aspects. For example, honest players want some level of
free-riding, in order to provide cover traffic. So equilibria can also be
novel, and the ways in which they break down can be complex. We also have to
consider a wider range of principals - dishonest, lazy, strategic, sensitive,
and myopic - than in most of the markets that economists try to model. Anonymity Loves Company:
Usability and the Network Effect continues this analysis to show when a
user will prefer a weak but popular anonymity system over a strong but
rarely-used one.
- When 25 Cents is
too much: An Experiment on Willingness-To-Sell and Willingness-To-Protect
Personal Information by Jens Grossklags and Alessandro Acquisti provides a
nice exposition of the difference between willingness to pay and willingness
to accept, with the latter usually being dramatically higher, and discusses how
this gap can be applied to understand the privacy paradox.
- In Privacy, Network
Effects and Electronic Medical Record Technology Adoption, Amalia Miller
and Catherine Tucker provide a nice time-series analysis of health IT adoption
rates compared to health privacy laws in various US states.
- The Effect of
Online Privacy Information on Purchasing Behavior: An Experimental Study by
Janice Tsai, Serge Egelman, Lorrie Cranor and Alessandro Acquisti shows that by
making information about website privacy policies more accessible and salient
it is possible to get shoppers to pay more attention to it and even to pay a
premium for privacy.
- Conformity or
Diversity: Social Implications of Transparency in Personal Data Processing
by Rainer Boehme studies whether making information widely available about the
bases on which decisions are taken about individuals will lead to more
conformity (because, in the absence of information asymmetries and strategic
interaction with others, the optimal behaviour becomes mainstream) or diversity
(as in the absence of transparency, individuals are herded together by
uncertainty and fear). He presents a model of how preferences and signaling
behaviour might interact.
- The
Economics of Privacy is a literature survey by Kai-Lung Hui and Ivan
Png.
See also Alessandro
Acquisti's privacy economics page.
The Information Security Business
- In Encryption
and Data Loss, Amalia Miller and Catherine Tucker report the surprising and
important result that hospitals that adopt encryption end up having more
breaches, not fewer! The data breach notification laws that give encryption
exemptions don't explain it all, either. It seems that encryption software
makes staff careless, and the damage outweighs the actual protection the
software gives.
- In Inglorious Installers: Security in the Application Marketplace, Jonathan
Anderson, Joseph Bonneau and Frank Stajano explore the transparency and
confinement of application installers across twelve application markets. The
clustering suggests it's about markets not technology! Factors include
externalities and asymmetric information; in addition, the cost of evaluating
code depends on who does it. The key tool may be branding: firms like Symbian
and recently Apple vet applications and expose their own brand in return for
market power. The Android market by contrast is a Wild West.
- In Information Governance:
Flexibility and Control through Escalation and Incentives, Xia Zhao and
Eric Johnson model the over- and under-entitlement to information that arise in
firms due to agency and path-dependence. They argue that to align employees'
interests with those of the firm, employers should use rewards as well as
penalties, and allow staff to escalate their own access rights when needed
within this framework.
- Will Outsourcing IT
Security Lead to a Higher Social Level of Security? reports a study done by
Brent Rowe for the DHS on whether outsourcing improves or undermines security.
He concludes that it depends on what's outsourced (auditing, vulnerability
testing, monitoring, insurance, implementation or even system management). Most
firms outsource at least one service, and how much they buy in is sector
dependent; also, the more they outsource, the less their overall security
spend. Decisions also depend on scale economies and network effects.
- Annual CSI-FBI surveys are
often cited by practitioners in the field. Survey results are
generally recognised to be unsatisfactory, but unfortunately we don't
have anything better at present. There are also various link farms, and an awful lot of hype.
- In Models and Measures for
Correlation in Cyber-Insurance, Rainer Boehme and Gaurav Kataria
examine the effects of local versus global correlation on insurance markets.
They show that in many economically important cases (such as globally
correlated risks from the worldwide spread of a worm or virus) there may be no
market solution, as the insurer's cost of safety capital becomes too high.
- In Privacy
Insurance contracts: Modeling and their use in Managing Risk in ICT firms,
Athanassios Yannacopoulos and colleagues explore insurance market failures due
to asymmetric information, and provide a random utility model for assessing
insurance against privacy failures.
- In How
and Why More Secure Technologies Succeed in Legacy Markets: Lessons from the
Success of SSH, Nicholas Rosasco and David Larochelle discuss why many
security products failed and a few, like SSH, succeeded - in its case it
provided added non-security benefits to users. In Bootstrapping the Adoption
of Internet Security Protocols, Andy Ozment and Stuart Schechter provide a
model for the adoption of a security service in the face of network
externalities and discuss how bundling might be used to help roll out DNSSEC.
- Economic
Aspects of Controlling Capital Investments in Cyberspace - Security for
Critical Infrastructure Assets, by Larry Gordon, Marty Loeb, and Bill
Lucyshyn, looks at the interaction between information security investment and
internal control - whether asymmetric information between chief security
officers and chief financial officers can lead to moral hazard and adverse
selection issues in organisations.
- The Economic
Impact of Role-Based Access Control is a study commissioned by the US
National Institute of Standards and Technology to assess the economic
impact of an investment they made in promoting role-based access control. It
appears to be the first serious study that uses the return on investment to
assess research in the field.
- Two
papers, Economic
Consequences of Sharing Security Information (by Esther Gal-Or and
Anindya
Ghose) and An
Economics Perspective on the Sharing of Information Related to Security
Breaches (by Larry Gordon), analyse the incentives that firms have to share
information on security breaches within the context of
the ISACs set up by the US government.
Models developed for trade associations and research joint ventures can be
applied to work out optimal membership fees and other incentives.
- Kevin Soo Hoo's
thesis was a first attempt to bring some econometrics to the field. It
looks at what countermeasures might be most cost-effective, given the FBI data.
He also has an article
analysing the return on security investment, which he puts at an unexciting
17-21 percent. (See press
coverage here.)
There is also
a US
government guide to doing risk assessment and cost-benefit analysis.
- The economic
cost of publicly announced information security breaches: empirical
evidence from the stock market, by Katherine Campbell, Larry Gordon,
Marty Loeb and Lei Zhou, provides an analysis of the effect of security
scares on share prices. There is a highly significant negative market
reaction for information security breaches involving unauthorized access
to confidential data, but no significant reaction when the breach does
not involve confidential information. Thus stock market participants
appear to discriminate across types of breach.
Economics of vulnerabilities
- Cormac Herley's
paper The
Plight of the Targeted Attacker in a World of Scale asks: Where are the
missing attacks? We have 2 billion Internet users most of whom care
diddley-squat about security, and lots of sophisticated attacks – yet
life goes on. Why? Well, mass automated attacks are scalable, with sublinear
costs, while targeted attacks involve people and aren't. The profit from the
former is driven to zero by price competition, and ditto the value of assets
successfully attacked. The latter needs high-value targets, and assets tend to
have a power-law distribution: 1.8% of people have above average wealth, while
with fame 2% are above average. So 98% of people are of no interest. The moral
is that optimal security investment depends on whether anyone's targeting you.
- In Is finding security
holes a good idea?, Eric Rescorla argues that since large software products
such as Windows contain many security bugs, the removal of an individual bug
makes little difference to the likelihood that an attacker will find another
one later. But many exploits are based on vulnerability information disclosed
explicitly by researchers, or implicitly when manufacturers ship patches. He
therefore argues that, unless discovered vulnerabilities are correlated, it is
best to avoid vulnerability disclosure and minimise patching.
- In Optimal Policy for Software
Vulnerability Disclosure, Ashish Arora, Rahul Telang and Hao Xu
argue to the contrary. They produce a model in which neither instant
disclosure nor non-disclosure is optimal; without disclosure, software
firms will have little incentive to fix bugs in later versions of
their products. Their model is based on a representative vulnerability
rather than on vulnerability statistics.
- In Impact of
Vulnerability Disclosure and Patch Availability - An Empirical Analysis,
Ashish Arora, Ramayya Krishnan, Anand Nandkumar, Rahul Telang, and Yubao Yang
present empirical data to support the model of the above paper. While vendors
respond quickly to rapid disclosure, disclosure does increase the number of
attacks; and the number of reported vulnerabilities does decline over
time. They also find that open source projects patch more quickly than
proprietary vendors, and large companies patch more quickly than small
ones.
- In Network
Security: Vulnerabilities and Disclosure Policy, Jay Pil Choi, Chaim
Fershtman and Neil Gandal model the conditions under which a company would
voluntarily disclose vulnerabilities in the absence of regulation, and in which
a mandatory disclosure policy might not necessarily be welfare improving: it
all depends on the proportion of customers who install updates.
- Timing
the Application of Security Patches for Optimal Uptime by Steve Beattie,
Seth Arnold, Crispin Cowan, Perry Wagle, and Chris Wright, provides a
quantitative analysis of a practical security management problem - how long
should you wait before you apply a security patch? Pioneers end up discovering
problems with patches that cause their systems to break, but laggards are more
vulnerable to attack. In a typical case, a wait of between ten and thirty days
seems about right.
- Economics of Security
Patch Management, by Huseyin Cavusoglu, Hasan Cavusoglu and Jun Zhang,
compares liability and cost-sharing as mechanisms for incentivising vendors to
work harder at patching their software. It turns out that liability helps where
vendors release less often than optimal, while cost-sharing helps where they
release more often. If you want to achieve better coordination at minimum
additional cost to the vendor, they should not be used together. Meanwhile, Competitive and Strategic
Effects in the Timing of Patch Release by Ashish Arora, Christopher Forman,
Anand Nandkumar and Rahul Telang shows that competition hastens patch release
even more than disclosure threat in two out of three studied strategies.
- Open and
Closed Systems are Equivalent (that is, in an ideal world) is a paper by
Ross Anderson that examines whether openness helps the attacker or the defender
more. He shows that under standard assumptions used in reliability growth
models, openness helps both equally. There remain many factors that can break
symmetry and cause one or the other to be better in practice, but one should
look for them in the ways a system departs from the standard assumptions.
- In An
Empirical Analysis of Exploitation Attempts based on Vulnerabilities in Open
Source Software, Sam Ramsbotham studies 883 vulnerabilities in 13101
software products, and finds that open source does have a significant positive
effect on the probability and volume of exploitation; exploits of open source
also spread farther and faster.
- The
Mathematics of Obscurity: On the Trustworthiness of Open Source by Hermann
Haertig, Claude-Joachim Hamann and Michael Roitzsch models races where
defenders have to find all bugs before the attackers find one of them, and
presents a closed form solution. It turns out that on some realistic
assumptions, the attackers always have a window.
- In Pricing
security: vulnerabilities as externalities Camp and Wolfram argue that
exploits are externalities, and that a market of vulnerabilities can increase
public welfare. Stuart Schechter's paper How to Buy Better
Testing: using competition to get the most security and robustness for
your dollar expands on this and his thesis, Computer Security
Strength and Risk: A Quantitative Approach develops this theme
in a lot more detail.
- In Bug Auctions: Vulnerability
Markets Reconsidered, Andy Ozment applies auction theory to analyse how
vulnerability markets might be run better, and how they might be exploited by
the unscrupulous. Then Michael Sutton and Frank Nagle's paper, Emerging Economic Models for
Vulnerability Research, described the operation of iDefense and Tipping
Point, two companies set up to purchase vulnerabilities on the market. Vulnerability
markets by Rainer Boehme provides a short survey of the whole field.
- In The legitimate
vulnerability market: the secretive world of 0-day exploit sales, Charles
Miller describes real-world experience in selling vulnerabilities, demonstrating
the perils of operating in the absence of mature vulnerability markets.
Relevant Theory Papers
- Security
Games in Online Advertising: Can Ads Help Secure the Web? by Nevena
Vratonjic, Jean-Pierre Hubaux, Maxim Raya and David Parkes presents a
game-theoretic model of what happens when ISPs meddle with advertising, by
screening subscriber traffic, selling data to ad companies, or even inserting
ads into web pages on the fly. Having constructed a multi-stage game between a
website and all ISPs, they used real data on web traffic to estimate
incentives. An ISP could make money out of the top 1000 websites, but the more
aggressive ISPs get, the more websites would be secured. In fact, if ISPs try
to divert revenue from the most popular sites these would be secured rapidly.
- In System
Reliability and Free Riding, Hal Varian discusses ways in which the defence
of a system can depend on the efforts of the defenders. Programming, for
example, might be down to the weakest link (the most careless programmer
introducing the fatal vulnerability) while the effectiveness of testing might
depend on the sum of everyone's efforts. There can also be cases where the
security depends on the efforts of an individual champion. These different
models have interesting effects on whether an appropriate level of defence can
be provided, and what policy measures are advisable.
- Security
Investment (Failures) in Five Economic Environments: A Comparison of
Homogeneous and Heterogeneous User Agents, by Jens Grossklags, Nicolas
Christin and John Chuang, extends this analysis to account for heterogeneity
among decision makers, for example with respect to size and frequency of loss.
- The economics of
information security investment, by Larry Gordon and Marty Loeb, suggests
that a firm may often prefer to protect those information sets with middling
vulnerability, rather than the most vulnerable (as that may be too expensive);
and that to maximise the expected benefit, a firm might only spend a small
fraction of the expected loss.
- On the Evolution of
Attitudes toward Risk in Winner-Take-All Games by Eddie Dekel and Suzanne
Scotchmer presents an evolutionary model of how winner-take-all conflicts such
as patent races (or for that matter battles for control of software standards)
select for risk-takers and lead to the extinction of risk-avoiders.
- A BGP-based Mechanism
for Lowest-Cost Routing, by Joan Feigenbaum, Christos Papadimitriou, Rahul
Sami and Scott Shenker, shows how combinatorial auction techniques can be used
(at least in theory) to provide distributed routing mechanisms that are proof
against strategic behaviour by one or more of the participants.
- Lawrence Ausubel's Ascending
Auctions with Package Bidding shows that certain types of combinatorial
auction can be solved efficiently if bidding is conducted through a trusted
proxy - a system that can be relied on to bid according to an agreed strategy.
- The Communication
Complexity of Efficient Allocation Problems, by Noam Nisan and Ilya Segal,
shows that although one can solve the allocation problem using strategy-proof
mechanisms, the number of bits that must be communicated grows exponentially;
thus in many cases the best practical mechanism will be a simple bundled
auction. The paper also suggests that if arbitrary valuations are allowed,
players can submit bids that will cause communications complexity problems for
all but the smallest auctions.
- Noam Nisan and Amir Ronen's seminal paper Algorithmic Mechanism
Design shows how distributed mechanisms can be designed that are
strategyproof, that is, participants cannot hope to gain an advantage by
cheating. This paper sparked off much recent research at the boundary between
theoretical computer science and economics.
- There are two influential related papers by Geoffrey Heal and Howard
Kunreuther on security externalities, which extended ideas from information
security economics to much more general applications. Interdependent
Security discusses the many cases where my security depends on my
neighbour's - where worms can spread from one part of a company to another,
fire from one apartment to another, and infection from one person to
another. In some cases there will be a temptation to free-ride off the efforts
of others, so it is hard to make security investment a dominant strategy. You
Can Only Die Once: Managing Discrete Interdependent Risks examines the more
general case and analyses the conditions under which various security problems
have equilibria that are not socially optimal.
Measuring Electronic Crime
- Is
the Internet for Porn? An Insight Into the Online Adult Industry by Gilbert
Wondracek and colleagues investigates the links between adult pay sites, link
collections, traffic brokers, search engines and redirector services. They
crawled 269,000 URLs from 35,000 domains, which they checked for malware (over
3%, or about five times as much as expected) and other standard exploits. The
authors also set up two porn websites and joined three traffic brokers, where
$160 bought 49,000 visitors, of whom more than 20,000 were vulnerable to at
least one known vulnerability. By comparison, pay-per-install sites charge $130
per 1000 US installs. The conclusion: although not all porn sites are crooked,
many are, and this paper describes a whole ecosystem of shady services.
- The
underground economy: priceless by Rob Thomas and Jerry Martin of Team Cymru
was the first paper to explore the underground economy from studying it
directly by monitoring IRC chat rooms. In recent years online criminals have
established an efficient division of labour, just like in Adam Smith's pin
factory. This paper explains how the villains' pin factory works.
- In An
Inquiry into the Nature and Causes of the Wealth of Internet Miscreants,
Jason Franklin, Vern Paxson, Adrian Perrig, and Stefan Savage provide a more
systematic analysis of the underground economy by studying IRC channels and
collecting a lot of data about online criminals' trade in social security
numbers, credit card numbers and other goodies.
- Identity
Theft by Keith Anderson, Erik Durbin and Michael Salinger provides a survey
of the research literature relating to identity theft in the USA and presents
data from FTC surveys. Almost 4% of Americans were victims in 2005, with 0.8%
suffering the most serious forms such as having credit cards issued to others
in their names. Wealthier Americans were most at risk, and a significant
minority incurred nontrivial clean-up costs. Credit card fraud losses by banks
are stable at about 6 basis points — down from over 15 in 1992; losses by
merchants are much higher at 1.4% of turnover (down from 3.6% in 2000). The
authors also discuss various policy options such as liability shifting, breach
notification, credit freezes and stiff penalties. These are made complex by the
links between the economics of payment systems and of credit.
- The Impact
of Incentives on Notice and Take-down by Tyler Moore and Richard Clayton
compares a variety of notice and take-down regimes for removing content on the
Internet. They find that phishing is removed fastest, but the banks are
much slower to remove mule-recruitment websites. It turns out that child sexual
abuse images are slowest of all to be removed, due to the division of
responsibility for removal along national lines.
- In Examining the
Impact of Website Take-down on Phishing, Tyler Moore and Richard Clayton
find wide variation in the effectiveness of the responses of different actors to
phishing, and empirically demonstrate the impact of attacker innovation in the
form of longer website lifetimes for rock-phish and fast-flux attacks.
- Studying
Malicious Websites and the Underground Economy on the Chinese Web by Jianwei
Zhuge and colleagues presents data on the Chinese underground economy and
explains the different roles of miscreants there.
- In Crime Online: Cybercrime
and illegal innovation, Howard Rush, Chris Smith, Erika Kraemer-Mbula and
Puay Tang describe the specialisation that has accelerated the development of
online crime since about 2004, just as Adam Smith's pin factory epitomised the
same tendency in the late 18th century.
Information Security Regulation
- A study
of security economics in Europe, by Ross Anderson, Richard
Clayton, Tyler Moore and Rainer Boehme, was published by the European Network
and Information Security Agency. It applies security economics research to
synthesise a series of policy options for dealing with cyber risk and online
policy issues in Europe. A shorter
version (62 pages) appeared at WEIS 2008, and there's an even shorter (25
page) version entitled Security economics
and European Policy.
- The Role
of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based
on Spam Data by Michel van Eeten and colleagues analysed 63 billion spam messages
from 138 unique sources, and confirmed that ISPs are the critical control point:
the top 200 ISPs controlled 60% of spam sources and the top 10, 30%. There are
substantial differences in ISP effectiveness at botnet mitigation – two
orders of magnitude. They explored possible explanatory factors and found lower
infection rates at cable providers and in countries that adhere to the
London Action Plan. Education, regulation and automation may explain some
differences.
- Might
Governments Clean-up Malware? is a paper by Richard Clayton assessing how
much a contractor might charge per PC if given a government ‘public
health contract’ to clean up infected PCs; this might be about $10, or
under a dollar a machine per year assuming 0.5% of the population use the
service every month.
- In Data
Breaches and Identity Theft: When is Mandatory Disclosure Optimal?, Sasha
Romanosky, Richard Sharp and Alessandro Acquisti analyse the net change of
social costs following breach-disclosure laws using a tort model of minimising
the cost of care plus the cost of a breach. The social cost converges on the
firm's optimal cost as the level of care increases, and disclosure seems more
appropriate than mandated standards.
- Do Data Breach
Disclosure Laws Reduce Identity Theft? by Sasha Romanosky, Rahul Telang and
Alessandro Acquisti studies the effects of the security breach disclosure laws
now in force in many US states, and concludes that the case for their
effectiveness has not been proven.
- In Reinterpreting the
Disclosure Debate for Web Infections, Oliver Day, Rachel Greenstadt and
Brandon Palmen provide another analysis of data on electronic crime, in this
case the distribution of malware on infected web hosts. They show a high
concentration of infected hosts at poor-performing ISPs, and find evidence of
attackers moving to previously untargeted ISPs as others clean up their act.
- Why the Security
Market has Not Worked Well is a chapter from a 1990 study by the NAS
Computer Science and Technology Board which provides an early analysis of the
`computer security problem'. It blames the rapid pace of technological (and
particularly architectural) change, the comparatively slow pace of government
market interventions (through procurement and evaluation programs), export
controls, a lack of consumer understanding of the risks, and the very limited
recourse that US customers have against vendors of faulty software.
- Improving
Information Flow in the Information Security Market describes the efforts
of the US government over the last couple of decades to tackle a perceived
market failure in the security business - the lemons problem, whereby bad
products drove out good ones. The attempted fix was a government-sponsored
evaluation scheme (the Orange Book), but that was not without its own
problems.
- In The Economic
Impact of Regulatory Information Disclosure on Information Security
Investments, Competition, and Social Welfare, Anindya Ghose and Uday Rajan
discuss how the implementation of US legislation such as Sarbanes-Oxley,
Gramm-Leach-Bliley and HIPAA has placed a disproportionate burden on small and
medium sized businesses, largely through a one-model-fits-all approach to
compliance by the big accounting firms. They show how mandatory investment in
security compliance can have a number of unintended consequences including
distorting security markets and reducing competition.
- In The Potential
for Underinvestment in Internet Security: Implications for Regulatory
Policy, Alfredo Garcia and Barry Horowitz show that the gap between the
social value of ISPs, and the revenue at stake associated with their security
levels, is continuing to increase. If this continues, they argue, mandatory
security standards may become likely.
- The European Union has proposed a Network
Security Policy that sets out a common European response to
attacks on information systems. This starts using economic arguments
about market failure to justify government action in this sector. The
proposed solutions are rather familiar, involving everything from
consciousness raising to Common Criteria evaluations; but the use of
economic analysis could be significant for the future.
- The German Federal
Government's Comments on the TCG and NGSCB in the Field of Trusted
Computing sets out government concerns about TC on a wide range of
issues, from certification and trapdoors through data protection to
economic policy matters.
- The Center for Strategic and International Studies has a very good study of the risks of
cyber-terrorism which goes a long way to debunk the scaremongering and hype
about the vulnerability of critical infrastructures to digital attack.
- The Brookings Institute has published a short paper
on the economic effects of security interdependency, and a longer book
chapter on the economics of homeland security - what should be the roles of
government and the private sector in financing precautions against
terrorism?
- Economics
and Security in Statecraft and Scholarship explains why a web search on
`economics' and `security' turns up few interesting documents on international
affairs. The two were considered closely linked until 1945; thereafter nuclear
weapons were thought to decouple national survival from economic power, while
the USA established a pattern of confronting the USSR over security, and Japan
and the EU over trade. This caused Washington bureaucrats to split into a
`security' camp and a `political economy' camp; academics studying
international relations followed suit. Bill Clinton started to get the
bureaucrats working together again from about 1995, but the academics are still
lagging somewhat.
Copyright and Rights Management
- Olson's
Paradox Revisited: An Empirical Analysis of File-Sharing Behaviour in P2P
Communities finds a positive correlation between the size of a BitTorrent
file-sharing community and the amount of content shared, despite a reduced
individual propensity to share in larger groups, and deduces from this that
file-sharing communities provide a pure (non-rival) public good. Forcing users
to upload results in a smaller catalogue; but private networks provide both
more and better content, as do networks aimed at specialised communities.
- Felix Oberholzer-Gee
and Koleman Strumpf's File-Sharing and Copyright
argues that file-sharing doesn't seem to harm overall social welfare in that
concert ticket sales have gone up by more than sales of recorded music have
fallen. The paper summarises much of the research and controversy kicked off by
an earlier paper of theirs, The Effect of
File Sharing on Record Sales -- An Empirical Analysis. That argued that
downloads do not do significant harm to the music industry: five thousand
downloads are needed to displace a single album sale, while high-selling albums
actually benefit from file sharing.
- A Cost
Analysis of Windows Vista Content Protection asks some hard questions about
whether the new security mechanisms in Vista are worth it, and to whom. It
suggests Microsoft is imposing large costs on hardware suppliers, under cover
of protecting Hollywood content, but in reality as a lock-in play to control
content distribution.
- It follows logically from the `Trusted Computing'
Frequently Asked Questions, which provided the first critical survey of
Trusted Computing, and Cryptography and
Competition Policy - Issues with `Trusted Computing' which developed an
economic analysis that first suggested that Microsoft stood to gain much more
than Hollywood - with the quick win being to lock in users of Microsoft Office
more tightly, thus enabling its price to be raised (or cut less) in the face of
competition.
- Fetscherin and Vlietstra's DRM and
music: How do rights affect the download price? shows that the prices of
music tracks sold online are mostly determined by the rights granted to the
purchaser - including the right to burn, copy or export the music - and also by
the label and the location.
- Ivan Png's Copyright:
A Plea for Empirical Research attacks Oberholzer and Strumpf, citing six
other studies that did indeed show a negative correlation between downloads and
CD sales. It also examines the Eldred case and looks at the incentive effects
of copyright law on the production of movies.
- Yooki Park and Suzanne Scotchmer's Digital Rights
Management and the Pricing of Digital Products argues that DRM does not
have to be perfect - the cost of circumvention needn't be raised above the
monopoly price; that technical protection may still yield more revenue than
legal protection, as it may never expire; and that separate DRM systems may
yield higher prices than a shared system, because of the greater incentives
for, and effects of, circumvention. It also looks at how the structure of a DRM
consortium such as the TCG might promote, or inhibit, collusive behaviour among
content vendors.
- Hal Varian's New
Chips Can Keep a Tight Rein on Consumers provides a concise introduction to
the problems that strict usage control mechanisms create for innovation
policy. A certain level of reverse engineering for compatibility is an
important brake on the abuse of monopoly power, especially in information goods
and services markets whose incumbents try hard to manipulate switching costs by
controlling compatibility.
- In Cruel, Mean or
Lavish?: Economic Analysis, Price Discrimination and Digital Intellectual
Property Jamie Boyle argues that the next target of the copyright lobby,
after cracking down on fair use, will logically be the doctrine of first sale:
the right to resell, lend, or even criticise a book (or film or software
product) will be increasingly limited by contract and by technical
means. Publishers may try to control their aftermarkets using arguments about
the economics of price discrimination.
- In The Law and
Economics of Reverse Engineering, Pam Samuelson and Suzanne Scotchmer
describe what may go wrong if some combination of technical and legal
restraints can be made to undermine the right to reverse engineer software
products so as to make other products compatible with them. It provides the
theoretical and scholarly underpinnings for much of the work on the
anti-competitive effects of the DMCA, copyright control mechanisms, and
information security mechanisms applied to accessory control
applications. There is also a shorter
paper that applies the lessons of the main paper to the DeCSS case.
- Open
Source Software Projects as User Innovation Networks expands on this. Eric
von Hippel shows how most of the innovations that spur economic growth are not
anticipated by the manufacturers of the platforms on which they are based; the
PC, for example, was conceived as an engine for running spreadsheets. If IBM
had been able to limit it to doing that, a huge opportunity would have been
lost. Furthermore, technological change in the IT goods and services markets is
usually cumulative. If security technology can be abused by incumbent firms to
make life harder for people trying to develop novel uses for their products,
this will create all sorts of traps and perverse incentives.
- In Security
and Lock-In: The Case of the U.S. Cable Industry, Tom Lookabaugh and Doug
Sicker discuss an existing case history of an industry's development being
affected by security-related technical lock-in. US cable industry operators are
locked in to their set-top-box vendors; and although they can largely negotiate
to offset the direct costs of this when committing to a supplier, the indirect
costs are large and unmanageable. In particular, innovation suffers. Cable is
falling behind other platforms, such as the internet, as the two platform
vendors don't individually have the incentives to invest in improving their
platforms.
- Trusted
Computing, Peer-To-Peer Distribution, and the Economics of Pirated
Entertainment, by Stuart Schechter, Rachel Greenstadt and Mike Smith, shows
how trusted computing technology can aid the pirates as well as the Hollywood
guys. TC platforms will, if they perform as advertised, provide much more
robust platforms for hosting peer-to-peer file-swapping services; they will be
very much less vulnerable to the service denial attacks currently deployed by
the content industry against services such as gnutella, grokster and
kazaa.
- In Privacy
Engineering for Digital Rights Management Systems, Joan Feigenbaum, Michael
Freedman, Tomas Sander and Adam Shostack discuss why the economic motivations
of the various players lead to serious difficulties in deploying privacy
technology for DRM.
Miscellaneous Papers
- The
password thicket: technical and market failures in human authentication on the
web by Joe Bonneau and Soren Preibusch reports a survey of 150 websites
covering password advice, length, recovery, probing prevention and guessing
prevention. Password overcollection is a tragedy of the commons; insecurity is
a negative externality, as attackers get passwords from weak sites and try them
elsewhere: Twitter recently forced a million users to reset their passwords
after such a password-reuse attack.
- Ross Anderson's and
Shailendra Fuloria's
paper On
the security economics of electricity metering examines problems with the
smart metering initiatives being pursued in the EU and the USA, which create
significant conflicts of interest between energy companies, governments and
customers. They make recommendations for mitigating these.
- The
topology of covert conflict by Shishir Nagaraja and Ross Anderson examines
how the police can best target an underground organisation given some knowledge
of its patterns of communication, and how they in turn might react, using a
framework combining ideas from network analysis and evolutionary game
theory. Nagaraja's The Economics of
Covert Community Detection and Hiding extended this work from active
attacks on networks to passive surveillance, and studied best strategies for
both surveillance and countersurveillance in networks where the adversaries
have bounded resources.
- In The Economics
of Mass Surveillance, George Danezis and Bettina Wittneben apply these
network analysis ideas to privacy policy; traffic analysis conducted
against just a few well-connected militant organisers can draw a surprising
number of members of a subversive organisation into the surveillance net.
- Closing the
Phishing Hole - Fraud, Risk and Nonbanks reports research commissioned by
the US Federal Reserve for their
biennial Santa
Fe Conference on bank regulation. This paper identified speedy asset
recovery as the most effective deterrent to online fraud, which is made easier
by systems like Western Union that make the recovery of stolen funds more
difficult.
- Nonbanks and
Risk in Retail Payments by Stuart Weiner, Richard Sullivan and Simonetta
Rosati followed up with an analysis of the role played by nonbanks in US
payment systems more generally; a very large part of the infrastructure is now
outsourced.
- In The Economics of
Digital Forensics, Tyler Moore explains how the interests of vendors
diverge from those of law enforcement. For example, mobile phone vendors prefer
proprietary interfaces, which makes data recovery from handsets difficult;
recovery tools exist only for the most common models. Criminals should buy
unfashionable phones, while the police should prefer open standards.
- "Proof-of-Work"
Proves Not to Work by Ben Laurie and Richard Clayton shows that the
spam-blocking schemes that rely on getting mail senders to perform some
computational task are unlikely to solve the spam problem: there are many
legitimate senders with less available compute power per message than many
spammers can obtain from the compromised hosts they use.
- In Modelling
Incentives for Email Blocking Strategies, Andrei Serjantov and Richard
Clayton analyse the incentives on ISPs to block traffic from other ISPs with
many infected machines, and back this up with data. They also show how a number
of existing spam-blocking strategies are irrational and counterproductive.
- In Inadvertent
Disclosure - Information Leaks in the Extended Enterprise, Eric Johnson and
Scott Dynes study inadvertent data leaks of sensitive information (personal and
corporate) through P2P file sharing, and also find that some users are
explicitly searching for sensitive documents leaked through such mechanisms.
- In Mental Models of
Computer Security Risks, Farzaneh Asgharpour, Debin Liu and Jean Camp show
that people's mental models of computer security risks vary substantially
according to their expertise in the subject. The models implicit in much of the
literature are different again. This diversity has implications for risk
communication.
- Evaluating the Wisdom of
Crowds in Assessing Phishing Websites by Tyler Moore and Richard Clayton
challenges the fashionable approach of turning decisions over to end
users on the Internet. Letting users vote on what websites are evil creates
many opportunities for abuse because of the huge variance in participation
rates.
Conferences
The event to aim for if you want to keep up with research in this field and get
to know people is WEIS - the Workshop on the Economics of Information
Security.
These links give you access to all the conference papers.
Other relevant conferences include:
- The Security and Human
Behaviour workshop brings security engineers together with psychologists,
behavioral economists and others. See the papers, liveblog and audio for 2009; and the papers, liveblog and audio for the first meeting in
2008.
- The ACM Conference on Electronic
Commerce focusses on auction theory and game theory, but has occasional
relevant papers. The 2010 event was co-hosted with WEIS 2010.
- Two similar events are NetEcon which looks at general
problems of economics of networks, including dependability, and the Workshop on Internet and Network
Economics.
- Some relevant papers turn up in Toulouse at SoftInt, the biennial
Conference on the Economics of the Software and Internet Industries. See also
the proceedings of predecessor conferences in 2002 (on Open Source Software
Economics), 2005 and 2007. There are also
occasional security-economics papers at the NET Institute Conference,
while the Society for Economic
Research on Copyright Issues holds annual workshops.
- One-off events have included a session in 2002 at the Stanford
Institute of Theoretical Economics; a Forum on
Financial Systems and Cyber Security at the University of Maryland in
May 2004; and a workshop on the
Law and Economics of Cyber Security, George Washington University in June
2004. Farther back, there used to be annual NATO colloquia on economics and
national security, with a focus on stabilizing Eastern Europe and the
Balkans.
Community - Home Pages of People Interested in Security Economics
Books
- Information
Rules, by Carl Shapiro and Hal Varian, is a good introduction to economics
for computer scientists. It focuses on the specific problems and opportunities
of IT goods and services markets, and the characteristics that tend to make
them different from the market for potatoes - such as the combination of high
fixed costs and low marginal costs, network externalities, technical lock-in
and standards wars. It is pitched at the level of an educated general
reader. If you want the mathematical detail too, read Varian's Intermediate
Microeconomics.
- Security Engineering
by Ross Anderson is a good introduction for economists (and others) to secure
systems engineering. It covers not just technologies such as crypto and
`infrastructure' matters such as firewalls and PKI, but a number of specific
applications, such as banking and medical record-keeping, and embedded systems
such as automatic teller machines and burglar alarms. It brings out the fact
that most systems don't fail because the mechanisms are weak, but because
they're used wrong, and provides economic explanations for a number of these
failures.
- Secrets
and Lies by Bruce Schneier is a more populist book in the same theme. It
discusses how things go wrong and what sort of organisational measures are
advisable to contain them. It debunks the idea that security problems can be
fixed by focussing on purely technical measures such as cryptography.
- Economics
of Information Security has a selection of papers taken from the first two
international workshops on security economics, WEIS
2002 and WEIS
2003.
- Economic
Behavior in Adversity by Jack Hirshleifer is a set of essays
from the early days of conflict theory. It starts off from early work at
Rand on how societies and economies recover from disaster; in an attempt
to plan for World War 3, Rand economists looked at the aftermath of
tragedies from World War 2 to the Black Death. This led to work on a
broader front from evolutionary game theory through the interplay of law
and economics to hindrance strategies in general. (These are where a
competitor concentrates not on running faster, but on making its
adversaries run slower.)
- The
Dark Side of the Force: Economic Foundations of Conflict Theory is a more
recent set of essays by Jack Hirshleifer, looking at such topics as the causes
of war, why it is not always true that the rich get richer and the poor poorer,
and why the technology of conflict is absolutely essential to such
questions. The decisiveness of conflict matters; so does whether its outcome
depends on the absolute or relative difference of effort between the
combatants. The evolution of strategies, for both conflict and cooperation, is
growing in its perceived importance.
- Risk
by John Adams is the classic study of why people and organisations are
sometimes more risk-averse than would seem rational, and sometimes more
risk-loving. For example, mandatory seat-belt laws did not reduce road traffic
casualties overall, but merely shifted them from vehicle occupants to
pedestrians and cyclists. Adams explains this by a `risk thermostat': people
compensate for an increased feeling of safety by driving faster. In general,
behaviour is governed by the probable costs and benefits of possible actions as
perceived through filters formed from experience and culture. This work exposes
the rather shaky foundations of much current risk assessment work.
- The
Future of Ideas by Larry Lessig is an important and influential description
of the effects that increasing technical protection of copyright is likely to
have on a range of fields, from academic and intellectual life through the
competitiveness of markets and the level of innovation. He argues that the
overprotection of digital rights is an error: private land is more valuable if
it is separated from other private land by public roads, sewers and other
utility rights-of-way. Its value is also enhanced by the existence of public
parks.
- Managing
Cybersecurity Resources: A Cost-Benefit Analysis by Larry Gordon and Marty
Loeb looks at how one can assess the costs of information security breaches and
thus estimate the return on security investment.
Other Resources
Here are some suggestions for further reading:
- The Information
Economy pages at SIMS, UC Berkeley, and their
pages
- Measuring Positive
Externalities from Unobservable Victim Precaution: An Empirical Analysis of
Lojack by Ian Ayres and Steven Levitt
- The Economist covered the subject in 2002 with a survey of information security (subscription now required).
- The Deadliest of
Games: The Institution of Dueling by Chris Kingston and Bob Wright analyses
the incentives of duelling; they explain the value of "honor" in terms of opaque
credit markets
- The Battle Over the Institutional
Ecosystem in the Digital Environment, Yochai Benkler
- Coase's Penguin, or
Linux and the Nature of the Firm, Yochai Benkler
- Paul Resnick's web
page on reputation systems has links to a lot of research that bears on
incentives and their relationship with dependability in many systems
- Brian Lavoie's paper The
incentives to preserve digital materials: roles, scenarios, and economic
decision-making investigates the long-term dependability of archives using
tools and concepts that appear applicable to many security problems
- An article in Wired
describes the low ratio of vulnerabilities to exploits and the
attention-seeking nature of many vulnerability reports prior to about 2004
- Smart
and stupid networks: Why the Internet is like Microsoft, Andrew
Odlyzko; see also his
The bumpy road
of electronic commerce
- Larry Gordon's pages on cybersecurity risk management
- The I3P Digital Library
- Snake-oil Security
Claims: the Systematic Misrepresentation of Product Security in the
E-commerce Arena, John Michener, Steven Mohan, James Astrachan and David
Hale
- Risk Management is
Where the Money Is, Dan Geer
- The Vmyths site is devoted to debunking
computer security hysteria (and see press coverage here)
- Breaking Up
Is Hard To Do: Modeling Security Threats for Smartcards, Bruce Schneier and
Adam Shostack
- The software economics site run
by Kevin Sullivan, Barry Boehm, Mary Shaw and David Notkin
- Reverse
Engineering, David Musker
- A
Simple Model of Fads and Cascading Failures, Duncan Watts
- The Cyberwar Debate: Perception and Politics in US Critical
Infrastructure Protection, Ralf Bendrath
- Sell First,
Fix Later: Impact of Patching on Software Quality by Ashish Arora,
Jonathan Caulkins and Rahul Telang
- Economic Analysis of
the Market for Software Vulnerability Disclosure by Karthik Kannan and
Rahul Telang
- The Link Between
Economics, Stability and Security in a Transforming Economy Katarzyna
Zukrowska
- Economics and Security in the
Asia Pacific: A Constructivist Analysis, Shaun Narine (requires free
ciaonet subscription)
- Power and Prosperity:
Linkages Between Security and Economics in U.S.-Japanese Relations Since
1960, Robert Wampler (requires free ciaonet subscription)
- Economics-Security
Nexus: The Evolution of Chinese Security Policy 1979-1991, Mumin Chen
- The Economics of Airline Safety
and Security by Robert Hahn
- NATO has been running annual colloquia on the interaction
between economics and national security, with a particular emphasis on Eastern
Europe. There's a summary by
Martin Spechler of the 1999 workshop
- An Economic
Perspective on Transnational Terrorism, Todd Sandler
- The World Bank has some fascinating papers on the
economics of civil war, crime and violence, by Paul Collier and Anke
Hoeffler.