Economics Of Security
The economics of information security addresses the economic aspects of privacy and computer security. It includes models of the strictly rational "homo economicus" as well as models drawn from behavioral economics, and it treats individual and organizational decisions and behaviors with respect to security and privacy as market decisions. Its core question is: why do agents accept technical risks when technical solutions exist to mitigate those security and privacy risks? Economics addresses not only this question but also informs design decisions in security engineering.


Emergence of economics of security

National security is the canonical public good. The economic status of information security came to the intellectual fore around 2000. As is often the case with innovations, it arose simultaneously in multiple venues. In 2000, Ross Anderson wrote ''Why Information Security is Hard''. Anderson explained that a significant difficulty in the optimal development of security technology is that incentives must be aligned with the technology to enable rational adoption; thus economic insights should be integrated into technical design. A security technology should enable the party at risk to invest to limit that risk. Otherwise, the designers are simply counting on altruism for adoption and diffusion. Many consider this publication the birth of economics of security.

Also in 2000 at Harvard, Camp at the School of Government and Wolfram in the Department of Economics argued that security is not a public good; rather, each extant vulnerability has an associated negative externality value. Vulnerabilities were defined in this work as tradable goods. Six years later iDEFENSE, ZDI and others had working markets for vulnerabilities.

In 2000, scientists at the Computer Emergency Response Team at Carnegie Mellon University proposed an early mechanism for risk assessment. The Hierarchical Holographic Model provided the first multi-faceted evaluation tool to guide security investments using the science of risk. Since then, CERT has developed a suite of systematic mechanisms, such as OCTAVE, for organizations to use in risk evaluations, depending on the size and expertise of the organization. The study of computer security as an investment in risk avoidance has become standard practice.

In 2001, in an unrelated development, Lawrence A. Gordon and Martin P. Loeb published ''Using Information Security as a Response to Competitor Analysis Systems''. A working paper of the published article was written in 2000. These professors, from Maryland's Smith School of Business, present a game-theoretic framework that demonstrates how information security can prevent rival firms from gaining sensitive information. In this context, the article considers the economic (i.e., cost-benefit) aspects of information security. These authors came together to develop and expand a series of flagship events under the name Workshop on the Economics of Information Security.


Examples of findings in economics of security

Proof of work is a security technology designed to stop spam by altering the economics of sending mail: the sender must spend computation on every message, so bulk sending becomes expensive. An early paper in economics of information security argued that proof of work cannot work. More precisely, the finding was that proof of work cannot work without price discrimination, that is, without charging different senders different amounts of work, as illustrated by a later paper, ''Proof of Work can Work''.

Another finding, one that is critical to an understanding of current American data practices, is that the opposite of privacy is not, in economic terms, anonymity, but rather price discrimination. ''Privacy and price discrimination'' was authored by Andrew Odlyzko and illustrates that what may appear as information pathology in the collection of data is in fact rational organizational behavior.

Hal Varian presented three models of security using the metaphor of the height of walls around a town: the town's protection may depend on the total effort of all defenders, on the weakest link (the lowest wall), or on the best shot (the highest wall). The three cases show security as a normal good, a public good, or a good with externalities. Free riding is the end result in any case, since each defender's effort benefits the others.

Lawrence A. Gordon and Martin P. Loeb wrote ''The Economics of Information Security Investment''. The Gordon–Loeb model is considered by many the first economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach (the probability that a breach occurs with no investment) and the potential loss should such a breach occur, and shows that the optimal investment never exceeds 1/e (roughly 37%) of the expected loss.
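The following worked example of the Gordon–Loeb model is added here and is not code from the original page or from Gordon and Loeb. It assumes the Class I security-breach probability function from their paper, S(z, v) = v / (αz + 1)^β, and the figures v = 0.5, L = 1,000,000, α = 1e-5, β = 1 are constructed for illustration. It computes the investment z* that maximizes the expected net benefit, cross-checks it numerically, and verifies the 1/e bound.

```python
"""Gordon-Loeb optimal security investment (added example; the Class I breach
function follows Gordon and Loeb 2002, the numbers are constructed)."""
import math


def breach_probability(z: float, v: float, alpha: float, beta: float) -> float:
    """Class I breach function: with zero investment the probability of a
    breach is the vulnerability v; each extra unit of investment z lowers it
    with diminishing returns governed by alpha and beta."""
    return v / (alpha * z + 1.0) ** beta


def enbis(z: float, v: float, L: float, alpha: float, beta: float) -> float:
    """Expected net benefit of information security: the reduction in
    expected loss bought by investing z, minus the investment itself."""
    return (v - breach_probability(z, v, alpha, beta)) * L - z


def optimal_investment(v: float, L: float, alpha: float, beta: float) -> float:
    """Closed-form maximiser of enbis for the Class I function.
    Setting d/dz ENBIS = 0 gives (alpha*z + 1)**(beta + 1) = alpha*beta*v*L.
    If the marginal benefit of the first unit is below its cost, invest 0."""
    z = ((alpha * beta * v * L) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(z, 0.0)


def optimal_investment_numeric(v: float, L: float, alpha: float, beta: float,
                               steps: int = 200_000) -> float:
    """Brute-force cross-check of the closed form: scan z from 0 to the
    expected loss v*L (no rational agent invests more than that)."""
    upper = v * L
    best_z, best_val = 0.0, enbis(0.0, v, L, alpha, beta)
    for i in range(steps + 1):
        z = upper * i / steps
        val = enbis(z, v, L, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def within_gordon_loeb_bound(z: float, v: float, L: float) -> bool:
    """Gordon and Loeb's headline result: z* <= (1/e) * v * L."""
    return z <= v * L / math.e


if __name__ == "__main__":
    v, L, alpha, beta = 0.5, 1_000_000.0, 1e-5, 1.0   # constructed figures
    z_star = optimal_investment(v, L, alpha, beta)
    print(f"expected loss vL      = {v * L:,.0f}")
    print(f"optimal investment z* = {z_star:,.0f} ({z_star / (v * L):.1%} of vL)")
    print(f"breach prob at z*     = {breach_probability(z_star, v, alpha, beta):.3f}")
    print(f"ENBIS at z*           = {enbis(z_star, v, L, alpha, beta):,.0f}")
    print(f"within 1/e bound      = {within_gordon_loeb_bound(z_star, v, L)}")
```

With these figures the expected loss is 500,000, the optimal investment is about 123,600 (roughly 25% of the expected loss, inside the 1/e bound), and it cuts the breach probability from 0.5 to about 0.22. The practical lesson of the model is the shape of the curve, not the exact number: past z* each extra unit of spending buys less than a unit of expected-loss reduction, so "spend until the risk is gone" is never the rational policy.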


See also

* Computer insecurity
* Defensive programming (secure coding)
* Security engineering
* Hacking
* Software security assurance
* Computer security
* Trusted system
* Cyber insurance




External links


Centers that study economics of security


* Carnegie Mellon University Heinz College
* Carnegie Mellon University Privacy Lab
* Cambridge University Computer Science Laboratory
* Indiana University School of Informatics
* University of Minnesota
* University of Michigan School of Information
* Harvard University Division of Engineering and Applied Sciences
* Dartmouth hosts the I3P, which includes the Tuck School as well as the Computer Science Department in studying economics of information security.


Resources in economics of security

* Ross Anderson maintains the ''Economics of Information Security'' page.
* Alessandro Acquisti has a corresponding page.
* Jean Camp's ''Economics of Information Security'' page links to all the past workshops, with the corresponding papers, as well as current conferences and calls for papers. It also provides events, books, and an annotated bibliography.
* ''Return on Information Security Investment'' provides a self-assessment questionnaire, papers and links to information security economics resources.
* ''Cyber Attacks: An Economic Policy Challenge'', published in CEPR's policy portal VOX, provides a non-technical overview of policy and measurement issues related to the economics of cybersecurity.