The economics of information security addresses the economic aspects of privacy and computer security. Economics of information security includes models of the strictly rational “homo economicus” as well as behavioral economics. Economics of security addresses individual and organizational decisions and behaviors with respect to security and privacy as market decisions.
Economics of security addresses a core question: why do agents choose technical risks when there exist technical solutions to mitigate security and privacy risks? Economics addresses not only this question, but also informs design decisions in security engineering.
Emergence of economics of security
National security is the canonical public good. The economic status of information security came to the intellectual fore around 2000. As is the case with innovations, it arose simultaneously in multiple venues.
In 2000, Ross Anderson wrote ''Why Information Security is Hard''. Anderson explained that a significant difficulty in optimal development of security technology is that incentives must be aligned with the technology to enable rational adoption. Thus, economic insights should be integrated into technical design. A security technology should enable the party at risk to invest to limit that risk. Otherwise, the designers are simply counting on altruism for adoption and diffusion. Many consider this publication the birth of economics of security.
Also in 2000 at Harvard, Camp at the School of Government and Wolfram in the Department of Economics argued that security is not a public good, but rather that each extant vulnerability has an associated negative externality value. Vulnerabilities were defined in this work as tradable goods. Six years later iDEFENSE, ZDI and others have extant markets for vulnerabilities.
In 2000, the scientists at the Computer Emergency Response Team at Carnegie Mellon University proposed an early mechanism for risk assessment. The Hierarchical Holographic Model provided the first multi-faceted evaluation tool to guide security investments using the science of risk. Since that time, CERT has developed a suite of systematic mechanisms for organizations to use in risk evaluations, depending on the size and expertise of the organization (OCTAVE). The study of computer security as an investment in risk avoidance has become standard practice.
In 2001, in an unrelated development, Lawrence A. Gordon and Martin P. Loeb published ''Using Information Security as a Response to Competitor Analysis System''. A working paper of the published article was written in 2000. These professors, from Maryland's Smith School of Business, present a game-theoretic framework that demonstrates how information security can prevent rival firms from gaining sensitive information. In this context, the article considers the economic (i.e., cost-benefit) aspects of information security.
The authors came together to develop and expand a series of flagship events under the name Workshop on the Economics of Information Security.
Examples of findings in economics of security
Proof of work is a security technology designed to stop spam by altering the economics. An early paper in economics of information security argued that proof of work cannot work. In fact, the finding was that proof of work cannot work without price discrimination, as illustrated by a later paper, ''Proof of Work can Work''.
Another finding, one that is critical to an understanding of current American data practices, is that the opposite of privacy is not, in economic terms, anonymity, but rather price discrimination. ''Privacy and price discrimination'' was authored by Andrew Odlyzko and illustrates that what may appear as information pathology in the collection of data is in fact rational organizational behavior.
Hal Varian presented three models of security using the metaphor of the height of walls around a town to show security as a normal good, a public good, or a good with externalities. Free riding is the end result in any case.
Lawrence A. Gordon and Martin P. Loeb wrote ''The Economics of Information Security Investment''. The Gordon–Loeb model is considered by many as the first economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur.
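As an added worked example (not code from the article or from Gordon and Loeb), the following Python uses the class I security breach probability function from the Gordon–Loeb paper to compute the optimal investment for constructed values of the vulnerability v, the loss L and the productivity parameters alpha and beta, and checks the model's 1/e bound numerically:

```python
import math

# Added illustration of the Gordon-Loeb model (not code from the article or the
# paper). Class I security breach probability function from Gordon and Loeb:
#   S(z, v) = v / (alpha*z + 1)**beta
# z = money invested, v = breach probability with no investment ("vulnerability"),
# loss = monetary loss if breached, alpha/beta > 0 = investment productivity.

def breach_probability(z, v, alpha=1.0, beta=1.0):
    """Probability of a breach after investing z (class I function)."""
    return v / (alpha * z + 1.0) ** beta

def expected_net_benefit(z, v, loss, alpha=1.0, beta=1.0):
    """ENBIS(z): expected loss avoided by the investment minus its cost."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z

def optimal_investment(v, loss, alpha=1.0, beta=1.0):
    """Closed-form maximiser of ENBIS for the class I function.

    d/dz ENBIS = alpha*beta*v*loss*(alpha*z+1)**(-beta-1) - 1 = 0 gives
    (alpha*z+1)**(beta+1) = alpha*beta*v*loss; solve for z and clip at zero
    (investing nothing is optimal when the first unit returns less than it costs).
    """
    z = ((alpha * beta * v * loss) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(0.0, z)

def grid_search_optimum(v, loss, alpha=1.0, beta=1.0, step=1.0):
    """Independent numeric check: scan z in [0, v*loss] for the largest ENBIS."""
    best_z, best_val = 0.0, expected_net_benefit(0.0, v, loss, alpha, beta)
    z = step
    while z <= v * loss:
        val = expected_net_benefit(z, v, loss, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z

def within_one_over_e(v, loss, alpha=1.0, beta=1.0):
    """Gordon-Loeb's headline result: z* never exceeds 1/e of the expected loss v*loss."""
    return optimal_investment(v, loss, alpha, beta) <= v * loss / math.e

if __name__ == "__main__":
    v, loss = 0.5, 1_000_000.0  # constructed: 50% breach chance, $1M loss
    z_star = optimal_investment(v, loss)
    print(f"optimal investment z* = {z_star:,.2f}")
    print(f"breach probability falls from {v} to {breach_probability(z_star, v):.4f}")
    print(f"z*/(v*L) = {z_star / (v * loss):.4%}; bound 1/e = {1 / math.e:.2%}")
```

With the constructed inputs the optimum is roughly 706, far below the 1/e ceiling of about 184,000, which is the model's point: the vulnerability and loss set a ceiling on rational spending, not a target.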
See also
* Computer insecurity
* Defensive programming (secure coding)
* Security engineering
* Hacking
* Software security assurance
* Computer security
* Trusted system
* Cyber insurance
External links
Centers that study economics of security
* Carnegie Mellon University Heinz College
* Carnegie Mellon University Privacy Lab
* Cambridge University Computer Science Laboratory
* Indiana University School of Informatics
* University of Minnesota
* University of Michigan School of Information
* Harvard University Division of Engineering and Applied Sciences
* Dartmouth hosts the I3P, which includes the Tuck School as well as the Computer Science Department in studying economics of information security.
Resources in economics of security
* Ross Anderson maintains the Economics of Information Security page.
* Alessandro Acquisti has the corresponding page.
* Jean Camp's Economics of Information Security page links to all the past workshops, with the corresponding papers, as well as current conferences and calls for papers. It also provides events, books, past workshops, and an annotated bibliography.
* Return on Information Security Investment provides a self-assessment questionnaire, papers and links to information security economics resources.
* Cyber Attacks: An Economic Policy Challenge, published in CEPR's policy portal VOX, provides a non-technical overview of policy and measurement issues related to the economics of cybersecurity.