DelftX: Secon101x Cyber Security Economics

Course ReaDINGS

The course readings are drawn from a variety of sources. They include outcomes of major international meetings and conferences, scholarly writings, excerpts of reports by international organizations, WEIS papers, and cutting-edge reflections on current affairs.
The course readings are designed to provide the necessary background information for the various speaker presentations as well as, present a spectrum of opinions, philosophies and perspectives on the economics of cybersecurity in a range of conflicts and situations.

For Week 1

An overview of the field

• Ross Andersson and Tyler Moore, The Economics of Information Security, Science, 2006.
• Tyler Moore and Ross Anderson. Economics and Internet Security: a Survey of Recent Analytical, Empirical and Behavioral Research, 2011 

History of information security economics

• Ross Andersson, Why Information Security is Hard - An Economic Perspective, Annual Computer Security Applications Conference, 2002.
• Hal Varian, Managing Online Security Risks, New York Times, 2000.

Not required reading, but if you want to get a bit more background on the economic concepts we are using

• The classic paper on the tragedy of the commons: G. Hardin, The Tragedy of the commons, Science, 1968.
• The classic paper on information asymmetry: A. Akerlof, The market for ‘lemons’: quality uncertainty and the market mechanism,  In Quarterly Journal of Economics, 1970
• If need more basic information about concepts like 'marginal cost' and 'diminishing (marginal) returns on investment', you can find numerous online sources. There are also online courses providing an introduction to microenonomics. A recent one that looks promising it by Tyler Cowen and Alex Tabarrok, though not all lectures are available yet: Introduction to Microeconomics, Marginal Revolution University,  2015

For Week 2

Measuring cybersecurity

• Arman Noroozian et al; Inferring Security Performance of Providers from Noisy and Heterogenous Abuse Datasets , WEIS 2017
• Rainer Böhme, Cyber-insurance revisited, WEIS 2005
• Rainer Böhme, Security Metrics and Security Investment Models, Advances in Information and Computer Security, Lecture Notes in Computer Science Volume 6434, pp 10-24, 2010
• Ross Anderson et al., Measuring the Cost of Cybercrime, WEIS, 2012
• If you are interested in more information on our example of incident metrics on botnet infections, see Michel van Eeten et al., The Role of Internet Service Providers in Botnet Mitigation An Empirical Analysis Based on Spam Data, WEIS, 2010
• The reference we mentioned to the study of privacy leaks in the Apple App Store is here: Manuel Egele et al., PiOS: Detecting Privacy Leaks in iOS Applications, NDSS, 2011. You can find a short piece in Forbes here. 

For Week 3

• Carlos Ganan, Michael Ciere and Michel van Eeten, Beyond the pretty penny: the Economic cost of cybercrime, NSPW 2017 
• Gordon and Loeb, The economics of information security investment, TISSEC, 2002
• Gordon  et al., Information Security Expenditures and Real Options: A Wait-and-See Approach, Computer Security Journal, 2003
• Bodin et al., Information security and risk management, Communications of the ACM, 2008
• Rainer Böhme and Gaile Schwartz, Modeling cyber-insurance: Towards a unifying framework, WEIS, 2010
• Gordon and Loeb, A framework for using insurance for cyber-risk management, Communications of the ACM, 2003
• Hal  Varian, System reliability and free riding, Economics of Information Security, 2004

For Week 4

Strongly suggested readings:

• Tyler Moore, Introducing the Economics of Cybersecurity: Principles and Policy Options, International Journal of Critical Infrastructure Protection, 2010
• B. Schneier, Security as a lemon market, 2007
• Tyler Moore, Richard Clayton, and Ross Anderson. The economics of online crime. Journal of Economic Perspectives,  2009
• Section 3.4 (Payment System Security) of Tyler Moore and Ross Anderson. Internet security. In Martin Peitz and Joel Waldfogel, editors, The
  Oxford Handbook of the Digital Economy, pages 572-599. Oxford University Press, 2012.

Optional readings:

• E. Gal-Or and A. Ghose, The Economic Incentives for Sharing Security Information, Information Systems Research, 2005
• Gordon et al., Sharing information on computer systems security: An economic analysis, Journal of Accounting and Public Policy, 2003
• Ross Anderson et al. , Security Economics and European Policy, WEIS, 2008
• Tyler Moore and Richard Clayton. Examining the Impact of Website Take-down on Phishing, ECRIME, 2007
• Tyler Moore and Richard Clayton. The Consequence of Non-Cooperation in the Fight Against Phishing, ECRIME, 2008
• Marc Rysman, The Economics of Two-Sided Markets. The Journal of Economic Perspectives, Vol. 23, No. 3 (Summer, 2009), pp. 125-143.

For Week 5

• Bruce Schneier,  The Psychology of Security, 2008
• Mark Frank et al., Human Behaviour and Deception Detection,  Handbook of Science and Technology for Homeland Security , 2008
• Stephen Lea et al., The Psychology of Scams – Provoking and Committing Errors of Judgment, 2009
• Frank Stajano and Paul Wilson, Understanding scam victims: seven principles for systems security, 2009
• Shari L. Pfleegera and Deanna D. Caputo, Leveraging behavioral science to mitigate cyber security risk, Computers & Security, 2012
• Alessandro Acquisti and Jens Grossklags, Privacy and Rationality: Preliminary Evidence from Pilot Data, WEIS 2004
• Alessandro Acquisti and Jens Grossklags, What Can Behavioral Economics Teach Us About Privacy?, ETRICS 2006
• Janice Tsai et al.,  The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study, WEIS 2007
• Kai-Lung Hui and Ivan Png, The Economics of Privacy, Handbooks in Information Systems, 2006
• Hal Varian, Economic Aspects of Personal Privacy, 1996
• On some of the key policy implications of security economics: Ross Anderson, Rainer Böhme, Richard Clayton and Tyler Moore, Security Economics and the Internal Market, ENISA report, 2008

Websites of interest

• Ross Anderson's Economics and Security Resource Page
• Larry Gordon's Cybersecurity Risk Management Links
• Alessandro Acquisti's page on the Economics of Privacy
• Jean Camp's Economics of Information Security Bibliography