Economics of Security and Privacy (EconSec)

The course is an elective open to anyone. There are no prerequisites, but a general understanding of computer networks and security helps. The official course description is available on the server of the Dean's Office at BME. On this page you will find recent news, course material and other relevant information; the page is refreshed continuously.

News

course room announced: IB110 @ BME

Team

Lectures: Mark Felegyhazi (BME-HIT, Crysys Lab.)

Goal

The goal of the course is to give a comprehensive overview of the economics of information security and privacy. This novel point of view sheds light on many security problems and promises solutions to them. The economic perspective is particularly well suited to analyzing the incentives of users, service providers and other networking participants, and to addressing the security issues that arise from misaligned incentives. The course is taught in English.

Requirements

During the semester: 1 homework
Requirements for the signature: homework with a minimum grade (2)
During exam time: -
Final grade: homework

Corrections

During the semester: see requirements
Repeating the signature: see requirements
During the exam period: see requirements

Lectures and room

Lectures: Thursday, 14:00-15:30
Room: BME, IB.110

Questions, comments

Drop an email: mfelegyhazi _at_ crysys.hu
Put [EconSec2014] in the subject (otherwise it can end up in my spam folder).

Course material

2011-09-11  CHAPTER 1: logistics, introduction to the economics of security and privacy
            readings: 01_introduction_econsec.pdf
2011-09-18  CHAPTER 1: logistics, introduction to the economics of security and privacy (cont'd)
2011-09-25  CHAPTER 2: introduction to the microeconomics in networking
            readings: 02_introduction_gametheory.pdf
2011-10-02  CHAPTER 3: risk management models in IT security
            readings: 03_IT_risk_management.pdf
2011-10-09  CHAPTER 4: generic models for security investments
            readings: 04_security_investments.pdf
2011-10-16  CHAPTER 5: interdependent security: security investments with selfish participants
            readings: 05_interdependent_security.pdf
2011-10-23  Hungarian national holiday
2011-10-30  ELTE holiday
2011-11-06  CHAPTER 6: vulnerabilities, patching
            readings: 06_vulnerabilities.pdf
2011-11-13  CHAPTER 7: information sharing in security
            readings: 07_information_sharing.pdf
2011-11-20  CHAPTER 8: regulations and the role of ISPs in security defense
            readings: 08_intermediaries.pdf
2011-11-27  CHAPTER 9: cyber-insurance for security risk management
            readings: 09_insurance.pdf
            notes: HW: submit document
2011-12-04  CHAPTER 10: understanding the attackers: underground economy and spam
            readings: 10_understanding_adversary.pdf
2011-12-11  TBD

Homework rules and selection

Homework selection:

Homework rules

Homework topics:

  1. disclosure effects
    Sasha Romanosky, Richard Sharp and Alessandro Acquisti, "Data Breaches and Identity Theft: When is Mandatory Disclosure Optimal?"
  2. typosquatting
    Tyler Moore and Benjamin Edelman, "Measuring the Perpetrators and Funders of Typosquatting," 14th International Conference on Financial Cryptography and Data Security, January 25-28, 2010, Tenerife, Spain
  3. phishing takedown
    Tyler Moore and Richard Clayton, "Examining the Impact of Website Take-down on Phishing," Second APWG eCrime Researchers Summit, October 4-5, 2007, Pittsburgh, PA, USA
  4. usability of PGP
    Alma Whitten and J. D. Tygar, "Why Johnny can't encrypt: a usability evaluation of PGP 5.0," USENIX Security Symposium, 1999
  5. password issues
    Joseph Bonneau and Sören Preibusch, "The password thicket: technical and market failures in human authentication on the web," WEIS '10: Proceedings of the Ninth Workshop on the Economics of Information Security, Boston, MA, USA, June 25, 2010
  6. more password issues
    Cormac Herley and Stuart Schechter, "Breaking our password hash habit: Why the sharing of users' password choices for defensive analysis is an underprovisioned social good, and what we can do to encourage it," WEIS 2013
  7. quantified security weak?
    Vilhelm Verendel, "Quantified security is a weak hypothesis: a critical survey of results and assumptions," Proceedings of the 2009 New Security Paradigms Workshop (NSPW), 2009
  8. mental models for security
    F. Asgharpour, D. Liu and L. J. Camp, "Mental models of computer security risks," WEIS 2007
  9. CAPTCHAs
    Marti Motoyama, Kirill Levchenko, Chris Kanich, Damon McCoy, Geoffrey M. Voelker and Stefan Savage, "Re: CAPTCHAs -- Understanding CAPTCHA-Solving from an Economic Context," Proceedings of the USENIX Security Symposium, Washington, D.C., August 2010, pages 435-452
  10. Twitter spam
    K. Thomas, C. Grier, V. Paxson and D. Song, "Suspended Accounts in Retrospect: An Analysis of Twitter Spam," Proc. ACM IMC, November 2011
  11. network topology economics
    Sanjeev Goyal and Adrien Vigier, "Robust Networks," December 2008 (revised January 2011)
  12. security patch management
    Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle and Chris Wright, "Timing the Application of Security Patches for Optimal Uptime," 2002
  13. security externality - encryption
    A. R. Miller and C. E. Tucker, "Encryption and data loss," WEIS 2010
  14. cloud security economics
    Terrence August, Marius Niculescu and Hyoduk Shin, "Cloud Implications on Software Network Structure and Security Risks," WEIS 2013
  15. more cloud security economics
    David Molnar and Stuart Schechter, "Self Hosting vs. Cloud Hosting: Accounting for the security impact of hosting in the cloud," WEIS 2010
  16. economics of Bitcoin mining
    Joshua Kroll, Ian Davey and Edward Felten, "The Economics of Bitcoin Mining, or Bitcoin in the Presence of Adversaries," WEIS 2013
  17. liability
    Huw Fryer, Roksana Moore and Tim Chown, "On the Viability of Using Liability to Incentivise Internet Security," WEIS 2013
  18. secure web value chain
    Hadi Asghari, Michel van Eeten, Axel Arnbak and Nico van Eijk, "Security Economics in the HTTPS Value Chain," WEIS 2013
  19. the FlipIt game
    M. van Dijk, A. Juels, A. Oprea and R. L. Rivest, "FlipIt: The Game of 'Stealthy Takeover'," Journal of Cryptology, to appear
  20. measuring security costs
    Ross Anderson, Chris Barton, Rainer Böhme, Richard Clayton, Michael van Eeten, Michael Levi, Tyler Moore and Stefan Savage, "Measuring the Cost of Cybercrime," WEIS 2012
  21. online advertisements as a game
    Nevena Vratonjic, Mohammad Hossein Manshaei, Jens Grossklags and Jean-Pierre Hubaux, "Ad-blocking Games: Monetizing Online Content Under the Threat of Ad Avoidance," WEIS 2012
  22. fake anti-virus software
    Brett Stone-Gross, Ryan Abman, Richard A. Kemmerer, Christopher Kruegel and Douglas G. Steigerwald, "The Underground Economy of Fake Antivirus Software," WEIS 2011
  23. crypto and games
    G. Kol and M. Naor, "Cryptography and game theory: Designing protocols for exchanging information"
  24. game and algorithms
    O. Goldreich, S. Micali and A. Wigderson, "How to play any mental game"