Archive - 2016-2017-2

Security and Privacy: an Economic Approach (VIHIAV34)

This course is delivered in the Computer Science BSc/MSc as an elective. The official syllabus is available on the faculty's web site. On this page, you will find the most recent administrative information related to the course, as well as the lecture slides, the homework description, and links to some recommended further readings. This site is continuously updated!



Information security is as much an economic problem as it is a technical one. Even given flawless cryptographic protocols and the availability of perfectly secure software, the misaligned economic incentives of different stakeholders in a system often result in a (very) sub-optimal security level. By guiding you through the jungle of asymmetric information, interdependent security, correlated risk and other concepts characteristic of system security, this elective course will enable you to make better decisions in risk management, security investment and policy design on a system level. Furthermore, the course touches upon the economic aspects of data privacy, an emerging area of interest for users and companies in the big data era.





During the semester

1 project assignment: written report and oral presentation

Time and location of classes



  • Wednesday, 12:30-14:00, I.L. 108. (Morgan Stanley lab)


Office hours

Please contact the lecturer to schedule an appointment.



| Date | Topic | Lecturer |
| --- | --- | --- |
| 2017.02.08. | Introduction | Biczók G. |
| 2017.02.15. | Microeconomics | Biczók G. |
| 2017.02.22. | Game theory | Biczók G. |
| 2017.03.01. | Risk management | Biczók G. |
| 2017.03.08. | Security investment | Biczók G. |
| 2017.03.15. | Cancelled (National Holiday) | |
| 2017.03.22. | Cyber-insurance | Biczók G. |
| 2017.03.29. | Interdependent security | Biczók G. |
| 2017.04.05. | Vulnerabilities and patching | Biczók G. |
| 2017.04.12. | Information sharing | Biczók G. |
| 2017.04.19. | Understanding the adversary | Biczók G. |
| 2017.04.26. | Economics of privacy | Biczók G. |
| 2017.05.03. | Interdependent privacy | Biczók G. |
| 2017.05.10. | Student project presentations | Biczók G. |

Homework


Potential topics

Security advice - Herley, Cormac. 2009. So long, and no thanks for the externalities: the rational rejection of security advice by users. In Proceedings of the 2009 workshop on New security paradigms workshop (NSPW '09). ACM, New York, NY, USA, 133-144.

Attacker incentives - Herley, Cormac. Why do Nigerian scammers say they are from Nigeria? WEIS. 2012.

Threat modeling - Florencio, Dinei, and Cormac Herley. Where do all the attacks go? Economics of Information Security and Privacy III. Springer New York, 2013. 13-33.

Bug bounty - Laszka, Aron, Mingyi Zhao, and Jens Grossklags. Banishing misaligned incentives for validating reports in bug-bounty platforms. European Symposium on Research in Computer Security. Springer International Publishing, 2016.

Risk communication - Asgharpour, Farzaneh, Debin Liu, and L. Jean Camp. Mental models of security risks. International Conference on Financial Cryptography and Data Security. Springer Berlin Heidelberg, 2007.

Attacks: Internet routing - Moriano, Pablo, Soumya Achar, and L. Jean Camp. Incompetents, Criminals, or Spies: Macroeconomic Analysis of Routing Anomalies. Technical report, Indiana University, 2016.

Insider attacks - Liu, Debin, XiaoFeng Wang, and L. Jean Camp. Mitigating inadvertent insider threats with incentives. International Conference on Financial Cryptography and Data Security. Springer Berlin Heidelberg, 2009.

Targeted attacks: APT - Van Dijk, Marten, et al. FlipIt: The game of stealthy takeover. Journal of Cryptology 26.4 (2013): 655-713.

Underground economy - Soska, Kyle, and Nicolas Christin. Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem. USENIX Security. Vol. 15. 2015.

Cybercrime - Anderson, Ross, et al. Measuring the cost of cybercrime. The economics of information security and privacy. Springer Berlin Heidelberg, 2013. 265-300.

HTTPS - Asghari, H., van Eeten, M.J., Arnbak, A.M. and van Eijk, N.A. Security economics in the HTTPS value chain, WEIS 2013.

Bitcoin - Kroll, Joshua A., Ian C. Davey, and Edward W. Felten. The economics of Bitcoin mining, or Bitcoin in the presence of adversaries. Proceedings of WEIS 2013.

Privacy paradox - Cofone, Ignacio N. The Value of Privacy: Keeping the Money Where the Mouth is. WEIS 2015.

Privacy: cookies - Aziz, Arslan, and Rahul Telang. What is a Cookie Worth? WEIS 2015.

Privacy: interdependence - Harkous, Hamza, and Karl Aberer. If You Can't Beat them, Join them: A Usability Approach to Interdependent Privacy in Cloud Apps. arXiv preprint arXiv:1702.08234 (2017).



Claiming a topic - topics can be claimed until 11:59pm CET, March 29th, 2017. Please send me an e-mail with 3 topics of your preference (in decreasing order) with the subject [econsec_report topic_name1 topic_name2 topic_name3 your_name]. You will get an e-mail back with the assigned topic. If all 3 of your preferred topics are already claimed, you will get an e-mail back asking you to choose other topics. Topics are assigned first-come, first-served. I will mark the already claimed topics in red ASAP, so check the homepage regularly. If you have your own idea for a topic not listed here, together with some references, write me an e-mail.

Submitting the report - A 10-page (A4, single-spaced, 11 pt font, 1 inch margins, PDF format, filename: econsec_report_your_name.pdf) written report containing a critical review of the chosen paper (and, if needed, some of the referenced papers) and some discussion of potential improvements/future work is due 11:59pm CET, May 7th, 2017. Please send the report by e-mail with the subject [econsec_report your_name].

Oral presentation - 10-minute oral presentations will take place at the last lecture (details TBA).