Economics of Security and Privacy (EconSec)

This is an elective course open to anyone. There are no prerequisites, but a general understanding of computer networks and security helps. You can find the official course description on the server of the Dean's Office at BME. On this page, you will find recent news, course material and other relevant information. We update the page continuously.


course room announced: IB110 @ BME


Lecturer: Mark Felegyhazi (BME-HIT, CrySyS Lab.)


The goal of the course is to give a comprehensive overview of the economics of information security and privacy. This novel point of view sheds light on many security problems and promises solutions to them. The economic point of view is particularly appropriate for analyzing the incentives of users, service providers and other network participants, and it promises solutions to security issues that arise from misaligned incentives. The course is taught in English.


During the semester: 1 homework
Requirements for the signature: homework with a minimum grade (2)
During exam time: -
Final grade: homework


During the semester: see requirements
Repeat the signature: see requirements
During the exam period: see requirements

Lectures and room

Lectures: Thursday, 14:00-15:30
Room: BME, IB. 110

Questions, comments

drop an email: mfelegyhazi _at_
in subject: [EconSec2014]
  (otherwise it can end up in my spam folder)

Course material

| Date | Topic | Readings | Notes |
|---|---|---|---|
| 2011-09-11 | CHAPTER 1: logistics, introduction to the economics of security and privacy | | |
| 2011-09-18 | CHAPTER 1: logistics, introduction to the economics of security and privacy (cont'd) | - | - |
| 2011-09-25 | CHAPTER 2: introduction to the microeconomics in networking | | |
| 2011-10-02 | CHAPTER 3: risk management models in IT security | | |
| 2011-10-09 | CHAPTER 4: generic models for security investments | | |
| 2011-10-16 | CHAPTER 5: interdependent security: security investments with selfish participants | | |
| 2011-10-23 | Hungarian national holiday | - | - |
| 2011-10-30 | ELTE holiday | - | - |
| 2011-11-06 | CHAPTER 6: vulnerabilities, patching | | |
| 2011-11-13 | CHAPTER 7: information sharing in security | | |
| 2011-11-20 | CHAPTER 8: regulations and the role of ISPs in security defense | | |
| 2011-11-27 | CHAPTER 9: cyber-insurance for security risk management | | HW: submit document |
| 2011-12-04 | CHAPTER 10: understanding the attackers: underground economy and spam | | |
| 2011-12-11 | TBD | - | - |

Homework rules and selection

Homework selection:

Homework rules

Homework topics:

  1. - disclosure effects
    "Data Breaches and Identity Theft: When is Mandatory Disclosure Optimal?" - Sasha Romanosky, Richard Sharp and Alessandro Acquisti
  2. - typosquatting
    Tyler Moore and Benjamin Edelman. "Measuring the Perpetrators and Funders of Typosquatting." 14th International Conference on Financial Cryptography and Data Security. January 25-28, 2010: Tenerife, Spain
  3. - phishing takedown
    Tyler Moore and Richard Clayton. "Examining the Impact of Website Take-down on Phishing." Second APWG eCrime Researcher's Summit. October 4-5, 2007: Pittsburgh, PA, USA
  4. - usability of PGP
    Whitten, Alma and Tygar, J. D. "Why Johnny can't encrypt: a usability evaluation of PGP 5.0", USENIX Security Symposium, 1999
  5. - password issues
    "The password thicket: technical and market failures in human authentication on the web," Joseph Bonneau and Sören Preibusch. WEIS '10: Proceedings of the Ninth Workshop on the Economics of Information Security. Boston, MA, USA, Jun 25 2010
  6. - more password issues
    Breaking our password hash habit: Why the sharing of users' password choices for defensive analysis is an underprovisioned social good, and what we can do to encourage it. Cormac Herley, Stuart Schechter, WEIS 2013
  7. - quantified security weak?
    Verendel, Vilhelm, "Quantified security is a weak hypothesis: a critical survey of results and assumptions," Proceedings of the 2009 workshop on New security paradigms workshop (NSPW), 2009
  8. - mental models for security
    Mental models of computer security risks, Asgharpour, F. and Liu, D. and Camp, L.J., WEIS 2007
  9. - CAPTCHA-s
    "Re: CAPTCHAs - Understanding CAPTCHA-Solving from an Economic Context", Marti Motoyama, Kirill Levchenko, Chris Kanich, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage, Proceedings of the USENIX Security Symposium, Washington, D.C., August 2010, pages 435–452.
  10. - Twitter spam
    K. Thomas, C. Grier, V. Paxson and D. Song, Suspended Accounts in Retrospect: An Analysis of Twitter Spam, Proc. ACM IMC, November 2011.
  11. - network topology economics
    Sanjeev Goyal and Adrien Vigier, "Robust Networks", December 2008 (revised January 2011)
  12. - security patch management
    Timing the Application of Security Patches for Optimal Uptime by Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, and Chris Wright, 2002
  13. - security externality - encryption
    "Encryption and data loss," Miller, A.R. and Tucker, C.E., WEIS 2010
  14. - cloud security economics
    "Cloud Implications on Software Network Structure and Security Risks", Terrence August, Marius Niculescu, Hyoduk Shin, WEIS 2013
  15. - more cloud security economics
    Self Hosting vs. Cloud Hosting: Accounting for the security impact of hosting in the cloud, David Molnar and Stuart Schechter, WEIS 2010
  16. - economics of Bitcoin mining
    "The Economics of Bitcoin Mining, or Bitcoin in the Presence of Adversaries", Joshua Kroll, Ian Davey, Edward Felten, WEIS 2013
  17. - liability
    "On the Viability of Using Liability to Incentivise Internet Security", Huw Fryer, Roksana Moore, Tim Chown, WEIS 2013
  18. - secure web value chain
    "Security Economics in the HTTPS Value Chain", Hadi Asghari, Michel Van Eeten, Axel Arnbak, Nico van Eijk, WEIS 2013
  19. - the FlipIt game
    M. van Dijk, A. Juels, A. Oprea, and R. L. Rivest. FlipIt: The Game of "Stealthy Takeover". Journal of Cryptology, to appear
  20. - measuring security costs
    "Measuring the Cost of Cybercrime", Ross Anderson, Chris Barton, Rainer Böhme, Richard Clayton, Michael van Eeten, Michael Levi, Tyler Moore, Stefan Savage, WEIS 2012
  21. - online advertisements as a game
    "Ad-blocking Games: Monetizing Online Content Under the Threat of Ad Avoidance", Nevena Vratonjic, Mohammad Hossein Manshaei, Jens Grossklags, Jean-Pierre Hubaux, WEIS 2012
  22. - fake anti-virus software
    "The Underground Economy of Fake Antivirus Software", Brett Stone-Gross, Ryan Abman, Richard A. Kemmerer, Christopher Kruegel, Douglas G. Steigerwald, WEIS 2011
  23. - crypto and games
    "Cryptography and game theory: Designing protocols for exchanging information", G Kol, M Naor
  24. - game and algorithms
    "How to play any mental game", O Goldreich, S Micali, A Wigderson