Economics of security
From Wikipedia, the free encyclopedia
The economics of information security addresses the economic aspects of privacy and computer security. It includes models of the strictly rational homo economicus as well as behavioral economics.
Economics of security addresses a core question: why do people take such technical risks, and why do technical solutions to security problems exist that are not adopted? Economics can not only help answer this question but also inform design decisions in security engineering.
Emergence of Economics of Security
Since national security is the canonical public good, it may be surprising that the economics of information security did not come to the intellectual fore until 2000. Like many innovations, it seems to have occurred to many people at once.
In 2000, scientists at the Computer Emergency Response Team at Carnegie Mellon proposed an early mechanism for risk assessment. The Hierarchical Holographic Model provided the first multi-faceted evaluation tool to guide security investments using the science of risk. Since that time, CERT has developed a suite of systematic mechanisms, under the name OCTAVE, for organizations to use in risk evaluations, depending on the size and expertise of the organization.
Also in 2000, Camp at Harvard's School of Government and Wolfram in the Department of Economics argued that security is not a public good but rather an externality. Vulnerabilities were defined in this work as tradable externalities. Six years later, iDEFENSE, ZDI and Mozilla showed that there is a market for vulnerabilities. Vulnerabilities are also known as computer security exploits.
In 2001, when Ross Anderson published Why Computer Security is Hard, the groundwork was laid. Anderson explained that a significant difficulty in optimal development of security technology is that economic insights should be integrated into technical design. A security technology should enable the party at risk to invest to limit that risk. Otherwise, the designers are simply counting on altruism for adoption and diffusion.
Also in 2001, in an unrelated development, Larry Gordon and Marty Loeb published A framework on using information security as a response to competitor analysis systems. These professors at Maryland's Smith School of Business examined the strategic use of security information from a classical business perspective.
Examples of Findings in Economics of Security
One of the most popular findings in economics of information security has been that proof of work cannot work. In fact, the finding was that proof of work cannot work without price discrimination, as illustrated by a later paper, Proof of Work can Work.
Another interesting finding is that the opposite of privacy is not, in economic terms, anonymity, but rather price discrimination. Privacy and price discrimination was authored by Andrew Odlyzko.
Hal Varian presented three models of security using the metaphor of the height of walls around a town. Free riding is the end result, in any case.
Economics of Information Security links to all the past workshops, with the corresponding papers, as well as current conferences and calls for papers.
Resources in Economics of Security
Ross Anderson has an excellent Economics of Information Security page.
Alessandro Acquisti has the corresponding Economics of Privacy Resources page.
Again, Economics of Information Security events, books, past workshops, and an occasionally-updated bibliography are available at infosecon.net.