290-18 Economics of Network Security and Privacy (Spring 2008)

Schedule and Readings

Security Economics
Jan 22 Introduction to security economics & semester overview [readings]
Jan 29 The market for attention: Economics of Spam and Scam [readings]
Feb 05 The market for the lack of attention: Economics of Phishing and ID theft [readings]
Feb 12 Consensually acquired Spyware? -- The notice and consent experience [readings]
Feb 19 Individual and group security decision making: Worms, viruses... Oh my... [readings]
Feb 26 The market for software vulnerabilities and exploits & the market for insurance [readings]
  Economics of Privacy
Mar 04 Introduction to the economics of privacy [readings]
Mar 11 Business models and their impact on individual privacy [readings]
Mar 18 Identity, Anonymity and the future of 'personally identifying information' [readings]
Mar 25 Spring Recess -- no class
  Special Topics
Apr 01 Regulation, lawmaking and enforcement [readings]
Apr 08 The DRM debate [readings]
Apr 15 The economics of terrorism and cyberwarfare [readings]
  Student Projects
Apr 29 Project Presentations
May 06 Project Presentations


Part 1. Security Economics


Jan 22. Introduction to security economics

The first class will provide an overview of the lectures throughout the semester and introduce you to the area of security economics. The economics of security is a relatively new research area that brings together researchers from, and draws on work in, many other fields such as computer science, economics, legal studies and psychology. We will discuss a few recurring themes such as incentive failures and the role of externalities. Most importantly, we hope to settle into a productive interactive culture in this class to discuss formal research as well as events popularized in the news.


Why Information Security is Hard -- An Economic Perspective.
Ross Anderson
Annual Computer Security Applications Conference (ACSAC 2001)


Tussle in Cyberspace: Defining Tomorrow's Internet.
David D. Clark, John Wroclawski, Karen R. Sollins, Robert Braden
Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications (SIGCOMM 2002)


Jan 29. The market for attention: Economics of Spam and Scam

We will start the class with a brief overview of the purpose and basic economics of advertisements. Then we will follow the timeline of the arms race between spammers and the anti-spam community and mark several milestones in the introduction of new technologies and practices. In the core of the class we will discuss the economics of spam business models such as pump and dump, as well as models of defense mechanisms and their effectiveness, such as CAPTCHAs, blacklists and filters. Time permitting, we might venture into the world of online scams frequently associated with email, e.g., the Nigerian 419 scam.

Guest speaker: Jenna Burrell, Assistant Professor, UC Berkeley, School of Information [website]


An Economic Response to Unsolicited Communication.
Theodore Loder, Marshall Van Alstyne, and Rick Wash
Advances in Economic Analysis & Policy, Volume 6, Issue 1, 2006

The Effect of Stock Spam on Financial Markets.
Rainer Böhme and Thorsten Holz
Proceedings of the Workshop on the Economics of Information Security (WEIS 2006)


Problematic Empowerment: West African Internet Scams as Grassroots Media Production
Jenna Burrell
Working paper, School of Information, UC Berkeley (2007)

2007 Internet Crime Report
Internet Crime Complaint Center

"Proof-of-Work" Proves Not to Work
Ben Laurie and Richard Clayton
Proceedings of the Workshop on the Economics of Information Security (WEIS 2004)

When Proof of Work Works
Debin Liu and L. Jean Camp
NET institute working paper No. 06-18

Pricing to Solve the Problem of Spam
Robert E. Kraut, Shyam Sunder, Rahul Telang, and James Morris
Human-Computer Interaction, Volume 20

For Orlando Soto, No Day Is Complete Without Some Spam
Mylene Mangalindan
Wall Street Journal (March 15, 2004)

Under Attack, Spam Fighter Folds.
Ryan Singel
Wired News (May 16, 2006)

Spam Volumes Drop by Two-Thirds After Firm Goes Offline
Brian Krebs
Washington Post (November 12, 2008)

Taking down spammers: Successful spam fighting via legalization, regulation and economics
Gadi Evron
ZDnet (December 07, 2007)

Woman out $400K to 'Nigerian scam' con artists
Anna Song
KATU.com (November 11, 2008)

Cognitive Hacking
George Cybenko, Annarita Giani, and Paul Thompson
Advances in Computers, Volume 60 (April 2004)


Feb 05. The market for the lack of attention: Economics of Phishing and ID theft

In this lecture we will review some known facts about the black market economy evolving around phishing and other fraudulent websites and online/offline identity theft. We will read research on why phishing attacks continue to be successful in luring individuals into their traps. Similarly, we will investigate the drivers of (or the lack of better impediments to) identity theft. Distinctions are drawn between different types of ID theft such as synthetic identity theft and new account fraud.

Guest speaker: Chris J. Hoofnagle, Senior Staff Attorney (Samuelson Law, Technology & Public Policy Clinic), Senior Fellow (Berkeley Center for Law & Technology), UC Berkeley, School of Law [website]


Why Phishing Works
Rachna Dhamija, J.D. Tygar and Marti Hearst
Proceedings of the Conference on Human Factors in Computing Systems (CHI2006)

An Empirical Analysis of the Current State of Phishing Attack and Defence
Tyler Moore and Richard Clayton
Proceedings of the Workshop on the Economics of Information Security (WEIS 2007)


The economy of phishing: A survey of the operations of the phishing market.
Christopher Abad
First Monday, Volume 10, Number 9 (September 2005)

An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants
Jason Franklin, Vern Paxson, Adrian Perrig and Stefan Savage
Proceedings of 14th ACM CCS (November 2007)

Social phishing
Tom N. Jagatic, Nathaniel A. Johnson, Markus Jakobsson, and Filippo Menczer
Communications of the ACM, Volume 50, Number 10 (October 2007), pp. 94-100

The Emperor's New Security Indicators
Stuart Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer
Proceedings of the IEEE Symposium on Security and Privacy (S&P 2007)

Know your Enemy: Phishing, Behind the Scenes of Phishing Attacks
The Honeynet Project & Research Alliance


Feb 12. Consensually acquired Spyware? -- The notice and consent experience

We have good reason to be concerned about the amount of email spam we receive in our mail boxes, the spyware we might discover on our computers, or the surveillance cameras that watch our footsteps in public. The problem is that many of these technologies and applications can be used for desirable, legitimate purposes as well as for clearly unwanted practices. For example, spyware can render our computers vulnerable to the loss of important financial account data; in a different scenario, however, it can also help to prevent cheating in online games. In this class we will review in what form security, privacy and performance risks are frequently disclosed to consumers and what impact these disclosures have on individuals' decision making. Lack of or incomplete disclosure can result in significant consumer backlash, as evidenced by the Sony rootkit case.

Guest speaker: Aaron Perzanowski, Microsoft Research Fellow (Berkeley Center for Law & Technology), UC Berkeley, School of Law [website]


Noticing Notice: A large-scale experiment on the timing of software license agreements
Nathan Good, Jens Grossklags, Deirdre Mulligan, and Joe Konstan
Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI 2007)

Competition and the Quality of Standard Form Contracts: An Empirical Analysis of Software License Agreements
Florencia Marotta-Wurgler
NYU Law and Economics Working Paper No. 05-11

The Magnificence of the Disaster: Reconstructing the Sony BMG Rootkit Incident
Deirdre K. Mulligan and Aaron K. Perzanowski
Berkeley Technology Law Journal, Volume 22 (2007) p. 1157


I Know What You Did Last Logon - Monitoring Software, Spyware and Privacy
Jeff Williams
Proceedings of the Virus Bulletin Conference 2006

The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study
Janice Tsai, Serge Egelman, Lorrie Cranor, and Alessandro Acquisti
Proceedings of the Workshop on the Economics of Information Security (WEIS 2007)

Compliance v Communication.
Mark Hochhauser
Clarity: Journal of the International Movement to simplify legal language, Volume 50 (November 2003)

Informed Consent in the Mozilla Browser: Implementing Value Sensitive Design
Batya Friedman, Daniel C. Howe and Edward Felten
Proceedings of the 35th Annual Hawaii international Conference on System Sciences (HICSS 2002)

Spyware on My Machine? So What?
Michelle Delio
Wired News (December 06, 2004)

Why We Can't Be Bothered To Read Privacy Policies: Models of Privacy Economics as a Lemons Market
Tony Vila, Rachel Greenstadt, and David Molnar
Economics of Information Security (Springer Verlag)


Feb 19. Individual and group security decision making: Worms, viruses... Oh my...

Worms and other propagated threats have the potential to harm many users with one single large-scale attack. This is due to the interdependence of systems across networks. In this lecture we will review game-theoretic models for different organizational structures and will investigate when individuals have an incentive to protect or insure themselves, when they prefer to free-ride on others' efforts, and when security fails completely.


Secure or insure? A game-theoretic analysis of information security games
Jens Grossklags, Nicolas Christin and John Chuang
Proceedings of the 17th International World Wide Web Conference (WWW2008), Internet Monetization track
To be posted

System Reliability and Free Riding
Hal R. Varian
Technical Report, School of Information, UC Berkeley (February 2001)


Near rationality and competitive equilibria in networked systems
Nicolas Christin, Jens Grossklags and John Chuang
Proceedings of the SIGCOMM Workshop on Practice and Theory of Incentives in Networked Systems (PINS 2004)

Interdependent Security
Howard Kunreuther and Geoffrey Heal
Journal of Risk and Uncertainty, Volume 26, Number 2-3

Cent, five cent, ten cent, dollar: hitting botnets where it really hurts
Richard Ford and Sarah Gordon
Proceedings of the Workshop on New security paradigms (NSPW 2006)

AOL/NCSA Online Safety Study
America Online and the National Cyber Security Alliance

An experiment on learning with limited information: nonconvergence, experimentation cascades, and the advantage of being slow
Eric Friedman, Mikhael Shor, Scott Shenker, and Barry Sopher
Games and Economic Behavior, Volume 47, Number 2 (May 2004)


Feb 26. The market for software vulnerabilities and exploits: Patching, disclosure, trading & ignorance

Patching sounds like a simple enough problem. It turns out that it is one of the most vigorously researched topics in security economics. We will discuss why there seems to be an endless stream of bugs and vulnerabilities in software. Further questions we will explore are how much effort developers should invest in finding bugs, and whether independent researchers who discover critical weaknesses in code should disclose them to the public. We then continue with an exploration of the open and black markets for these vulnerabilities. We will study the organization's problem of when and how often to patch. Should large software companies force their customers to apply patches in a timely manner, or should the burden be left to service providers or the individual? Have you patched already?


Competitive and strategic effects in the timing of patch release
Ashish Arora, Christopher M. Forman, Anand Nandkumar, and Rahul Telang
Workshop on the Economics of Information Security (WEIS 2006)

Optimal time to patch revisited
Eric Rescorla

Models and Measures for Correlation in Cyber-Insurance
Rainer Böhme and Gaurav Kataria
Workshop on the Economics of Information Security (WEIS 2006)


Cyberinsecurity - The cost of monopoly: How the dominance of Microsoft's Products poses a risk to Security
Daniel Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, Charles P. Pfleeger, John S. Quarterman, and Bruce Schneier

Is finding security holes a good idea?
Eric Rescorla
Workshop on the Economics of Information Security (WEIS 2004)

Timing the application of security patches for optimal uptime
Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack
Proceedings of Sixteenth Systems Administration Conference (LISA 2002)

Impact of Software Vulnerability Announcements on the Market Value of Software Vendors - An Empirical Investigation
Rahul Telang and Sunil Wattal
Workshop on the Economics of Information Security (WEIS 2005)

Economics of security patch management
Huseyin Cavusoglu, Hasan Cavusoglu, and Jun Zhang
Workshop on the Economics of Information Security (WEIS 2006)

An Empirical Analysis of Vendor Response to Disclosure Policy
Ashish Arora, Ramayya Krishnan, Rahul Telang, and Yubao Yang
Workshop on the Economics of Information Security (WEIS 2005)

The Countervailing Incentive of Restricted Patch Distribution: Economic and Policy Implications
Mohammad S. Rahman, Karthik Kannan and Mohit Tawarmalani
Workshop on the Economics of Information Security (WEIS 2007)

A Comparison of Market Approaches to Software Vulnerability Disclosure
Rainer Böhme
Proceedings of Emerging Trends in Information and Communication Security (ETRICS 2006)

Part 2. The Economics of Privacy


Mar 04. Introduction to the Economics of Privacy

Privacy and security are often presented as contradictory terms. However, privacy is sometimes also confused with security. Where is the truth? In this lecture we will discuss the relationship between the two disciplines. We will also discuss the origin and history of the economics of privacy and showcase some current trends in this rapidly developing research field. The first studies we will read are concerned with the obstacles individuals face when they try to analyze privacy problems rationally and to act accordingly.


Economic Aspects of Personal Privacy.
Hal R. Varian
Privacy and Self-Regulation in the Information Age (report issued by the NTIA)

Privacy and Rationality in Individual Decision Making
Alessandro Acquisti and Jens Grossklags
IEEE Security and Privacy, Volume 3, Number 1 (January/February 2005)

When 25 Cents is too much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information
Jens Grossklags and Alessandro Acquisti
Proceedings of the Workshop on the Economics of Information Security (WEIS 2007)


The State of Economics of Information Security
L. Jean Camp
I/S: A Journal of Law and Policy in the Information Society, Volume 2, Number 2

Economics of Privacy
Kai-Lung Hui and Ivan P.L. Png
Handbooks in Information Systems, Volume 1 (Elsevier, 2006)

'I've Got Nothing to Hide' and Other Misunderstandings of Privacy
Daniel J. Solove
San Diego Law Review, Volume 44 (2007)

Experimental Economics and Experimental Computer Science: A Survey
Jens Grossklags
Proceedings of the Workshop on Experimental Computer Science (ExpCS 2007)

The Orbitofrontal Cortex, Real-World Decision-Making, and Normal Aging
Natalie L. Denburg, Catherine A. Cole, Michael Hernandez, Torricia H. Yamada, Daniel Tranel, Antoine Bechara, and Robert B. Wallace
Linking Affect to Action: Critical Contributions of the Orbitofrontal Cortex (Edited by: Geoffrey Schoenbaum, Jay A. Gottfried, Elizabeth A. Murray and Seth J. Ramus), Annals of the New York Academy of Sciences (December 2007)

Terrorism, Acute Stress, and Cardiovascular Health
E. Alison Holman, Roxane Cohen Silver, Michael Poulin, Judith Andersen, Virginia Gil-Rivas, and Daniel N. McIntosh
Archives of General Psychiatry, Volume 65, Number 1 (January 2008), pp. 73-80

Data Users versus Data Subjects: Are Consumers Willing to Pay for Property Rights to Personal Information?
Ellen Rose
Proceedings of the 38th Hawaii International Conference on System Sciences (HICSS 2005)

A Study on The Value of Location Privacy
Dan Cvrcek, Marek Kumpost, Vashek Matyas, and George Danezis
Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2006)

Valuating Privacy
Bernardo A. Huberman, Eytan Adar, and Leslie R. Fine
IEEE Security & Privacy, Volume 3, Number 5 (Sep.-Oct. 2005)

E-privacy in 2nd generation E-Commerce: privacy preferences versus actual behavior
Sarah Spiekermann, Jens Grossklags, and Bettina Berendt
Proceedings of the Third ACM Conference on Electronic Commerce (ACM EC 2001)


Mar 11. Business models: Price discrimination and more


Conditioning Prices on Purchase History
Alessandro Acquisti and Hal Varian
Marketing Science, Volume 24, Number 3 (2005), pp. 1-15


Privacy, economics, and price discrimination on the Internet,
Andrew Odlyzko
Proceedings of the Fifth International Conference on Electronic Commerce (ICEC2003)

Ask.com Puts a Bet on Privacy
Miguel Helft
New York Times (December 11, 2007)

Web sites change prices based on customers' habits
Anita Ramasastry
CNN.com (June 24, 2005)


Mar 18. Identity, Anonymity and the future of 'Personally Identifying Information'


On the Economics of Anonymity
Alessandro Acquisti, Roger Dingledine, Paul Syverson
Financial Cryptography, Springer Lecture Notes in Computer Science, No. 2742 (2003), pp. 84-102

Messin' with Texas: Deriving Mother's Maiden Names Using Public Records
Virgil Griffith and Markus Jakobsson
Applied Cryptography and Network Security, Springer Lecture Notes in Computer Science, No. 3531 (2005), pp. 91-103


Economics and Identity
George Akerlof and Rachel Kranton
Quarterly Journal of Economics, Volume CXV, Number 3 (August 2000), pp. 715-733

How To Break Anonymity of the Netflix Prize Dataset
Arvind Narayanan and Vitaly Shmatikov
arXiv:cs/0610105v2, Cryptography and Security (cs.CR); Databases (cs.DB)

K-Anonymity: A Model for Protecting Privacy
Latanya Sweeney
International Journal Uncertainty, Fuzziness, and Knowledge-Based Systems, Volume 10 (2002), pp. 557-570

Web-Based Inference Detection
Jessica Staddon, Philippe Golle, and Bryce Zimny
USENIX Security Conference (2007)

Inference Attacks on Location Tracks
John Krumm
Fifth International Conference on Pervasive Computing (Pervasive 2007)

You are what you say: Privacy risks of public mentions
Dan Frankowski, Dan Cosley, Shilad Sen, Loren Terveen, and John Riedl
Proceedings of the 29th Annual International ACM SIGIR Conference on Research and Development in Information Retrieval (August 2006)

Part 3. Special Topics


Apr 01. Regulation, lawmaking and enforcement


Information Disclosure as a light-weight regulatory mechanism
Deirdre Mulligan
Proceedings of the DIMACS Workshop on Information Security Economics 2007

Is There a Cost to Privacy Breaches? An Event Study
Alessandro Acquisti, Allan Friedman, and Rahul Telang
Proceedings of the International Conference of Information Systems (ICIS 2006)

The Deterrent Effect of Enforcement Against Computer Hackers: Cross-Country Evidence
Ivan Png and Chen Yu Wang
Proceedings of the Workshop on the Economics of Information Security (WEIS 2007)


Privacy versus Antidiscrimination
Lior Jacob Strahilevitz
Working paper, University of Chicago Law School

Crime and Punishment: An Economic Approach
Gary Becker
Journal of Political Economy, Volume 76, Number 2 (March-April 1968)

Measuring Positive Externalities from Unobservable Victim Precaution: An Empirical Analysis of Lojack
Ian Ayres and Steven D. Levitt
The Quarterly Journal of Economics, Volume 113, Number 1 (February 1998)

The Economic Impact of Regulatory Information Disclosure on Information Security Investments, Competition, and Social Welfare
Anindya Ghose and Uday Rajan
Proceedings of the Workshop on the Economics of Information Security (WEIS 2006)


Apr 08. The DRM debate


Piracy of digital products: A critical review of the economics literature
Martin Peitz and Patrick Waelbroeck
Information Economics and Policy, Volume 18, Number 4 (November 2006)

Digital Music Usage and DRM: Results from a European Consumer Survey
Nicole Dufft, Andreas Stiehler, Danny Vogeley, Thorsten Wichmann
Indicare: The Informed Dialogue about Consumer Acceptability of DRM Solutions in Europe (May 2005)


Digital Rights Management and Consumer Acceptability
Natali Helberger (Ed.)
Indicare: The Informed Dialogue about Consumer Acceptability of DRM Solutions in Europe (December 2004)

How DRM-based content delivery systems disrupt expectations of "personal use"
Deirdre K. Mulligan, John Han, and Aaron J. Burstein
Proceedings of the 3rd ACM Workshop on Digital Rights Management (October 2003)

Digital Rights Management and the Pricing of Digital Products
Yooki Park and Suzanne Scotchmer
NBER Working Paper, No. W11532 (August 2005)

DRM and Privacy
Julie E. Cohen
Berkeley Technology Law Journal, Volume 18, Number 2 (Spring 2003)


Apr 15. The economics of terrorism and cyberwarfare


A Worst-Case Worm
Nicholas Weaver and Vern Paxson
Proceedings of the Workshop on the Economics of Information Security (WEIS 2004)

Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats
James A. Lewis
Center for Strategic and International Studies (November 2002)


Defending state against ones and zeros
Steven E. Roberts
Foreign Service Journal (December 2005)

Government backed counter-attack-forces necessary in future: A letter from concerned scientists to the President of the United States
O. Sami Saydjari, Robert Balzer, Terry C. Vickers Benzel, Thomas A. Berson, ...

The National Strategy to Secure Cyberspace
US Government (February 2003)

Last Updated: April 09, 2008 - Jens Grossklags