Security and Privacy: an Economic Approach (VIHIAV34)

This course is delivered in the Computer Science BSc/MSc as an elective. The official syllabus is available on the faculty's web site. On this page, you will find the most recent administrative information related to the course, as well as the lecture slides, the homework description, and links to some recommended further readings. This site is continuously updated!

Lecturers

Objectives

Information security is as much an economic problem as it is technical. Even given flawless cryptographic protocols and the availability of perfectly secure software, misaligned economic incentives of different stakeholders in a system often result in a (very) sub-optimal security level. By guiding you through the jungle of asymmetric information, interdependent security, correlated risk and other concepts characteristic for system security, this elective course will enable you to make better decisions in risk management, security investment and policy design on a system level. Furthermore, the course touches upon the economic aspects of data privacy, an emerging area of interest for users and companies in the big data era.

Requirements

During the semester

1 project assignment: written report

Time and location of classes

Lecture

  • Wednesday, 12:30-14:00, IB140

Office hours

Please contact the lecturer to schedule an appointment.

Lectures

Date Topic Lecturer Slides
2018.02.07. Introduction Biczók G. slides
2018.02.14. Microeconomics Biczók G. slides
2018.02.21. Game theory Biczók G. slides
2018.02.28. Risk management Biczók G. slides
2018.03.07. Security investment Biczók G. slides
2018.03.14. Cyber-insurance Biczók G. slides
2018.03.21. Interdependent security Biczók G. slides
2018.03.28. Vulnerabilities and patching Biczók G. slides
2018.04.04. Cancelled (Spring Holiday)
2018.04.11. Information sharing Biczók G. slides
2018.04.18. Cancelled (Dean’s Break)
2018.04.25. Economics of privacy Biczók G.
2018.05.02. Interdependent privacy Biczók G.
2018.05.09. Understanding the adversary Biczók G.
2018.05.16. Cancelled

Homework

Project assignment (Time is up. Topics in red are taken.)

1. Security advice - Herley, Cormac. So long, and no thanks for the externalities: the rational rejection of security advice by users. In Proceedings of the 2009 Workshop on New Security Paradigms (NSPW '09), ACM, New York, NY, USA, 2009, 133-144.

2. Attacker incentives - Herley, Cormac. Why do Nigerian scammers say they are from Nigeria? WEIS 2012.

3. Attacker incentives 2 - Luca Allodi, Fabio Massacci and Julian Williams. The Work-Averse Cyber Attacker Model: Theory and Evidence From Two Million Attack Signatures. WEIS 2017.

4. Attacker incentives 3 - Carlos Barreto and Alvaro A. Cardenas. Perverse Incentives in Security Contracts: A Case Study in the Colombian Power Grid. WEIS 2016.

5. Threat modeling - Florencio, Dinei, and Cormac Herley. Where do all the attacks go? In Economics of Information Security and Privacy III, Springer, New York, 2013, 13-33.

6. Bug bounty - Laszka, Aron, Mingyi Zhao, and Jens Grossklags. Banishing misaligned incentives for validating reports in bug-bounty platforms. European Symposium on Research in Computer Security, Springer International Publishing, 2016.

7. Bug bounty 2 - Thomas Maillart, Mingyi Zhao, Jens Grossklags, and John Chuang. Given Enough Eyeballs, All Bugs Shallow? Revisiting Eric Raymond with Bug Bounty Markets. WEIS 2016.

8. Risk communication - Asgharpour, Farzaneh, Debin Liu, and L. Jean Camp. Mental models of security risks. International Conference on Financial Cryptography and Data Security, Springer, Berlin Heidelberg, 2007.

9. Attacks: Internet routing - Moriano, Pablo, Soumya Achar, and L. Jean Camp. Incompetents, Criminals, or Spies: Macroeconomic Analysis of Routing Anomalies. Technical report, Indiana University, 2016.

10. Insider attacks - Liu, Debin, XiaoFeng Wang, and L. Jean Camp. Mitigating inadvertent insider threats with incentives. International Conference on Financial Cryptography and Data Security, Springer, Berlin Heidelberg, 2009.

11. Targeted attacks: APT - Van Dijk, Marten, et al. FlipIt: The game of stealthy takeover. Journal of Cryptology 26.4 (2013): 655-713.

12. Underground economy - Soska, Kyle, and Nicolas Christin. Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem. USENIX Security, vol. 15, 2015.

13. Underground economy 2 - Kurt Thomas, Danny Yuxing Huang, David Wang, Elie Bursztein, Chris Grier, Tom Holt, Christopher Kruegel, Damon McCoy, Stefan Savage and Giovanni Vigna. Framing Dependencies Introduced by Underground Commoditization. WEIS 2015.

14. Cybercrime - Anderson, Ross, et al. Measuring the cost of cybercrime. In The Economics of Information Security and Privacy, Springer, Berlin Heidelberg, 2013, 265-300.

15. HTTPS - Asghari, H., van Eeten, M.J., Arnbak, A.M. and van Eijk, N.A. Security economics in the HTTPS value chain. WEIS 2013.

16. Bitcoin - Kroll, Joshua A., Ian C. Davey, and Edward W. Felten. The economics of Bitcoin mining, or Bitcoin in the presence of adversaries. Proceedings of WEIS 2013.

17. Bitcoin 2 - Neil Gandal, Jt Hamrick, Tyler Moore and Tali Oberman. Price Manipulation in the Bitcoin Ecosystem. WEIS 2017.

18. Bitcoin 3 - Neil Gandal and Hanna Halaburda. Competition in the Crypto-Currency Market. WEIS 2014.

19. Privacy paradox - Cofone, Ignacio N. The Value of Privacy: Keeping the Money Where the Mouth is. WEIS 2015.

20. Privacy: cookies - Aziz, Arslan, and Rahul Telang. What is a Cookie Worth? WEIS 2015.

21. Privacy: tracking - Benjamin Johnson, Paul Laskowski, Thomas Maillart, John Chuang and Nicolas Christin. Caviar and Yachts: How Your Purchase Data May Come Back to Haunt You. WEIS 2015.

22. Privacy: interdependence - Harkous, Hamza, and Karl Aberer. If You Can't Beat them, Join them: A Usability Approach to Interdependent Privacy in Cloud Apps. arXiv preprint arXiv:1702.08234 (2017).

23. Security investment - Sadegh Farhang and Jens Grossklags. When to Invest in Security? Empirical Evidence and a Game-Theoretic Approach for Time-Based Security. WEIS 2017.

24. Security investment 2 - Pern Hui Chia, John Chuang, and Yanling Chen. Whack-a-mole: Asymmetric Conflict and Guerrilla Warfare in Web Security. WEIS 2016.

25. Security investment 3 - Chad Heitzenrater, Rainer Böhme, and Andrew Simpson. The Days Before Zero Day: Investment Models for Secure Software Engineering. WEIS 2016.

26. Security investment 4 - Wing Man and Wynne Lam. Attack-Deterring and Damage-Control Investments in Cybersecurity. WEIS 2015.

27. Patching - Arrah-Marie Jo. The effect of competition intensity on software security: An empirical analysis of security patch release on the web browser market. WEIS 2017.

28. Security management - Frank Nagle, Sam Ransbotham and George Westerman. The Effects of Security Management on Security Events. WEIS 2017.

29. Cyberinsurance - Sasha Romanosky, Lillian Ablon, Andreas Kuehn and Therese Jones. Content Analysis of Cyber Insurance Policies: How do carriers develop policies and price cyber risk? WEIS 2017.

30. Cyberinsurance 2 - Rui Zhang and Quanyan Zhu. Attack-Aware Cyber Insurance of Interdependent Computer Networks. WEIS 2017.

31. Data breach - Stefan Laube and Rainer Böhme. The Economics of Mandatory Security Breach Reporting to Authorities. WEIS 2015.

32. Data breach 2 - Fabio Bisogni, Hadi Asghari and Michel van Eeten. Estimating the size of the iceberg from its tip: An investigation into unreported data breach notifications. WEIS 2017.

Deadlines

Claiming a topic - topics can be claimed from 0:01am CET, March 8th, 2018 until 11:59pm CET, March 21st, 2018. Please send me an e-mail listing 5 topics of your preference (in decreasing order) with the subject [econsec_report topic_name1 topic_name2 topic_name3 topic_name4 topic_name5 your_name]. You will get an e-mail back with the assigned topic. If all 5 of your preferred topics are already claimed, you will get an e-mail back so that you can choose other topics. Topics are assigned first-come-first-served. I will mark the already claimed topics in red as soon as possible, so check the homepage regularly. If you have your own idea for a topic not listed here, together with some references, write me an e-mail.

Submitting the report - A 10-page written report (A4, single-spaced, 11 pt font, 1 inch margins, PDF format, filename: econsec_report_your_name.pdf) containing a CRITICAL REVIEW of the chosen paper (and, if needed, some of the papers it references) and a discussion of potential improvements/future work is due 11:59pm CET, May 13th, 2018. Please send the report by e-mail with the subject [econsec_report your_name].

Results

Students receive a single grade based on the written report. A CRITICAL REVIEW should offer more than a simple summary of the paper: you should assess its strengths and weaknesses, the choice of topic, the methodology and tools used, the potential impact, and your own idea(s) for how to extend or improve the paper in future work.

Previous Years