Security Economics Laboratory
What is Security Economics?
As a discipline, security economics helps to answer questions such as these:
- Why has Internet security worsened even as investment has increased?
- According to a report from the US Secret Service/Verizon, 64% of data breaches could have been prevented using "simple and cheap" countermeasures. Why aren't they deployed?
- How much should firms invest to protect their IT systems?
- How can the past history of cyber incidents guide future investments in defense?
Economics puts the challenges facing information security into perspective better than a purely technical approach does. Systems often fail because the organizations that defend them do not bear the full costs of failure. In order to solve the problems of growing vulnerability and increasing crime, solutions must coherently allocate responsibilities and liabilities so that the parties in a position to fix problems have an incentive to do so. This requires a technical comprehension of security threats combined with an economic perspective to uncover the strategies employed by attackers and defenders.
Research in security economics includes the development of theoretical models to study the strategic interaction of attackers and defenders. It also includes empirical approaches to quantify security threats more accurately. This page lists some of my papers, including introductory surveys, policy recommendations, empirical analysis and modeling. It also lists some publication venues for security economics research.
Since Fall 2012 Tyler Moore has taught a graduate course in Security Economics at SMU (CSE 5/7338) and TU. If you are interested in teaching a similar course at your university, please get in touch.
Selected Security Economics Papers
Here is a selection of papers that Tyler Moore has co-authored in the area grouped by topic. For a more comprehensive listing of papers in the field, see Ross Anderson's Economics and Security Resource Page.
Tyler Moore and Ross Anderson. "Economics and Internet Security: a Survey of Recent Analytical, Empirical and Behavioral Research." Harvard Computer Science Technical Report TR-03-11 (to appear as a chapter in the Oxford Handbook of the Digital Economy, 2011) [Paper]
Tyler Moore. "The Economics of Cybersecurity: Principles and Policy Options". International Journal of Critical Infrastructure Protection 3 (3-4), pp. 103-117, December 2010. [Paper | Link to publisher] (Based on a report for the US National Academy of Sciences, Proceedings of a Workshop on Deterring Cyberattacks, pp. 3-23)
Ross Anderson, Rainer Böhme, Richard Clayton and Tyler Moore. "Security Economics and European Policy." Seventh Workshop on the Economics of Information Security. June 26-28, 2008: Hanover, NH, USA. [Paper | Press: Network World, Security Focus, The Register] (Based on this report written for ENISA)
Tyler Moore, Nektarios Leontiadis and Nicolas Christin. "Fashion Crimes: Trending-Term Exploitation on the Web". 18th ACM Conference on Computer and Communications Security. October 18-20, 2011: Chicago, IL. [Paper | Presentation | Blog Post]
Nektarios Leontiadis, Tyler Moore and Nicolas Christin. "Measuring and Analyzing Search-Redirection Attacks in the Illicit Online Prescription Drug Trade". 20th USENIX Security Symposium. August 10-12, 2011: San Francisco, CA. [Paper | Blog Post]
Tyler Moore and Benjamin Edelman. "Measuring the Perpetrators and Funders of Typosquatting." 14th International Conference on Financial Cryptography and Data Security. January 25-28, 2010: Tenerife, Spain. [Paper | Web Appendix | Press: New Scientist, The Register, ZDNet]
Tyler Moore and Richard Clayton. "Examining the Impact of Website Take-down on Phishing." Second APWG eCrime Researcher's Summit. October 4-5, 2007: Pittsburgh, PA, USA. [Paper | Presentation | Link to publisher | Press: PC World, Infosecurity Magazine]
Tyler Moore and Richard Clayton. "The Impact of Incentives on Notice and Take-down." Seventh Workshop on the Economics of Information Security. June 26-28, 2008: Hanover, NH, USA. [Paper | Press: The Guardian]
Tyler Moore and Richard Clayton. "The Impact of Public Information on Phishing Attack and Defense." Communications and Strategies 81(1), pp. 45-68, 2011. [Paper | Original conference paper from FC 2009 | Presentation | Link to publisher for conference version]
Modeling Attack and Defense
Rainer Böhme, Tyler Moore. "The Iterated Weakest Link - A Model of Adaptive Security Investment." 8th Workshop on the Economics of Information Security (WEIS). June 24-24, 2009: London, UK. [Full Paper | Presentation | Essay in IEEE Security and Privacy -- winner of the Gordon Prize in Managing Cybersecurity Resources | Link to publisher]
Tyler Moore, Allan Friedman and Ariel Procaccia. "Would a 'Cyber Warrior' Protect Us? Exploring Trade-offs Between Attack and Defense of Information Systems". 13th New Security Paradigms Workshop (NSPW). September 21-23, 2010: Concord, Massachusetts. [Paper]
Security Economics Conferences
Due to its interdisciplinary nature, it can be difficult to keep track of all the venues for publishing research in the field of security economics. Below is a partial list of conferences that encourage papers on the economics of information security.
WEIS, the Workshop on the Economics of Information Security. WEIS is the flagship conference for research on the economics of information security, held in June each year. All papers from past WEIS conferences are available on their respective websites. You can also find past proceedings on DBLP.
Financial Crypto (FC). In addition to applied cryptography papers, FC encourages submissions on the economics of information security, especially if they relate to financial security or fraud. Papers from past conferences are linked to from the IFCA website.
APWG eCrime Researchers Summit. APWG eCrime encourages submissions which measure electronic crime and the underground economy.
IFIP WG 11.10 International Conference on Critical Infrastructure Protection. The IFIP 11.10 conference solicits papers related to the economics of critical infrastructure protection.
The Journal of Cybersecurity (JCS) is a new open-access publication from Oxford University Press, developed specifically to deliver a venue that bridges the many different disciplines and specialties involving information security. Selected papers from WEIS conferences are published in JCS.
Jean Camp maintains a list of EIS publication venues here. Please email me to let me know about new venues that encourage EIS publications.