Computing Reviews
The economics of information security and privacy
Böhme R., Springer Publishing Company, Incorporated, New York, NY, 2013. 315 pp. Type: Book (978-3-642394-97-3)
Date Reviewed: Sep 26 2014

Information security and privacy are political hot buttons, and more so as we become, personally and as a society, increasingly dependent on IT. From Heartland Payment Systems to Target to community health services, barely a day goes by without another database being hacked, and another business announcing a breach of privacy. At the same time, privacy regulations are being drafted, proposed, and entered into law in different countries and jurisdictions, creating a new set of legal and financial liabilities for businesses that fail to effectively secure their data.

How much should businesses spend to manage information security and privacy, bearing in mind that these investments have a measurable opportunity cost? The Workshop on the Economics of Information Security brings together researchers from a variety of disciplines to propose and discuss alternate approaches to measuring the economic impact of information security, privacy, and cybercrime. The latest volume of proceedings contains 13 contributions to the 11th Workshop. The first section focuses on information security management, while the three remaining sections focus on the economics of information security, privacy, and cybercrime, respectively.

Part 1, “Management of Information Security,” consists of four papers. The first, “A Closer Look at Information Security Costs,” is primarily a survey of existing models for assigning costs to different aspects of information security activities. The second paper, “To Invest or Not to Invest? Assessing the Economic Viability of a Policy and Security Configuration Management Tool,” reviews existing approaches to measuring the value of information security investments, and finds all of them lacking in at least one fundamental area. The third paper, “Ad-Blocking Games: Monetizing Online Content Under the Threat of Ad Avoidance,” provides an illuminating look at how most Internet content is currently supported through advertising revenues, and at the steps that many users take to avoid the advertisements that fund the services. The last paper, “Software Security Economics: Theory, in Practice,” studies vulnerability fixes for a small subset of software, and finds that the observed behavior does not match the model the authors had predicted. However, I was not personally convinced that the data they selected was statistically valid enough to provide predictive value for broader application.

Part 2, “Economics of Information Security,” includes four papers. The Bitcoin-inspired paper, “Can We Afford Integrity by Proof-of-Work? Scenarios Inspired by the Bitcoin Currency,” is very interesting: it describes some fundamental assumptions built into the design of Bitcoin, as well as some vulnerabilities of the Bitcoin environment to targeted attacks. Economists interested in virtual currency would do well to study the technological risks embedded in the Bitcoin ecosystem. The last paper, “Online Promiscuity: Prophylactic Patching and the Spread of Computer-Transmitted Infections,” applies epidemiological methods to analyzing the effectiveness of protecting a subset of a computer population against infections, and to determining what level of protection of individual devices is sufficient to protect the larger population.

Three papers are included in Part 3, “Economics of Privacy.” The first, “The Privacy Economics of Voluntary Over-Disclosure in Web Forms,” highlights a disturbing truth: while in conversation and in surveys people are very concerned about privacy, their actions suggest otherwise. Most people are willing to give up a startling amount of private information with little to no incentive to do so. This calls into question the damages they may claim when a third party exposes information about an individual that the individual would give away for free. “Choice Architecture and Smartphone Privacy: There’s a Price for That” is reminiscent of Lessig’s seminal Code, as it explores the willingness of people to trade their privacy for convenience, one small piece at a time. This theme is reinforced by the next paper, “Would You Sell Your Mother’s Data? Personal Data Disclosure in a Simulated Credit Card Application,” in which a discrepancy is noted between what people say they would do and their actual behavior.

Part 4, “Economics of Cybercrime,” consists of two papers. “Measuring the Cost of Cybercrime” by Ross Anderson et al. is particularly interesting. It discusses the ways in which cybercrime is distinct from “pre-cyber” crime, and also provides one of the better explanations I’ve read of how cybercrime activities generate revenue for the perpetrators. The ratio of victim losses to criminal gain is particularly worrisome, as so much economic loss results in so little net gain. The reference data on losses from UK estimates, and the extrapolation to global losses, were interesting, and may be of value to the practitioner when trying to answer questions about the net impact of cybercrime.

On the whole, it was an interesting read. However, the presentation is targeted at the academic student or researcher, and is not appropriate for the general reader. Even so, it contains useful data for the chief information security or privacy officer articulating the economic rationale for proposed information security or privacy initiatives to a CFO or board.

Reviewer: Lee Imrey
Review #: CR142771 (1501-0047)
Security and Protection (K.6.5)
Economics (J.4 ...)