IEEE's Economics of Information Security
IEEE Security & Privacy magazine has a special on _Economics of Information Security_ this month. Best bet is to simple read the editor's intro.
Eric Rescorla's article "Is Finding Security Holes a Good Idea?" argues that because large modern software products such as Windows contain many security bugs, removing an individual bug makes little difference to the likelihood that an attacker will find exploits later in a product's life....
There are two on economimcs of disclosure, a theme touched upon recently:
Ashish Arora and Rahul Telang argue for openness in "Economics of Software Vulnerability Disclosure." Their thesis is that software vulnerability disclosure policies should, in some cases, be more aggressive to push vendors into investing more in patch management.
Two I've selected for later reading are:
In "Privacy and Rationality in Individual Decision Making," Alessandro Acquisti and Jens Grossklags use consumer psychology tools to investigate why users' stated privacy preferences differ from their behaviors.
In "Toward Econometric Models of the Security Risk from Remote Attacks," Stuart Schechter discusses the problems of trying to model network attacks in the same way that economists interested in crime build economic models of housebreaking. Many of the variables concerning computer or system security risk are hard to pin down,and change rapidly. For example, an analysis of attackers' incentives and costs comes up against the difficulty of assessing products' security strengths. A market for security vulnerability information might bring some clarity here.
This is because they speak to a current theme - how to model information in attacks.
Posted by iang at February 19, 2005 04:07 PM