Bibliography

The bibliography that follows is intended as a complement to Acquisti's Economics of Privacy and Anderson's Economics and Security Resource Page. The Economics of Networks page maintained by Nicholas Economides contains a bibliography and the excellent introductory article properly entitled "Economics of Networks". There is also Hal Varian's page on The Information Economy. Another useful resource is Schneier on Security. In addition, there is an annotated security bibliography that may be of interest to beginners in security. Please see also the list of monographs in addition to this listing of papers and articles. This bibliography, and the entire site, is maintained by Jean Camp. Contact her at ljean.com for additions.

2008

Sang Hoo Bae, Pilsik Choi, Firms' Optimal Digital Rights Management (DRM) Strategies: The Effects of Public Copy Protection and DRM Compatibility, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
Rainer Böhme, Conformity or Diversity: Social Implications of Transparency in Personal Data Processing, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
L. Jean Camp, Hillary Elmore, Brandon Stephens, Diffusion and Adoption of IPv6 in the United States, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
Ramnath Chellappa, Raymond Sin, Competition for Information under Privacy Concerns, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
Anindya Ghose, Karthik Balakrishnan, Panos Ipeirotis, The Impact of Information Disclosure on Stock Market Returns: The Sarbanes-Oxley Act and the Role of Media as an Information Intermediary, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
Rachel Greenstadt, Oliver Day, Brandon Palmen, Reinterpreting the Disclosure Debate for Web Infections, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
Jens Grossklags, Nicolas Christin, John Chuang, Security Investment (Failures) in Five Economic Environments: A Comparison of Homogeneous and Heterogeneous User Agents, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
Il-Horn Hann, Kai-Lung Hui, Sang-Yong T. Lee, and I.P.L. Png, Consumer Privacy and Marketing Avoidance: A Static Model, Management Science, Vol. 54, No. 6, June 2008, pp. 1094-1103. Comment: introduces the concept of marketing avoidance, i.e., consumer efforts to conceal themselves and to deflect marketing.
Rolf Hulthen, Communicating the Economic Value of Security Investments: Value at Security Risk, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
Marc Lelarge, Jean Bolot, Cyber Insurance as an Incentive for IT Security, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
Qi Liao, Zhen Li, Aaron Striegel, Botnet Economics: Uncertainty Matters, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
T. Maillart, D. Sornette, Heavy-Tailed Distribution of Cyber-Risks, Physics and Society. Comment: an analysis based on complex systems that indicates that the ID theft market has matured, with roughly 500M incidents. The model also illustrates that vulnerability increases with organization size.
Kanta Matsuura, Productivity Space of Information Security in an Extension of the Gordon-Loeb Investment Model, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
Tyler Moore, Ross Anderson, Rainer Böhme, Richard Clayton, Security Economics and European Policy, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
Tyler Moore, Richard Clayton, The Impact of Incentives on Notice and Take-down, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
Tyler Moore and Richard Clayton, Evaluating the Wisdom of Crowds in Assessing Phishing Websites, to appear at the 12th International Financial Cryptography and Data Security Conference (FC08), Cozumel, Mexico, 28-31 January 2008.
Shishir Nagaraja, The Economics of Covert Community Detection and Hiding, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
Kurt Nielsen, Is Distributed Trust More Trustworthy?, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
David Pym, Adam Beautement, Robert Coles, Jonathan Griffin, Christos Ioannidis, Brian Monahan, Angela Sasse, Mike Wonham, Modelling the Human and Technological Costs and Benefits of USB Memory Stick Security, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).
Sasha Romanosky, Rahul Telang, Alessandro Acquisti, Do Data Breach Disclosure Laws Reduce Identity Theft?, WEIS 2008 (Seventh Workshop on the Economics of Information Security, Hanover, NH, 25-28 June 2008).

2007

David S. Anderson, Chris Fleizach, Stefan Savage and Geoffrey M. Voelker, Spamscatter: Characterizing Internet Scam Hosting Infrastructure, USENIX Security Symposium, Boston, MA, 5-10 August 2007. Comment: analysis of spam infrastructure, useful for spam-o-nomics.
R. Anderson, T. Moore, S. Nagaraja, A. Ozment, Incentives and Information Security, in Algorithmic Game Theory, N. Nisan, T. Roughgarden, E. Tardos, and V. Vazirani (editors), Cambridge University Press, 2007, ISBN-13: 9780521872829.
Tyler Moore and Richard Clayton, Examining the Impact of Website Take-down on Phishing, Second APWG eCrime Researchers Summit, Pittsburgh, PA, 4-5 October 2007. (Best Paper Award)
Ross Anderson and Tyler Moore, The Economics of Information Security: A Survey and Open Questions, Fourth Bi-annual Conference on the Economics of the Software and Internet Industries, Toulouse, France, 19-20 January 2007.
Farzaneh Asgharpour, Debin Liu, L. Jean Camp, Mental Models of Computer Security Risks, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
S. E. Goodman, Robert Ramer, Identify and Mitigate the Risks of Global IT Outsourcing, Editorial Preface, The Journal of Global Information Technology Management (JGITM), Vol. 10, No. 4, October 2007, pp. 1-6.
Seymour E. Goodman, Rob Ramer, Global Sourcing of IT Services and Information Security: Prudence Before Playing, Communications of the Association for Information Systems (CAIS), Vol. 20, December 2007, pp. 812-823.
Steven M. Bellovin, Routing Security Economics, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Rainer Böhme and Sven Koble (Technische Universität Dresden), On the Viability of Privacy-Enhancing Technologies in a Self-Regulated Business-to-Consumer Market: Will Privacy Remain a Luxury Good?, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Ramnath K. Chellappa, Shivendu Shivendu, Incentive Design for Free but No Free Disposal Services: The Case of Personalization under Privacy Concerns, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Pau-Chen Cheng, Pankaj Rohatgi and Claudia Keser, Fuzzy MLS: An Experiment on Quantified Risk-Adaptive Access Control, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Yue Chen, Barry Boehm, Luke Sheppard, Measuring Security Investment Benefit for Off the Shelf Software Systems: A Stakeholder Value Driven Approach, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Jay Pil Choi, Chaim Fershtman, Neil Gandal, Network Security: Vulnerabilities and Disclosure Policy, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Lorrie Faith Cranor, Sarah Spiekermann, Privacy Engineering, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Nicolas Christin, Countermeasures Against Government-Scale Monetary Forgeries, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
George Danezis, Network Formation, Sybil Attacks & Reputation Systems, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
George Danezis and Stefan Schiffner, On Network Formation (Sybil Attacks and Reputation Systems), DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Ginger Davis, Alfredo Garcia and Weide Zhang, Empirical Analysis of the Effects of Cyber Security Incidents, submitted to Risk Analysis.
Scott Dynes, Information Security and IT Risk Management in the Real World: Results From Field Studies, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Jason Franklin, Vern Paxson, Adrian Perrig, and Stefan Savage, An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, CCS '07, Alexandria, VA, 29 October - 2 November 2007.
M. Eric Johnson and Scott Dynes, Inadvertent Disclosure: Information Leaks in the Extended Enterprise, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Neil Gandal, Internet Security, Vulnerability Disclosure, & Software Provision, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Eric Goetz and M. Eric Johnson, Embedding Information Security Risk Management into the Extended Enterprise, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007). A 2006 version is available online at http://mba.tuck.dartmouth.edu/digital/Programs/CorporateEvents/CIO_RiskManage/Overview.pdf
S. Gritzalis, A. Yannacopoulos, C. Lambrinoudakis, P. Hatzopoulos, S. Katsikas, A Probabilistic Model for Optimal Insurance Contracts against Security Risks and Privacy Violation in IT Outsourcing Environments, International Journal of Information Security, Vol. 6, No. 4, pp. 197-211, 2007.
Jens Grossklags, Alessandro Acquisti, When 25 Cents is Too Much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Alok Gupta and Dmitry Zhdanov, Growth and Sustainability of MSSP Networks, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Alfredo Garcia and Barry Horowitz, The Potential for Underinvestment in Internet Security: Implications for Regulatory Policy, Journal of Regulatory Economics, Vol. 31, No. 1, 2007, pp. 37-51.
Kjell Hausken, Strategic Defense and Attack of Complex Networks, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Hemantha S. B. Herath, Tejaswini C. Herath, Cyber-Insurance: Copula Pricing Framework and Implications for Risk Management, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Peter Honeyman, Galina A. Schwartz, Ari Van Assche, Interdependence of Reliability and Security, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Barry Horowitz, Linking the Economics of Cyber Security and Corporate Reputation, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Gaurav Kataria, Rainer Böhme, Models and Measures for Correlation in Cyber-Insurance, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Vineet Kumar, Rahul Telang, Tridas Mukhopadhyay (Carnegie Mellon University), Optimally Securing Enterprise Information Systems and Assets, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Costas Lambrinoudakis, Stefanos Gritzalis, and Thanassis Yannacopoulos, Modelling and Economics of IT Risk Management and Insurance, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Ivan Png, Chen Yu Wang, The Deterrent Effect of Enforcement Against Computer Hackers: Cross-Country Evidence, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Amalia R. Miller, Catherine E. Tucker, Privacy, Network Effects and Electronic Medical Record Technology Adoption, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Charles Miller, The Legitimate Vulnerability Market: The Secretive World of 0-day Exploit Sales, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Tyler Moore and Richard Clayton, An Empirical Analysis of the Current State of Phishing Attack and Defence, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Tyler Moore (joint with Ross Anderson and Shishir Nagaraja), Network Economics and Security Engineering, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Deirdre K. Mulligan, Information Disclosure as a Light-weight Regulatory Mechanism, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Mohammad S. Rahman, Karthik Kannan, Mohit Tawarmalani (Purdue University), The Countervailing Incentive of Restricted Patch Distribution: Economic and Policy Implications, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Srinivasan Raghunathan, Huseyin Cavusoglu, Byungwan Koh, Bin Mai, Economics of User Segmentation, Profiling, and Detection in Security, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Brent Rowe, Will Outsourcing IT Security Lead to a Higher Social Level of Security?, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Rachel Rue, Shari Lawrence Pfleeger, David Ortiz, A Framework for Classifying and Comparing Models of Cyber Security Investment to Support Policy and Decision-Making, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Bruce Schneier, The Psychology of Security... a Work in Progress, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Katherine J. Strandburg, Surveillance of Emergent Associations: Freedom of Association in a Network Society, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Michael D. Smith and Rahul Telang, Competing with Free: The Impact of Movie Broadcasts on DVD Sales and Internet Piracy, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Peter Swire, Security Through Obscurity: When It Works, When It Doesn't, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.
Janice Tsai, Serge Egelman, Lorrie Cranor, Alessandro Acquisti, The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study, WEIS 2007 (Sixth Workshop on the Economics of Information Security, Pittsburgh, PA, 7-8 June 2007).
Rick Wash and Jeff MacKie-Mason, Incentive-Centered Design for Information Security, DIMACS Workshop on Information Security Economics, DIMACS Center, Rutgers, NJ, 18-19 January 2007.

2006

Alessandro Acquisti, Allan Friedman and Rahul Telang, Is There a Cost to Privacy Breaches? An Event Study, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/40.pdf
Alessandro Acquisti and Bin Zhang, Financial Privacy for Free? US Consumers' Response to FACTA, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/45.pdf
Ross Anderson and Tyler Moore, The Economics of Information Security, Science 314 (5799), pp. 610-613, 27 October 2006. http://www.cl.cam.ac.uk/~twm29/science-econ.pdf
Ashish Arora, Christopher M. Forman, Anand Nandkumar and Rahul Telang, Competitive and Strategic Effects in the Timing of Patch Release, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/35.pdf
Rainer Böhme and Thorsten Holz, The Effect of Stock Spam on Financial Markets, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://ssrn.com/abstract=897431
Rainer Böhme and Gaurav Kataria, Models and Measures for Correlation in Cyber-Insurance, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/16.pdf
L. Jean Camp, Economics of Information Security, I/S: A Journal of Law and Policy for the Information Society, Vol. 2, No. 2. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=889442
L. Jean Camp, Reliable, Usable Signaling to Defeat Masquerade Attacks, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/48.pdf
L. Jean Camp, Mental Models of Security, IEEE Technology and Society, accepted in 2006 (publication expected in 2008).
Huseyin Cavusoglu, Hasan Cavusoglu and Jun Zhang, Economics of Security Patch Management, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/5.pdf
Michael Collins, Carrie Gates and Gaurav Kataria, A Model for Opportunistic Network Exploits: The Case of P2P Worms, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/30.pdf
Marco Cremonini and Dmitri Nizovtsev, Understanding and Influencing Attackers' Decisions: Implications for Security Investment Strategies, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/3.pdf
George Danezis and Bettina Wittneben, The Economics of Mass Surveillance and the Questionable Value of Anonymous Communications, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/36.pdf
Roger Dingledine and Nick Mathewson, Anonymity Loves Company: Usability and the Network Effect, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/41.pdf
Scott Dynes, Eva Andrijicic and M. Eric Johnson, Costs to the U.S. Economy of Information Infrastructure Failures: Estimates from Field Studies and Economic Data, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/4.pdf
Benjamin Edelman, Adverse Selection in Online 'Trust' Certifications, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/10.pdf
A. Friedman, Information Networks and Social Trust, Kennedy School of Government Working Paper Series, Cambridge, MA, 2006. Comment: defines the limits and efficacy of information-sharing among naive users who are attempting to jointly identify "good" or "bad" sites, i.e., the limits of social networks for security; uses agent-based modeling.
Alfredo Garcia and Barry Horowitz, The Potential for Underinvestment in Internet Security: Implications for Regulatory Policy, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/24.pdf. The journal version (Journal of Regulatory Economics, 2007) is listed under 2007.
Anindya Ghose and Uday Rajan, The Economic Impact of Regulatory Information Disclosure on Information Security Investments, Competition, and Social Welfare, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/37.pdf
Eric Goetz and M. Eric Johnson, Embedding Information Security Risk Management into the Extended Enterprise, 2006. Available online at http://mba.tuck.dartmouth.edu/digital/Programs/CorporateEvents/CIO_RiskManage/Overview.pdf
Nathaniel Good, Jens Grossklags, David Thaw, Aaron Perzanowski, Deirdre Mulligan and Joseph Konstan, User Choices and Regret: Understanding Users' Decision Process about Consensually Acquired Spyware, I/S: A Journal of Law and Policy for the Information Society, Summer 2006. Available online at http://is-journal.org/CFPs/2006-cybersecurity.php. Comment: people still install spyware when told what it is, but they feel good about it.
Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn, and Tashfeen Sohail, The Impact of the Sarbanes-Oxley Act on the Corporate Disclosures of Information Security Activities, Journal of Accounting and Public Policy, Vol. 25, No. 5, 2006, pp. 503-530.
Lawrence A. Gordon and Martin P. Loeb, Managing Cybersecurity Resources: A Cost-Benefit Analysis, McGraw-Hill, New York, NY, 2006.
Jennifer Granick, Faking It: Criminal Sanctions and the Cost of Computer Intrusions, I/S: A Journal of Law and Policy for the Information Society, Summer 2006. Available online at http://www.infosecon.net/workshop/pdf/FakingIt.granick.pdf
Rachel Greenstadt and Michael D. Smith, Collaborative Scheduling: Threats and Promises, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/43.pdf
Hemantha Herath and Tejaswini Herath, Justifying Spam and E-mail Virus Security Investments: A Case Study, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/13.pdf
Matthew Hottell, Drew Carter and Matthew Deniszczuk, Predictors of Home-Based Wireless Security, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/51.pdf
C. Derrick Huang, Qing Hu and Ravi S. Behara, Economics of Information Security Investment in the Case of Simultaneous Attacks, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/15.pdf
Il-Horn Hann, Kai-Lung Hui, Yee-Lin Lai, S.Y.T. Lee and I.P.L. Png, Who Gets Spammed?, Communications of the ACM, Vol. 49, No. 10, October 2006, pp. 83-87. http://www.comp.nus.edu.sg/~ipng/research/spam_CACM.pdf. Comment: measures the degree to which spam is randomly distributed or targeted; spam is most strongly correlated with the account provider for free email, and opting out of marketing opportunities does decrease spam.
Jeremy Kirk, Antivirus Market Jumped 13.6 Percent Last Year, IDG News Service, 21 June 2006. Available online at http://www.infoworld.com/article/06/06/21/79506_HNantivirusmarket_1.html?source=NLC-TB2006-06-21. Comment: growth in malicious software drives revenue totaling $4 billion for anti-virus companies; the enterprise share of the antivirus market in 2005 was 51.5 percent, while the consumer segment came in at 48.5 percent.
Vineet Kumar, Rahul Telang and Tridas Mukhopadhyay, Enterprise Information Security: Who Should Manage It and How?, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/21.pdf
Debin Liu and L. Jean Camp, Proof of Work Can Work, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/50.pdf. Comment: the difference in the production frontier can be overcome by embedding proof of work into current anti-spam systems, which include reputation systems, white lists, and black lists.
Wei Liu, Hideyuki Tanaka and Kanta Matsuura, An Empirical Analysis of Security Investment in Countermeasures Based on an Enterprise Survey in Japan, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/9.pdf
I. MacInnes, Y. Li, Risk and Dispute in eBay Transactions, International Journal of Electronic Commerce. Comment: neither the nature of the good nor the size of the transaction, but rather the payment method, is the greatest predictor of dispute in eBay transactions.
P.K. Manadhata, J.M. Wing, M.A. Flynn, and M.A. McQueen, Measuring the Attack Surfaces of Two FTP Daemons, Quality of Protection Workshop, Alexandria, VA, 30 October 2006. http://www.cs.cmu.edu/~pratyus/qop.pdf
Tyler Moore, The Economics of Digital Forensics, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/14.pdf
Shishir Nagaraja and Ross Anderson, The Topology of Covert Conflict, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/38.pdf
Andy Ozment and Stuart E. Schechter, Bootstrapping the Adoption of Internet Security Protocols, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/46.pdf
Andy Ozment and Stuart E. Schechter, Milk or Wine: Does Software Security Improve with Age?, Proceedings of the Fifteenth USENIX Security Symposium, Vancouver, BC, Canada, 31 July - 4 August 2006. http://www.cl.cam.ac.uk/~jo262/papers/Ozment_and_Schechter-Milk_Or_Wine-Usenix06.pdf. Comment: short answer, wine.
Shari Lawrence Pfleeger, Rachel Rue, Jay Horwitz and Aruna Balakrishnan, Investing in Cyber Security: The Path to Good Practice, The RAND Journal, 2006.
I.P.L. Png, Candy Q. Tang and Qiu-Hong Wang, Hackers, Users, Information Security, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/54.pdf
Brent R. Rowe and Michael P. Gallaher, Private Sector Cyber Security Investment: An Empirical Analysis, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/18.pdf
Brent Rowe and Michael Gallaher, Could IPv6 Improve Network Security? If So, at What Cost?, I/S: A Journal of Law and Policy for the Information Society, Summer 2006. Available online at http://www.is-journal.org/articles.php?abstract=2&level=1
Peter Sand, The Privacy Value, I/S: A Journal of Law and Policy for the Information Society, Summer 2006.
Michael Sutton and Frank Nagle, Emerging Economic Models for Vulnerability Research, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/17.pdf
R. Wash and J. K. MacKie-Mason, Incentive-Centered Design for Information Security, First USENIX Workshop on Hot Topics in Security, Vancouver, BC, Canada, August 2006.
Y. Wang, D. Beck, Z. Jiang, R. Roussev, C. Verbowski, S. Chen and S. King, Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities, Proceedings of the Network and Distributed System Security Symposium (NDSS), ISOC, Washington, DC, 2006.
Jan Willemson, On the Gordon & Loeb Model for Information Security Investment, WEIS 2006 (Fifth Workshop on the Economics of Information Security, Cambridge, UK). Available online at http://weis2006.econinfosec.org/docs/12.pdf

2005

Fariborz Farahmand, Shamkant B. Navathe, Gunter P. Sharp, and Philip H. Enslow, A Management Perspective on Risk of Security Threats to Information Systems, Information Technology and Management, Vol. 6, No. 2-3, pp. 203-225, 2005.
Esther Gal-Or and Anindya Ghose, The Economic Incentives for Sharing Security Information, Information Systems Research, Vol. 16, No. 2, pp. 186-208, 2005.
C. Lambrinoudakis, S. Gritzalis, A. Yannacopoulos, P. Hatzopoulos, S. Katsikas, A Formal Model for Pricing Information Systems Insurance Contracts, Computer Standards and Interfaces, Vol. 27, No. 5, pp. 521-532, 2005.
James R. Conrad, Analyzing the Risks of Information Security Investments with Monte-Carlo Simulations, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/13.pdf
Pei-yu Chen, Gaurav Kataria and Ramayya Krishnan, Software Diversity for Information Security, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/47.pdf
Anindya Ghose and Arun Sundararajan, Pricing Security Software: Theory and Evidence, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/37.pdf
Avi Goldfarb, Why Do Denial of Service Attacks Reduce Future Visits? Switching Costs vs. Changing Preferences, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/6.pdf
Jennifer S. Granick, Faking It: Criminal Sanctions and the Cost of Computer Intrusions, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/FakingIt.granick.pdf
Tyler Moore, Countering Hidden-Action Attacks on Networked Systems, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/18.pdf
Dirk Bergemann, Thomas Eisenbach, Joan Feigenbaum and Scott Shenker, Flexibility as an Instrument in Digital Rights Management, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/50.pdf
Yooki Park and Suzanne Scotchmer, Digital Rights Management and the Pricing of Digital Products, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/62.pdf
Andrei Serjantov and Richard Clayton, Modeling Incentives for Email Blocking Strategies, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/emailblocking.pdf
Jay Pil Choi, Chaim Fershtman and Neil Gandal, Internet Security, Vulnerability Disclosure, and Software Provision, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/9.pdf
Byung Cho Kim, Pei-Yu Chen and Tridas Mukhopadhyay, An Economic Analysis of Software Market with Risk-Sharing Contract, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/28.pdf
Rainer Böhme, Cyber-Insurance Revisited, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/15.pdf
Jay P. Kesan, Ruperto P. Majuca and William J. Yurcik, Cyber-insurance As A Market-Based Solution To The Problem Of Cybersecurity, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/42.pdf
Hulisi Ogut, Nirup Menon and Srinivasan Raghunathan, Cyber Insurance and IT Security Investment: Impact of Interdependent Risk, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/56.pdf
Scott Dynes, Hans Brechbuhl and Eric Johnson, Information Security in the Extended Enterprise: Some Initial Results From a Field Study of an Industrial Firm, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/51.pdf
Luc Wathieu and Allan Friedman, An Empirical Approach to Understanding Privacy Valuation, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/WathFried_WEIS05.pdf. Comment: people are sensitive to the potential of secondary uses when they decide under what conditions to share information.
Bernardo A. Huberman, Eytan Adar and Leslie R. Fine, Valuating Privacy, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/7.pdf. Comment: people value their information to the extent that they deviate from the norm.
Rahul Telang and Sunil Wattal, Impact of Software Vulnerability Announcements on the Market Value of Software Vendors: An Empirical Investigation, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/telang_wattal.pdf
Zhulei Tang, Yu (Jeffrey) Hu and Michael D. Smith, Protecting Online Privacy: Self-Regulation, Mandatory Standards, or Caveat Emptor, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/31.pdf
Alessandro Acquisti and Jens Grossklags, Uncertainty, Ambiguity and Privacy, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/64.pdf
Rachel Greenstadt and Michael D. Smith, Protecting Personal Information: Obstacles and Directions, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/48.pdf
David Baumer, Julia Earp and J.C. Poindexter, Quantifying Privacy Choices with Experimental Economics, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/16.pdf
Dmitri Nizovtsev and Marie Thursby, Economic Analysis of Incentives to Disclose Software Vulnerabilities, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/20.pdf
Andy Ozment, The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/10.pdf
Ashish Arora, Ramayya Krishnan, Rahul Telang and Yubao Yang, An Empirical Analysis of Vendor Response to Disclosure Policy, WEIS 2005 (Fourth Workshop on the Economics of Information Security, Cambridge, MA). Available online at http://infosecon.net/workshop/pdf/41.pdf
H. Cavusoglu, B. Mishra, S. Raghunathan, The Value of Intrusion Detection Systems (IDSs) in Information Technology (IT) Security, Information Systems Research, Vol. 16, No. 1, March 2005, pp. 28-46.
L. Jean Camp and Allan Friedman, Good Neighbors Make Good Fences, Telecommunications Policy Research Conference, Arlington, VA, 2005.
Daniel Geer, Making Choices to Show ROI, Secure Business Quarterly, Vol. 1, pp. 1-5, 2005. Available online at http://www.sbq.com/sbq/rosi/sbq_rosi_making_choices.pdf. Comment: proposes a Return on Security Investment (ROSI) metric.
Tom Espiner, Symantec Flaw Found by TippingPoint Bounty Hunters, ZDNet, October 2005. Available online at http://news.zdnet.co.uk/0,39020330,39230317,00.htm. Comment: first public report of a bug being purchased.
Federal Trade Commission, FTC Releases Top 10 Consumer Complaint Categories for 2004, Washington, DC, February 2005. Available online at http://www.ftc.gov/opa/2005/02/top102005.htm
Reuters, Identity Theft, Net Scams Rose in '04 - FTC, 2005.
A. Acquisti and John Russ, Information Revelation and Privacy, Heinz Seminars, Carnegie Mellon University, Pittsburgh, PA, 2005.
M. Wu, R. Miller and S. Garfinkel, Do Security Toolbars Actually Prevent Phishing Attacks?, Proceedings of SOUPS, L. Cranor (ed.), 2005.
C. Koch, The Five Most Shocking Things About the ChoicePoint Debacle, CSO, May 2005. Comment: worth reading; you really will be shocked.
S. Smith, Trusted Computing Platforms: Design and Applications, Springer, Berlin, 2005.
Dan Burk, Legal and Technical Standards in Digital Rights Management Technology, Fordham Law Review, Vol. 74, No. 2, November 2005, pp. 537-573. Comment: reviews Lexmark, Blizzard, the Chamberlain garage door case, DeCSS, RealNetworks, and Game Masters.
Paul Virijevich, DShield: A Community Approach to Intrusion Detection, NewsForge, June 2005. Available online at http://software.newsforge.com/article.pl?sid=05/06/07/1432216. Comment: cooperation of individuals with no obvious incentive enables an Internet monitoring network.
an example of peer production of security information. 2004 Eric Rescorla, Is finding security holes a good idea?, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/rescorla.pdf Ashish Arora and Rahul Telang and Hao Xu, Optimal Policy for Software Vulnerability Disclosure, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/xu.pdf. comment: central coordination is required for an optimal market for vulnerabilities Hal Varian and Fredrik Wallenberg and Glenn Woroch, Who Signed Up for the Do-Not-Call List?, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/varian.pdf Alessandro Acquisti and Jens Grossklags, Privacy and Rationality: Preliminary Evidence from Pilot Data, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/acquisti.pdf Ashish Arora and Ramayya Krishnan and Anand Nandkumar and Rahul Telang and Yubao Yang, Impact of Vulnerability Disclosure and Patch Availability -- An Empirical Analysis, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/telang.pdf. comment: Honeypots, two experiments Publication & patching increase attacks by.02 attacks/day Disclosure increases attacks by.26, patching decreases by.5 Karthik Kannan and Rahul Telang, An Economic Analysis of Market for Software Vulnerabilities, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/kannan-telang.pdf. comment: Markets will increase investigation but will also increase exposure. The optimal market would be one where there was a single purchaser that excludes no party from the information. 
This suggest direct governmental participation George Danezis and Ross Anderson, The Economics of Censorship Resistance, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/danezis.pdf Roger Adkins, An Insurance Style Model for Determining the Appropriate Investment Level against Maximum Loss arising from an Information Security Breach, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/adkins.pdf Andrei Serjantov and Ross Anderson, On dealing with adversaries fairly, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/serjantov.pdf Michal Feldman and Christos Papadimitriou and John Chuang and Ion Stoica, Free-Riding and Whitewashing in Peer-to-Peer Systems, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/feldman.pdf Rupert Gatti and Stephen Lewis and Andy Ozment and Thierry Rayna and Andrei Serjantov, Sufficiently Secure Peer-to-Peer Networks, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/lewis.pdf Joan Feigenbaum and Dirk Bergemann and Scott Shenker and Jonathan M. Smith, Towards an Economic Analysis of Trusted Systems, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/feigenbaum.pdf Stuart Schechter, Toward Econometric Models of the Security Risk from Remote Attacks, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/schechter.pdf Maximillian Dornseif and Sascha A. 
May, Modelling the costs and benefits of Honeynets, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/dornseif.pdf Ben Laurie and Richard Clayton, 'Proof-of-Work' Proves Not to Work, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/clayton.pdf. comment: spam producers use zombie machines and thus have a different production frontier than legitimate email senders, therefore proof of work doesn't work Andy Ozment, Bug Auctions: Vulnerability Markets Reconsidered, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/ozment.pdf Nicholas Weaver and Vern Paxson, A Worst-Case Worm, Third Workshop on the Economics of Information Security, 2004, Minneapolis, MN, available online, at http://www.dtc.umn.edu/weis2004/weaver.pdf L Jean Camp and S Lewis, Economics of Information Security, Springer, Vol. 12, 2004, New York, NY H. Cavusoglu and S. Raghunathan, Configuration of Detection Software: A Comparison of Decision and Game Theory Approaches, INFORMS Journal on Decision Analysis, 1(3), September, pp. 131-148, 2004 H. Cavusoglu, B. Mishra, S. Raghunathan, A Model for Evaluating IT Security Investments, Communications of the ACM, 47(7), July, pp. 87-92, 2004 H. Cavusoglu, B. Mishra, S. Raghunathan, The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reaction for Breached Firms and Internet Security Developers, Special Issue: Measuring the Business Value of Information Technology in e-Business Environments, 2004 Adam Shostack and Paul Syverson, What Price Privacy?, pp. 129-142, Ch. 10, eds. L Jean Camp and Stephen Lewis, Economics of Information Security, Springer, Vol. 
12, 2004, New York, NY, comment: Privacy is a signaling problem, when privacy is offered in a clear and comprehensible manner, it sells Huseyin Cavusoglu, Economics of IT Security Management, pp. 71-83, Ch. 6, eds. L Jean Camp and Stephen Lewis, Economics of Information Security, Springer, Vol. 12, 2004, New York, NY, comment: Economics of IT overview, includes data about the losses from incidents in 2004 Alessandro Acquisti and Jens Grossklags, Privacy Attitudes and Privacy Behavior, pp. 165-178, Ch. 13, eds. L Jean Camp and Stephen Lewis, Economics of Information Security, Springer, Vol. 12, New York, NY, comment: Direct incentives are required to protect privacy. The market by itself will not reach a equilibrium where privacy policies are readable, read and reliable Andrew Odlyzko, Privacy, Economics and Price Discrimination on the Internet, pp. 187-212, Ch. 15, eds. L Jean Camp and Stephen Lewis, Economics of Information Security, Springer, Vol. 12, 2004, New York, NY, comment: Direct incentives are required to protect privacy. The market by itself will not reach a equilibrium where privacy policies are readable, read and reliable T. Adleston, 2004, Linux in Government: The Government Open Code Collaborative,The Linux Journal, available online, at http://www.linuxjournal.com/node/7932, December, comment: describes a cooperative model for governments to develop open code to their shared needs, as opposed to having one state pay for development then the others buy it 49 times Office of Government Commerce, Open Source Software Trials in Government Final Report Office of the Treasury, 2004, available online, at http://www.ogc.gov.uk/oss/Report-v8d.htm , London, UK, annotopen source can be cheaper and useful in government, but these might be generalized, open source is a viable alternative 2003 Computational Methods for Dynamic Graphs, C.Cortes, D. Pregibon, and C. Volinsky, Journal of Computational and Graphical Statistics, Vol 12 pp 950-970 (2003). 
http://homepage.mac.com/darylpregibon/papers/jcgs.pdf comment: This careful, methodological paper describes how individuals can be identified from their call patterns alone. Assuming that web browsing has more information than simple number tracing, this has implications for privacy preferences. Gordon, Lawrence A., Martin P. Loeb, and William Lucyshyn, Sharing Information on Computer Systems: An Economic Analysis, Journal of Accounting and Public Policy, Vol. 22, No. 6, 2003, pp. 461-485 Gordon, Lawrence A. and Martin P. Loeb, Expenditures on Competitor Analysis and Information Security: A Management Accounting Perspective,Chapter in Management Accounting in the Digital Economy (Oxford University Press), A. Bhimini (ed), 2003, pp. 95-111 Gordon, Lawrence A., Martin P. Loeb, and William Lucyshyn, Information Security Expenditures and Real Options: A Wait-and-See Approach, Computer Security Journal, Vol 19, No. 2, 2003, pp. 1-7 Campbell, K., L. A. Gordon, M.P. Loeb, and L. Zhou The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market, Journal of Computer Security, Vol. 11,No. 3, 2003, pp. 431-448. Available online at http://brief.weburb.dk/archive/00000130/01/2003-costs-security-on-stockvalue-9972866.pdf Gordon, Lawrence A., Martin P. Loeb and Tashfeen Sohail, A Framework for Using Insurance for Cyber Risk Management, Communications of the ACM, March 2003, pp. 81-85 Ross Anderson, Cryptology and Competition Policy-Issues with Trusted Computing, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session1_anderson.pdf M. Howard, J. Pincus, and J. M. Wing, Measuring Relative Attack Surfaces, Proceedings of Workshop on Advanced Developments in Software and Systems Security, Taipei, December 2003.http://www.cs.cmu.edu/%7Ewing/publications/Howard-Wing03.pdf Stephen R. 
Lewis, How Much is Stronger DRM Worth?, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session1_lewis.pdf, (later published in pp. 53-58, Ch. 4, eds. L Jean Camp and Stephen Lewis, Economics of Information Security, Springer, Vol. 12, 2004, New York, NY). comment: competing with free requires frictionless commerce and a better experience. every dollar invested in DRM that results in a lower quality consumer experience is a dollar spent driving users to free, illegal but usable alternatives. Stuart E. Schecter and Rachel A. Greenstadt and Michael D. Smith, Trusted Computing, Peer-to-Peer Distribution, and the Economics of Pirated Entertainment, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.eecs.harvard.edu/%7Estuart/papers/eis03.pdf Huseyin Cavusoglu and Srinivasan Raghunathan and Birendra Mishra, Quantifying the Value of IT Security Mechanisms and Setting Up an Effective Security Architecture, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session2_cavusoglu.raghunathan.mishra.pdf Fariborz Farahmand and Shamkant B. Navathe and Gunter P. Sharp and Philip H. 
Enslow, Evaluating Damages Caused By Information Systems Security Incidents, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session2_farahmand.navathe.sharp.enslow.pdf Paul Syverson, The Paradoxical Value of Privacy, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session3_syverson.pdf Tony Vila and Rachel Greenstadt and David Molnar, Why We Can't be Bothered to Read Privacy Policies Models of Privacy Economics as a Lemons Market, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session3_molnar.greenstadt.vila.pdf, (later published in pp. 143-154, Ch. 11, eds. L Jean Camp and Stephen Lewis, Economics of Information Security, Vol. 12, 2004, New York, NY). comment: Direct incentives are required to protect privacy. The market by itself will not reach a equilibrium where privacy policies are readable, read and reliable. Adam Shostack, Paying for Privacy: Consumers and Infrastructures, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session3_shostack_privacy.pdf Alessandro Acquisti and Jens Grossklags, Losses, Gains, and Hyperbolic Discounting: An Experimental Approach to Information Security Attitudes and Behaviors, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session6_acquisti.grossklags.pdf Allan Friedman and L. 
Jean Camp, Making Security Manifest, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session6_camp.friedman.pdf Bruce Schneier, Evaluating Security Systems: A Five-Step Process, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session6_schneier.pdf Esther Gal-Or and Anindya Ghose, The Economic Consequences of Sharing Security Information, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session7_galor.ghose.pdf, (later published in pp. 95-105, Ch. 8, eds. L Jean Camp and Stephen Lewis, Economics of Information Security, Springer, Vol. 12, 2004, New York, NY). Comment: illustrates that the sharing of information by an organization is a complement to security investment, and that because security can cause upward pressure on prices indicates that such sharing is particularly valuable in low-margin businesses Lawrence A. Gordon and Martin P. Loeb and William Lucyshyn, Economic Aspects of Controlling Capital Investments in Cyberspace Security for Critical Infrastructure Assets, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session7_lucyshyn.loeb.gordon.pdf Patrick Legros and Andrew F. Newman, Interfering in e-Contracting, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session6_legros.newman.pdf Tom Lookabaugh and Douglas C. Sicker, Security and Lock-In: The Case of the U.S. 
Cable Industry, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session8_lookabaugh.sicker.pdf Mauro Sandrini, We Want Security But We Hate It. The Foundations of Security Technoeconomics in the Social World, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session8_sandrini.pdf, (later published in pp. 213-224, Ch. 16, eds. L Jean Camp and Stephen Lewis, Economics of Information Security, Springer, Vol. 12, 2004, New York, NY). comment: Individuals seek to escape for security technologies that are controlling. Consider the end user incentives when designing security systems. Nicholas Rosasco and David Larochelle, How and Why a More Secure Technologies Succeed in Legacy Markets: Lessons from the Success of SSH, Second Workshop on the Economics of Information Security, 2003, College Park, MD, available online, at http://www.cpppe.umd.edu/rhsmith3/papers/Final_session3_farahmand.navathe.sharp.enslow.pdf Darrell M. Kienzle and Matthew C. Elder, Recent worms: a survey and trends, WORM '03: Proceedings of the 2003 ACM workshop on Rapid malcode, 2003, 1-10, Washington, DC, ACM Press, New York, NY, comment: a comprehensive survey of worms that illustrates some of the most damaging have been the least novel Hal Varian, System Reliability and Free Riding, eds. N. Sadeh, Proceedings of the ICEC 2003, 2003, 355-366, ACM Press, New York, NY, comment: in all cases the socially optimal investment is greater than the Paredo optimal investment, excluding one degenerate case where all organizations face the same cost/benefit ratio L. Jean Camp and Carlos Osorio, Privacy Enhancing Technologies for Internet Commerce, Trust in the Network Economy, 2003, Ch. 
12, Berlin, DE, Springer-Verlag, available online, at http://ssrn.com/abstract=329282 , comment: privacy enhancing companies send confused signals about what actual privacy they are providing. the survivors of the PET boom of the nineties are the companies that provided true privacy including the Anonymizer Ross Anderson, Cryptography and competition policy: issues with trusted computingPODC '03: Proceedings of the twenty-second annual symposium on Principles of distributed computing, 2003, pp. 3-10, Boston, Massachusetts, available online at http://doi.acm.org/10.1145/872035.872036, ACM Press, New York, NY Roger Dingledine, Nick Mathewson, Paul Syverson, Reputation in P2P Anonymity Systems, Workshop on Economics of p2p Systems, 2003, Washington, DC, ACM Press, New York, NY Camp, L. J., 2003, Design for trust, Trust, Reputation, and Security: Theories and Practice, eds. R. Falcone, Berlin, Springer-Verlag T. S. Kent and L. I. Millett, Who Goes There? Authentication Through the Lens of Privacy on Authentication Technologies and Their Privacy Implications, Washington, DC, National Research Council, 2003 2002 Gordon, Lawrence A. and Martin P. Loeb, Return on Information Security Investments: Myths vs. Reality, Strategic Finance, November 2002, pp. 26-31 Ross Anderson, Maybe we spend too much?, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/37.txt Bruce Schnieier, No, we don't spend enough!, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/18.doc. comment: we don't spend enough on security, and the risk is not fair to those who invest Lawrence A. Gordon and Martin P. Loeb The Economics of Investment in Information SecurityACM Transactions on Information and System Security, November 2002, pp. 438-457. 
(Reprinted on pages 129-142 in Economics of Information Security, 2004, Springer, Camp and Lewis, eds.) Carl Landwehr, Improving Information Flow in the Information Security Market, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/11.doc Li Gong, Non-Technical Influences on the Design of the Java Security Architecture, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/47.txt Bob Blakley, The Measure of Information Security is Dollars, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/54.pdf L. Jean Camp, Marketplace Incentives to Prevent Piracy: An Incentive for Security?, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/29.txt Andrew Odlyzko, Privacy, Economics, and Price Discrimination on the Internet, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/52.txt Kevin Soo Hoo, How Much Is Enough? 
A Risk Management Approach to Computer Security, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/06.doc Brian Carini, Dynamics and Equilibria of Information Security Investments, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/34.doc Kin Sing Leung, Diverging economic incentives caused by innovation for security updates on an information network, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/19.pdf Rahul Sami, Agents' privacy in distributed algorithmic mechanisms, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/05.pdf Hal Varian, System Reliability and Free Riding, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/49.pdf Alessandro Acquisti, Security of Personal Information and Privacy: Economic Incentives and Technological Solutions, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/36.doc John Mitchell, Distributed algorithmic mechanism design and network security, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/42.pdf Tomas Sander, Economic Barriers to the Deployment of Existing Privacy Technologies, Workshop on the Economics of 
Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/23.pdf Stuart Schechter, Quantitatively Differentiating System Security, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/31.pdf Yvo Desmedt, Using economics to model threats and security in distributed computing, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/33.ps Mike Fisk, Causes and Remedies for Social Acceptance of Network Insecurity, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/35.pdf Rafael Yahalom, Liability Transfers in Network Exchanges, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/46.ps W Yurcik, Cyberinsurance: A Market Solution to Internet Security Market Failure, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/53.pdf Robert Gehring, Software development, Intellectual Property Rights, and IT Security, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/44.pdf Paul Thompson, Cognitive Hacking and the Value of Information, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at 
http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/15.doc Lawrence A. Gordon and Martin P. Loeb and William Lucyshyn, An Economics Perspective on the Sharing ofInformation Related to Security Breaches: Concepts and Empirical Evidence, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/51.doc. comment: overview of game theoretic findings relevant to ISACs, shows ISACs have value even if some participants are not entirely honest Thomas-Xavier Martin, Experience of the French Gendarmerie, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/13.txt Barb Fox, Internet TAO: The Microeconomics of Internet Standards-Setting, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA, available online, at http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/12.doc Stuart E. Schechter, Computer Security Strength and Risk: A Quantitative Approach, Workshop on the Economics of Information Security, 2002 May 16-17, Berkeley, CA H. Hocheiser, The platform for privacy preference as a social protocol: An examination within the U.S. policy context, ACM Trans. Internet Tech., Vol. 2, 4, 2002, 276-306, available online at http://doi.acm.org/10.1145/604596.604598, comment: P3P has an invalid economic and incentive model; however, it was quite effective in preventing general data protection legislation Pam Samuelson and Suzanne Scotchmere, The Law and Economics of Reverse Engineering, Yale Law Journal, 2002, 1575-1663 H. Nissenbaum, E. Felton and Friedman, Computer Security: Competing Concepts, The 30th Research Conference on Communication, Information and Internet Policy, Sept. 2002, Washington D.C S. 
Tadelis, 2002, The Market for Reputations as an Incentive Mechanism, Journal of Political Economy, Vol. 92, number= 2, pp. 854-882 Josh Lerner and Jean Tirole, The Simple Economics of Open Source, Journal of Industrial Economics, Vol. 42, pp. 197-234, 2002 Helen Nissenbaum and Ed Felton., 2002, Computer security: Competing Concepts, Washington, DC, 30th Research Conference on Communication, Information and Internet Policy, comment: computer security is hard to build because to be optimal it must be applicable to the specific social system in which it is instantiated T. Matsumoto and H. Matsumoto and K. Yamada, and S. Hoshino, Impact of Artificial Gummy Fingers on Fingerprint Systems, Proceedings of SPIE: Optical Security and Counterfeit Deterrence Techniques IV, pp. 4677-4689, 2002, comment: shows how to create fingerprints that fool biometrics sensors using a drinking glass and melted gummy bears 2001 Geer, Daniel E. 2001. Return on security investment: calculating the security investment equation. Secure Business Quarterly 1 (2) R. Anderson, Why Information Security is Hard-An Economic Perspective, ACSAC '01: Proceedings of the 17th Annual Computer Security Applications Conference, 2001, IEEE Computer Society, Washington, DC, available online at www.cl.cam.ac.uk/ftp/users/rja14/econ.pdf comment: describes and illustrates the need to align security technology with economic incentives Thomas A Longstaff and Rich Pethia and C Chittister and Y Y Haimes, Are We Forgetting the Risks of Information Technology, IEEE Computer, 2001, 43-52 Jean Camp and Helen Nissenbaum and Cathleen McGrath, Trust: A Collision of Paradigms, Proceedings of Financial Cryptography, Lecture Notes in Computer Science, 2001, Springer, Lawrence A. Gordon and Martin P. Loeb, Using information security as a response to competitor analysis systems, Commun. ACM, Vol. 44, 9, 2001, pp. 
70-75, available online at http://doi.acm.org/10.1145/383694.383709 ACM Press, New York, NY Nissenbaum, H., Securing Trust Online: Wisdom or OxymoronBoston University Law Review, Vol. 81, No. 3, 2001, pp. 635-664 Thomas A Longstaff and Rich Pethia and C Chittister and Y Y Haimes, Are We Forgetting the Risks of Information TechnologyIEEE Computer, 2001, 43-52 Ross Anderson, 2001, Security Engineering: A Guide to Building Dependable Distributed Systems, New York, John Wiley and Sons Camp, L. J., 2001, Trust and Risk in Electronic Commerce, Cambridge, MA, The MIT Press 2000 William A. Arbaugh and William L. Fithen and John McHugh, Windows of Vulnerability: A Case Study Analysis, Computer, Vol. 33, 12, 2000, 52-59, IEEE Computer Society Press, comment:publication of a patch does not prevent worms from spreading, rather there are periodic waves. Pew Internet and American Life Project, Trust and privacy online: Why Americans want to rewrite the rules, Pew Foundation, NY, NY, 2000, available online, at http://www.pewinternet.org/PPF/r/19/report_display.asp L Jean Camp and Catherine Wolfram, Pricing Security, Proceedings of the CERT Information Survivability Workshop, 2000 Oct 24-26, pp. 31-39, Boston, MA, available online at papers.ssrn.com/sol3/papers.cfm?abstract_id=894966}, comment: the first definition of a vulnerability as a good that can be used in a market; defines vulnerabilities as externalities; proposed a credit market for vulnerabilities. Wei Fan, Wenke Lee, Sal Stolfo, and Matthew Miller, A Multiple Model Cost-Sensitive Approach for Intrusion Detection, Eleventh European Conference on Machine Learning (ECML '00) 2000, http://www1.cs.columbia.edu/ids/publications/cost-ecml00.ps Michael Froomkin, 2000, The death of privacy, Stanford Law Review, Vol. 52, pp. 1461-1479. Before 2000 R. Friedman and M. Resnick, 1998, The Social Cost of Cheap Pseudonyms, Journal of Economics and Management Strategy, Vol. 10, no=2, pp. 
173-199, comment: in systems where identities are easy to create, new identities are not trusted M. Bishop and D. Bailey, A Critical Analysis of Vulnerability Taxonomies, Technical Report CSE-96-11 Department of Computer Science at the University of California at Davis, September 1996, available online at citeseer.csail.mit.edu/bishop96critical.html. T. Aslam and I. Krsul and E. H. Spafford, Use of a Taxonomy of Security Faults, Proc. 19th National Information Systems Security Conference, pp. 551-560, 1996, available online, at citeseer.csail.mit.edu/aslam96use.html Carl E. Landwehr and Alan R. Bull and John P. McDermott and William S. Choi, A Taxonomy of Computer Program Security Flaws, with Examples, 1993, available online, at citeseer.csail.mit.edu/article/landwehr93taxonomy.html C. Dwork and M. Naor, 1993, Pricing via Processing, Or, Combating Junk Mail, Advances in Cryptology CRYPTO92, Lecture Notes in Computer Science, Vol. 74, pp. 139-147, Springer. |