
Economics of security

The economics of information security addresses the economic aspects of privacy and computer security. It includes models of the strictly rational "homo economicus" as well as behavioral economics, and it treats the decisions and behaviors of individuals and organizations with respect to security and privacy as market decisions.

Economics of security addresses a core question: why do agents choose to bear technical risks when technical solutions exist to mitigate security and privacy risks? Economics not only addresses this question but also informs design decisions in security engineering.


  • Emergence of economics of security
  • Examples of findings in economics of security
  • See also
  • External links
    • Centers that study economics of security
    • Resources in economics of security

Emergence of economics of security

National security is the canonical public good. The economic status of information security came to the intellectual fore around 2000. As is often the case with innovations, it arose simultaneously in multiple venues.

In 2000, Ross Anderson wrote Why Information Security is Hard. Anderson explained that a significant difficulty in the optimal development of security technology is that incentives must be aligned with the technology to enable rational adoption. Thus, economic insights should be integrated into technical design. A security technology should enable the party at risk to invest to limit that risk. Otherwise, the designers are simply counting on altruism for adoption and diffusion. Many consider this publication the birth of economics of security.

Also in 2000 at Harvard, Camp at the School of Government and Wolfram in the Department of Economics argued that security is not a public good but rather that each extant vulnerability has an associated negative externality value. Vulnerabilities were defined in this work as tradable goods. Six years later, iDEFENSE, ZDI and Mozilla had extant markets for vulnerabilities.

In 2000, the scientists at the Computer Emergency Response Team at Carnegie Mellon University proposed an early mechanism for risk assessment. The Hierarchical Holographic Model provided the first multi-faceted evaluation tool to guide security investments using the science of risk. Since that time, CERT has developed a suite of systematic mechanisms for organizations to use in risk evaluations, depending on the size and expertise of the organization: OCTAVE. The study of computer security as an investment in risk avoidance has become standard practice.

In 2001, in an unrelated development, Lawrence A. Gordon and Martin P. Loeb published Using information security as a response to competitor analysis systems. A working paper of the published article was written in 2000. These professors, from Maryland's Smith School of Business, present a game-theoretic framework that demonstrates how information security can prevent rival firms from gaining sensitive information. In this context, the article considers the economic (i.e., cost-benefit) aspects of information security.

These authors came together to develop and expand a series of flagship events under the name Workshop on the Economics of Information Security.

Examples of findings in economics of security

Proof of work is a security technology designed to stop spam by altering the economics. An early paper in economics of information security argued that proof of work cannot work. In fact, the finding was that proof of work cannot work without price discrimination as illustrated by a later paper, Proof of Work can Work.

Another finding, one that is critical to an understanding of current American data practices, is that the opposite of privacy is not, in economic terms, anonymity, but rather price discrimination. Privacy and price discrimination was authored by Andrew Odlyzko and illustrates that what may appear as information pathology in the collection of data is in fact rational organizational behavior.

Hal Varian presented three models of security using the metaphor of the height of walls around a town to show security as a normal good, public good, or good with externalities. Free riding is the end result, in any case.

Lawrence A. Gordon and Martin P. Loeb wrote the Economics of Information Security Investment. The Gordon-Loeb Model is considered by many as the first economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur.
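As an added illustration of the Gordon-Loeb model (this code is not from the page, nor from Gordon and Loeb; it uses the paper's class I security breach probability function S(z, v) = v/(αz+1)^β, whose form is not stated on this page, with constructed parameter values), the following computes the investment level that maximises expected net benefit, checks it against a brute-force search, and verifies the model's result that the optimal spend never exceeds 1/e of the expected loss:

```python
import math


def breach_probability(z, v, alpha=1.0, beta=1.0):
    """Gordon-Loeb class I function: residual breach probability after
    investing z, given baseline vulnerability v (breach probability at z=0).
    alpha > 0 and beta >= 1 describe how productive security spending is."""
    return v / (alpha * z + 1.0) ** beta


def expected_net_benefit(z, v, loss, alpha=1.0, beta=1.0):
    """ENBIS(z): expected loss avoided by investing z, minus the cost z.
    loss is the monetary loss if a breach occurs."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v, loss, alpha=1.0, beta=1.0):
    """Closed-form maximiser of ENBIS for the class I function, from the
    first-order condition loss * v * alpha * beta / (alpha*z+1)^(beta+1) = 1.
    A negative root means the marginal benefit at z=0 is below 1 dollar per
    dollar spent, so the corner solution is to invest nothing."""
    z = ((v * alpha * beta * loss) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(z, 0.0)


def fraction_of_expected_loss(v, loss, alpha=1.0, beta=1.0):
    """Optimal spend as a share of the expected loss v*loss; the model's
    headline result is that this share is always below 1/e (about 0.37)."""
    return optimal_investment(v, loss, alpha, beta) / (v * loss)


def grid_search_optimum(v, loss, alpha=1.0, beta=1.0, step=1.0):
    """Brute-force cross-check: scan z from 0 to the expected loss v*loss."""
    best_z = 0.0
    best_benefit = expected_net_benefit(0.0, v, loss, alpha, beta)
    z = 0.0
    while z <= v * loss:
        benefit = expected_net_benefit(z, v, loss, alpha, beta)
        if benefit > best_benefit:
            best_z, best_benefit = z, benefit
        z += step
    return best_z


if __name__ == "__main__":
    # Constructed scenario: 60% chance of breach, $1M loss, alpha = 1e-5.
    v, loss, alpha = 0.6, 1_000_000, 1e-5
    z_star = optimal_investment(v, loss, alpha)
    print(f"optimal investment: ${z_star:,.0f}")
    print(f"share of expected loss: {fraction_of_expected_loss(v, loss, alpha):.3f}"
          f" (1/e = {1 / math.e:.3f})")
    print(f"grid search agrees: ${grid_search_optimum(v, loss, alpha, step=1000.0):,.0f}")
```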

See also

External links

Centers that study economics of security

  • Carnegie Mellon University Heinz College
  • Carnegie Mellon University Privacy Lab
  • Cambridge University Computer Science Laboratory
  • Indiana University School of Informatics
  • University of Minnesota
  • University of Michigan School of Information
  • Harvard University Division of Engineering and Applied Sciences
  • Dartmouth hosts the I3P which includes the Tuck School as well as the Computer Science Department in studying economics of information security.

Resources in economics of security

  • Ross Anderson maintains the Economics of Information Security page.
  • Alessandro Acquisti has the corresponding Economics of Privacy Resources page.
  • Jean Camp's Economics of Information Security page links to all the past workshops, with the corresponding papers, as well as current conferences and calls for papers. It also provides events, books, past workshops, and an annotated bibliography.
  • Return on Information Security Investment provides a self-assessment questionnaire, papers and links to information security economics resources.