Credits: 5EC
Expected prior knowledge: Basic statistics, data analysis and visualization
Motivation: Information systems are particularly prone to security failure when the organization protecting them does not bear the full cost of failure. This observation is simple, yet it has profound implications and is often overlooked by many experts trying to improve cybersecurity. It is one of the many ways in which economic incentives drive the development and adoption of security technologies.
This course will provide an overview of the emerging approaches to study the interaction between cybersecurity and economic forces. We will examine different economic challenges affecting cybersecurity: misaligned incentives, information asymmetries and externalities. Drawing on economics, computer science and public policy, we will analyze cybersecurity in the real world, as well as identify ways to improve it.
Synopsis: The goal of this course is to give a comprehensive overview of the economics of information security. The economics point of view is particularly appropriate to analyse the incentives of users, service providers and other networking participants and promises solutions to security issues that arise due to misaligned incentives. This novel point of view is able to shed light on many security problems and solutions to these problems. The objective of this course is to highlight in a tangible manner the importance of economic aspects of security in different areas of businesses. Moreover, the course aims to validate, analyse and prioritise the key issues in each area.
Aim: To get knowledge, understanding and skills with respect to:
- identifying key problems in information security and distinguish non-technical obstacles
- recognizing economic concepts and applying them to information security problems
- employing security metrics and explain their limitations
- regulations and the role of the different participants in security defence
- techniques for collecting and analysing data on information security topics
Learning outcomes: The student will:
- Gain a sound understanding of the economics of cybersecurity as a systems discipline, from security policies (modelling what ought to be protected) to mechanisms (how to implement the protection goals).
- Obtain skills in collecting and analysing data on information security issues
- Gain insights into the design of effective policies to enhance and maintain cyber security must take into account a complex set of incentives facing not only the providers and users of the internet and computer software, but also those of potential attackers
- Learn to apply economic analysis and data analytics to the open issues and pending activities in cybersecurity.
Lecturers: Dr Ir Carlos H. Gañán (TUD/TPM) and Prof Dr Michel van Eeten (TUD/TPM)
Examination: The assessment will be based on data assignments where the students should apply the core concepts of the course in practice. At the start of the course, students will choose an empirical security issue to analyze during the next 5 weeks. There will be 3 groups assignments and 1 individual assignment. The group assignments will account for 40% of the final grade. The individual assignment will account for the other 60% of the final grade.
When a final report is graded lower than 6, students have one month to improve the report for re-submission. The maximum grade after re-submission is 6.
Education method: Edge edx will be used for communications and distributing study material. The course will consists of 5 weeks of intensive theory (2 hours twice per week) after which students will perform their own EconSec study.
Contents: key concepts from information security and economic; economics of spam; security metrics; standard models and metrics of security investment; measuring cybercrime; state of the art in cybercrime and its flourishing underground economy; phishing, and other security exploits; economics of privacy; incentives, rationality, and security decision making; regulations and the role of ISPs in security defense; market insurance for security and privacy; economic tools for improving information security; including cyber insurance/risk transfer, information sharing, and liability assignment.
Core text: Various papers from the literature, supported by a syllabus.
Limitation: If there is an unexpected high demand for this course, then enrollment will be based on past performance in relevant courses.