Economics of Information Security and Privacy

Are we investing too little or too much in security?
Is security of a system only as strong as its weakest link?
Is security a public good or a private good?
How can incentives be designed to improve security and privacy?


Information security and privacy are as much about economic incentives as about technological mechanisms. The proliferation of spam, botnets, and distributed denial-of-service attacks stems largely from misaligned incentives among defenders, which attackers deftly exploit. The design and deployment of tracking and surveillance systems are likewise driven as much by economic incentives as by security considerations.

Leveraging tools from game theory, behavioral economics, and risk management, our research group examines the incentive dynamics of security and privacy across a wide range of cybersecurity applications and scenarios, including communication networks, cyber-physical infrastructures, cryptocurrencies, security crowdsourcing, and government surveillance.

People

John Chuang
Nicolas Christin
Jens Grossklags
Benjamin Johnson

Collaborators

Rainer Böhme
Alvaro Cardenas
Pern Hui Chia
Neal Fultz
Chris Hoofnagle
Paul Laskowski
Aron Laszka
Thomas Maillart
Svetlana Radosavac

Publications

T. Maillart, M. Zhao, J. Grossklags, J. Chuang. Given Enough Eyeballs, All Bugs Shallow? Revisiting Eric Raymond with Bug Bounty Markets. 15th Workshop on the Economics of Information Security (WEIS'16), June 2016. [pdf]

P. Chia, J. Chuang, Y. Chen. Whack-a-mole: Asymmetric Conflict and Guerrilla Warfare in Web Security. 15th Workshop on the Economics of Information Security (WEIS'16), June 2016. [pdf]

B. Johnson, P. Laskowski, T. Maillart, J. Chuang, N. Christin. Caviar and Yachts: How Your Purchase Data May Come Back to Haunt You. 14th Workshop on the Economics of Information Security (WEIS'15), June 2015. [pdf]

B. Johnson, A. Laszka, J. Grossklags. The Complexity of Estimating Systematic Risk in Networks. 27th IEEE Computer Security Foundations Symposium (CSF), July 2014.

B. Johnson, A. Laszka, J. Grossklags. How Many Down? Toward Understanding Systematic Risk in Networks. 9th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2014), June 2014.

P. Laskowski, B. Johnson, T. Maillart, J. Chuang. Government Surveillance and Incentives to Abuse Power. Workshop on the Economics of Information Security (WEIS’14), June 2014. [pdf]

A. Laszka, B. Johnson, J. Grossklags, M. Felegyhazi. Estimating Systematic Risk in Real-World Networks. Proceedings of the Eighteenth International Conference on Financial Cryptography and Data Security (FC’14), March 2014.

B. Johnson, A. Laszka, J. Grossklags, M. Vasek, T. Moore. Game-Theoretic Analysis of DDoS Attacks Against Bitcoin Mining Pools. First Workshop on Bitcoin Research. Proceedings of the Eighteenth International Conference on Financial Cryptography and Data Security (FC’14), March 2014.

A. Laszka, B. Johnson, J. Grossklags. Mitigating Covert Compromises: A Game-Theoretic Model of Targeted and Non-Targeted Covert Attacks. Proceedings of the 9th Conference on Web and Internet Economics (WINE), December 2013.

A. Laszka, B. Johnson, J. Grossklags. Mitigation of Targeted and Non-Targeted Covert Attacks as a Timing Game. Proceedings of the Fourth Conference on Decision and Game Theory for Security (GameSec 2013), November 2013.

A. Laszka, B. Johnson, P. Schöttle, J. Grossklags, R. Böhme. Managing the Weakest Link: A Game-Theoretic Approach for the Mitigation of Insider Threats. Proceedings of the 18th European Symposium on Research in Computer Security (ESORICS), September 2013.

P. Schöttle, B. Johnson, A. Laszka, J. Grossklags, R. Böhme. A Game-Theoretic Analysis of Content-Adaptive Steganography with Independent Embedding. Proceedings of the 21st European Signal Processing Conference (EUSIPCO), September 2013.

P. Chia, J. Chuang. Community-Based Web Security: Complementary Roles of the Serious and Casual Contributors. Proceedings of ACM CSCW, February 2012. [pdf]

B. Johnson, J. Chuang, J. Grossklags, N. Christin. Metrics for Measuring ISP Badness: The Case of Spam (Short Paper). Proceedings of the 16th International Conference on Financial Cryptography and Data Security (FC'12), February 2012. [pdf]

P. Chia, J. Chuang. Colonel Blotto in the Phishing War. Proceedings of the Conference on Decision and Game Theory for Security (GameSec 2011), November 2011. [pdf]

B. Johnson, R. Böhme, J. Grossklags. Security Games with Market Insurance. Proceedings of the 2nd Conference on Decision and Game Theory for Security (GameSec 2011), November 2011.

J. Chuang. Incentive Dynamics in Interdependent Network Security. Or: Buying a Raft and Out-Running a Bear. Plenary lecture, 2nd International Conference on Game Theory for Networks (GameNets 2011), April 2011. [pdf]

B. Johnson, J. Grossklags, N. Christin, J. Chuang. Nash Equilibria for Weakest Target Security Games with Heterogeneous Agents. Proceedings of the 2nd International Conference on Game Theory for Networks (GameNets 2011), April 2011. [pdf]

B. Johnson, J. Grossklags, N. Christin, J. Chuang. Uncertainty in Interdependent Security Games. Proceedings of the 1st Conference on Decision and Game Theory for Security (GameSec 2010), November 2010. [pdf]

B. Johnson, J. Grossklags, N. Christin, J. Chuang. Are Security Experts Useful? Bayesian Nash Equilibria for Network Security Games with Limited Information. Proceedings of 15th European Symposium on Research in Computer Security (ESORICS'10), September 2010. [pdf]

J. Grossklags, S. Radosavac, A. Cardenas, J. Chuang. Nudge: Intermediaries' Role in Interdependent Network Security. Proceedings of 3rd International Conference on Trust and Trustworthy Computing (Trust'10), June 2010.

J. Grossklags, B. Johnson, N. Christin. When Information Improves Information Security. Proceedings of the Fourteenth International Conference on Financial Cryptography and Data Security (FC'10), January 2010. Extended version available as CyLab Technical Report, CMU, No. CMU-CyLab-09-004. [pdf]

A. Cardenas, S. Radosavac, J. Grossklags, J. Chuang, C. Hoofnagle. An Economic Map of Cybercrime. Presentation at the 37th Research Conference on Communication, Information and Internet Policy (TPRC'09), September 2009.

J. Grossklags, B. Johnson, N. Christin. The Price of Uncertainty in Security Games. Eighth Workshop on the Economics of Information Security (WEIS'09), June 2009. [pdf]

J. Grossklags, B. Johnson. Uncertainty in the Weakest-Link Security Game. Proceedings of the International Conference on Game Theory for Networks (GameNets'09), May 2009. [pdf]

N. Fultz, J. Grossklags. Blue versus Red: Towards a Model of Distributed Security Attacks. Proceedings of the Thirteenth International Conference on Financial Cryptography and Data Security (FC'09), February 2009. [pdf]

J. Grossklags, N. Christin, J. Chuang. Security Investment (Failures) in Five Economic Environments: A Comparison of Homogeneous and Heterogeneous User Agents. 7th Workshop on the Economics of Information Security (WEIS'08), June 2008.

J. Grossklags, N. Christin, J. Chuang. Security and Insurance Management in Networks with Heterogeneous Agents. Proceedings of ACM E-Commerce Conference (EC'08), July 2008. [pdf]

J. Grossklags, N. Christin, J. Chuang. Predicted and Observed User Behavior in the Weakest-Link Security Game. Proceedings of the 2008 USENIX Workshop on Usability, Psychology, and Security (UPSEC'08), April 2008. [pdf]

J. Grossklags, N. Christin, J. Chuang. Secure or Insure? A Game-Theoretic Analysis of Information Security Games. Proceedings of the 17th International World Wide Web Conference (WWW'08), April 2008. [pdf]

N. Christin, J. Grossklags, J. Chuang. Near Rationality and Competitive Equilibria in Networked Systems. Proceedings of ACM SIGCOMM Workshop on Practice and Theory of Incentives in Networked Systems (PINS), August 2004. [pdf]

Funding Support

NSF
100x100 Project
UC-MICRO
DoCoMo
TRUST