793,076 research outputs found

    The economics of user effort in information security

    A significant number of security breaches result from employees' failures to comply with security policies. The cause is often an honest mistake, such as when an employee enters their password in a phishing website, believing it to be a legitimate one. It can also be a workaround when faced with an impossible task, such as when an employee has so many different passwords that they must be written down

    Survey on economics of information security

    Economics of information security has recently become a rapidly growing field of research that is vitally important for managing the decisions and behaviors in cyberspace security. This field provides valuable insights not only for security experts, but also for policy makers, business managers, economists and psychologists. In this paper, we are going to discuss the emergence and evolution of economics of information security; where it came from, where it is today and its future directions. Research conducted for this survey explores the literature on economic issues in information security and reviews the advantages, drawbacks, and future research directions to set the scene that the assessment and analysis of the economics of information security publications followed it. Furthermore, we provide a structured discussion and overview of selected sets of works and highlight the models and theories in this field by organizing the presented works into six main categories, namely information security investment, trust and privacy, network security, malicious program and malware economics, penetration testing and digital forensics, and software security. Additionally, this survey aims to familiarize readers with major areas of this field already in hand to indicate the gaps and overlooked issues in the economics of security

    Modelling the costs and benefits of Honeynets

    For many IT-security measures exact costs and benefits are not known. This makes it difficult to allocate resources optimally to different security measures. We present a model for costs and benefits of so-called Honeynets. This can foster informed reasoning about the deployment of honeynet technology. Comment: was presented at the "Third Annual Workshop on Economics and Information Security" 2004 (WEIS04)

    Ethical guidelines for nudging in information security & privacy

    There has recently been an upsurge of interest in the deployment of behavioural economics techniques in the information security and privacy domain. In this paper, we consider first the nature of one particular intervention, the nudge, and the way it exercises its influence. We contemplate the ethical ramifications of nudging, in its broadest sense, deriving general principles for ethical nudging from the literature. We extrapolate these principles to the deployment of nudging in information security and privacy. We explain how researchers can use these guidelines to ensure that they satisfy the ethical requirements during nudge trials in information security and privacy. Our guidelines also provide guidance to ethics review boards that are required to evaluate nudge-related research

    The State of Economics of Information Security


    THE ECONOMICS OF INFORMATION TECHNOLOGY (IT) SECURITY


    Hospital Bed Capacity in Nevada Counties

    This Fact Sheet shows data on hospital bed capacity within Nevada’s 17 counties, as originally published by High Country News on March 19, 2020. The original data source includes maps and charts compiled by Megan Lawson of Headwater Economics. The data include information from the Department of Homeland Security and the Department of Commerce

    Game Theory Meets Network Security: A Tutorial at ACM CCS

    The increasingly pervasive connectivity of today's information systems brings up new challenges to security. Traditional security has accomplished a long way toward protecting well-defined goals such as confidentiality, integrity, availability, and authenticity. However, with the growing sophistication of the attacks and the complexity of the system, the protection using traditional methods could be cost-prohibitive. A new perspective and a new theoretical foundation are needed to understand security from a strategic and decision-making perspective. Game theory provides a natural framework to capture the adversarial and defensive interactions between an attacker and a defender. It provides a quantitative assessment of security, prediction of security outcomes, and a mechanism design tool that can enable security-by-design and reverse the attacker's advantage. This tutorial provides an overview of diverse methodologies from game theory that includes games of incomplete information, dynamic games, mechanism design theory to offer a modern theoretic underpinning of a science of cybersecurity. The tutorial will also discuss open problems and research challenges that the CCS community can address and contribute with an objective to build a multidisciplinary bridge between cybersecurity, economics, game and decision theory