Economics

Goals

  • Apply an economic lens to security
  • Use economics to better understand user behavior
  • Use economics to better understand attacker behavior

Overview

  • Why can economics help us understand security?
  • What is the standard economic model for individuals?
    • How does reality differ from this model?

Understanding Users

  • What are some examples of security advice that users appear to ignore?
  • What are the direct benefits and direct costs to users of following security advice?
  • How should we evaluate these costs and benefits across the entire population?
  • What threshold is needed for the benefit of advice to outweigh the cost?
  • How much does user effort cost?
    • How can we estimate it?

Understanding Adversaries

Nigerian Scammers

  • Where do most Nigerian-scam emails say they are from?
  • What does it mean that viability is not observable?
  • From an attacker’s standpoint, what is a false positive? A false negative?
  • What does a ROC curve show?
  • How do we calculate an optimal operating point?
  • What are the implications when victim density is low?
  • Why is it difficult to achieve very high classifier accuracy?
  • Why do Nigerian scammers say they are from Nigeria?

Spam Economy

  • How do the costs of spam compare to the benefits to the spammers?
  • What are the various elements of the spam value chain?
  • What is an affiliate?
  • How can the spam economy be studied?
    • What makes such a study challenging?
  • How can we identify bottlenecks in the value chain?
    • What criteria should we use?
    • What proved to be the weakest link?