Sound understanding of the economics of cybersecurity as a systems discipline, from security policies (modelling what ought to be protected) to mechanisms (how to implement the protection goals)
How to design security metrics to capture information security issues
How the design of effective policies to enhance and maintain cybersecurity must take into account a complex set of incentives facing not only the providers and users of the Internet and computer software, but also potential attackers
This economics course provides an introduction to the field of cybersecurity through the lens of economic principles. Delivered by four leading research teams, it will provide you with the economic concepts, measurement approaches and data analytics to make better security and IT decisions, as well as understand the forces that shape the security decisions of other actors in the ecosystem of information goods and services.
Systems often fail because the organizations that defend them do not bear the full costs of failure. In order to solve the problems of growing vulnerability to computer hackers and increasing crime, solutions must coherently allocate responsibilities and liabilities so that the parties in a position to fix problems have an incentive to do so. This requires a technical comprehension of security threats combined with an economic perspective to uncover the strategies employed by cyber hackers, attackers and defenders.
The course covers five main areas:
Introduction to key concepts in security economics. Here, we provide an overview of how information security is shaped by economic mechanisms, such as misaligned incentives, information asymmetry, and externalities.
Measuring cybersecurity. We introduce state-of-the-art security and IT metrics and conceptualize the characteristics of a security metric, its challenges and advantages.
Economics of information security investment. We discuss and apply different economic models that help determine the costs and benefits of security investments in network security.
Security market failures. We discuss market failures that may lead to cybersecurity investment levels that are insufficient from society’s perspective and other forms of unsafe behaviour in cyberspace.
Behavioural economics for information security, policy and regulation. We discuss available economic tools to better align the incentives for cybersecurity, including better security metrics, cyber insurance/risk transfer, information sharing, and liability assignment.
After finishing this course, you will be able to apply economic analysis and data analytics to cybersecurity. You will understand the role played by incentives in the adoption and effectiveness of security mechanisms, and in the design of technical, market-based, and regulatory solutions to different security threats.
None. Familiarity with basic concepts of information security is recommended.