Abstract:
The economics of information security is a growing research area with a diverse set of participating researchers from various disciplines. Economics as a tool for security analysis has gained in importance since the economy of attackers has become increasingly rational (e.g., motivated by greed). This increasingly rational behavior stands in contrast to that exhibited by the hacker communities of the 1980s and 1990s, who valued reputation, intellectual achievement, and even entertainment above financial incentives.
In practice, there is a large variety of situations in which users face security threats in networked systems, and an equally large number of possible responses to threats. However, in this talk I will argue that one can model most security interactions through a handful of ‘security games,’ and with a small number of decision parameters upon which each user can act.
More precisely, building upon public goods literature, I consider the classical best shot, total effort, and weakest-link games, and will analyze them in a security context. I complement these three games with a novel model, called the weakest-target game, which enables an analysis of a whole class of attacks ranging from insider threats to very aggressive worms. Furthermore, while most research on the economics of security focuses on security investments as a problem with a single variable (e.g., amount of money spent on security), the analysis in this talk is the first to decouple protection investments (e.g., setting up a firewall) from insurance coverage (e.g., archiving data as back up).
This analysis reveals several explanations for the inefficiencies observed in user behaviors and network security. However, I amend that this study is only a first step toward a more comprehensive modeling of user attitudes toward security issues. Indeed, the present study relies on game theory, inheriting several limiting assumptions about user behavior. As such, I also present results from initial laboratory experiments with human participants challenging our theoretical results.

Biography of the speaker:
Jens Grossklags is a Ph.D. candidate at the School of Information at the University of California, Berkeley. Jens is also a graduate student researcher at the Samuelson Law, Technology and Public Policy Clinic at Boalt Hall School of Law. His current work focuses on the economics of networked systems and technology policy with respect to privacy and security.
Jens has published on the topics of consumer privacy, security and networking research. His papers appeared in technical journals, magazines and conference proceedings as well as in legal publications. His prior organizing activities include workshops on privacy in ubiquitous computing systems in Gothenburg, Sweden, and Tokyo, Japan, in 2003 and 2005, respectively. He has served as conference program committee member and reviewer for several academic conferences and journals. Jens has been honored with two best paper awards at international conferences. Further, he contributed to the Federal Trade Commission Public Hearings on Protecting Consumers in the Next Tech-ade in 2006, and the FTC Workshop on Analyzing Negative Option Marketing in 2007.
He received a Masters degree in Information Management and Systems at the University of California, Berkeley and a Diploma in Business Administration at Humboldt-University Berlin, Germany.