Article

Complementary Perspectives on Privacy and Security: Economics

Abstract

Economics and behavioral economics offer different but complementary approaches to understanding privacy and security. This article explains briefly their differences and similarities, and why they matter in our thinking about security and privacy.


... Sharing Sensitivity: The interruption literature has reported that interruptions that provide useful information are viewed more positively [11,19,25,28]. This has also been noticed in the context of privacy decisions: if the reward outweighs the cost of sharing, it seems rational to do so [1]. Even though every privacy-related interruption should be considered important and worthy of an interruption, some requests can carry higher risks or costs than others. ...
Conference Paper
This paper presents an organized set of variables that can aid intelligent privacy agents in predicting the best and necessary moments to interrupt users in order to give them control and awareness over their privacy, while avoiding information overload or overchoice.
Article
Full-text available
This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend at most a small fraction (1/e) of the expected loss due to a security breach.
Article
Full-text available
In the United States, identity theft resulted in corporate and consumer losses of $56 billion in 2005, with up to 35 percent of known identity thefts caused by corporate data breaches. Many states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. Although the laws are expected to reduce identity theft, their effect has yet to be empirically measured. We use panel data from the U.S. Federal Trade Commission to estimate the impact of data breach disclosure laws on identity theft from 2002 to 2009. We find that adoption of data breach disclosure laws reduces identity theft caused by data breaches, on average, by 6.1 percent. © 2011 by the Association for Public Policy Analysis and Management.
Chapter
Full-text available
Considers the topic of invasion of privacy and suggests that "the values involved can best be understood in terms of the management of communication rather than the sanctity of privacy."
Article
Full-text available
This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend only a small fraction of the expected loss due to a security breach.
Article
Full-text available
In this article, the author discusses why users compromise computer security mechanisms and how to take remedial measures. Confidentiality is an important aspect of computer security. It depends on authentication mechanisms, such as passwords, to safeguard access to information. Traditionally, authentication procedures are divided into two stages: identification and a secret password. To date, the usability of password mechanisms and its effect on password security have rarely been investigated. Since security mechanisms are designed, implemented, applied and breached by people, human factors should be considered in their design. It seems that currently, hackers pay more attention to the human link in the security chain than security designers do, by using social engineering techniques to obtain passwords. The key element in password security is the crackability of a password combination. System-generated passwords are essentially the optimal security approach; user-generated passwords are potentially more memorable and thus less likely to be disclosed. Regarding password composition, an alphanumeric password is more secure than one composed of letters alone.
Article
Privacy is viewed as a process of boundary regulation, controlling how much (or how little) contact an individual maintains with others. Self-disclosure involves the verbal transmission of information. Adjustment of self-disclosure outputs and inputs is boundary regulation; the extent of control one maintains over this exchange of information contributes to the amount of privacy one has in a social relationship. Regulation of interpersonal boundaries affects the kinds of relationships we maintain with others (as in friendships and power relationships). There also are implications for personality functioning. Reconceptualizing self-disclosure as a form of boundary adjustment in the maintenance of privacy may provide a useful framework for integrating the self-disclosure literature.
Article
It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.
Book
As Internet-based commerce becomes commonplace, it is important that we examine the systems used for these financial transactions. Underlying each system is a set of assumptions, particularly about trust and risk. To evaluate systems, and thus to determine one's own risks, requires an understanding of the dimensions of trust: security, privacy, and reliability. In this book Jean Camp focuses on two major yet frequently overlooked issues in the design of Internet commerce systems—trust and risk. Trust and risk are closely linked. The level of risk can be determined by looking at who trusts whom in Internet commerce transactions. Who will pay, in terms of money and data, if trust is misplaced? When the inevitable early failures occur, who will be at risk? Who is "liable" when there is a trusted third party? Why is it necessary to trust this party? What exactly is this party trusted to do? To answer such questions requires an understanding of security, record-keeping, privacy, and reliability. The author's goal is twofold: first, to provide information on trust and risk to businesses that are developing electronic commerce systems; and second, to help consumers understand the risks in using the Internet for purchases and show them how to protect themselves. Rather than propose a single model of an Internet commerce system, the author provides the information and insights needed by merchants and consumers as they develop the Internet for commerce.
Conference Paper
Security is both a feeling and a reality. And they’re not the same. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We can calculate how secure your home is from burglary, based on such factors as the crime rate in the neighborhood you live in and your door-locking habits. We can calculate how likely it is for you to be murdered, either on the streets by a stranger or in your home by a family member. Or how likely you are to be the victim of identity theft. Given a large enough set of statistics on criminal acts, it’s not even hard; insurance companies do it all the time.
Conference Paper
According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. The author puts forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.
Article
Dichotomies between privacy attitudes and behavior have been noted in the literature but not yet fully explained. We apply lessons from the research on behavioral economics to understand the individual decision making process with respect to privacy in electronic commerce. We show that it is unrealistic to expect individual rationality in this context. Models of self-control problems and immediate gratification offer more realistic descriptions of the decision process and are more consistent with currently available data. In particular, we show why individuals who may genuinely want to protect their privacy might not do so because of psychological distortions well documented in the behavioral literature; we show that these distortions may affect not only 'naive' individuals but also 'sophisticated' ones; and we prove that this may occur also when individuals perceive the risks from not protecting their privacy as significant.
Article
User errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. Is this simply due to a failure to apply standard user interface design techniques to security? We argue that, on the contrary, effective security requires a different usability standard, and that it will not be achieved through the user interface design techniques appropriate to other types of consumer software. To test this hypothesis, we performed a case study of a security program which does have a good user interface by general standards: PGP 5.0. Our case study used a cognitive walkthrough analysis together with a laboratory user test to evaluate whether PGP 5.0 can be successfully used by cryptography novices to achieve effective electronic mail security. The analysis found a number of user interface design flaws that may contribute to security failures, and the user test demonstrated that when our test participants were g...
A. Shostack and P. Syverson, "What Price Privacy?" Economics of Information Security, 2004, pp. 129–142.