In response to the changing cybersecurity challenges, spending on information security has grown steadily and might eventually reach a point that’s inefficient and unaffordable. Both governments and market-oriented organizations must carefully balance tradeoffs between security and privacy.
IEEE Security & Privacy
From the Editors
Autonomy, Robotics, and Dependability
Robin E. Bloomfield
Abstract: There is currently intense interest in robotic and autonomous systems, both in the technical and engineering communities and more broadly. These systems have always been appealing as they blend social impact, technology, science fiction, and philosophy with newsworthy speculation and sensationalism in imagined futures. These futures might arrive much faster than we thought as technology (sensors, actuators, power, and sensing and learning) converges with strong business drivers and social need.
Interview
Silver Bullet Talks with Bart Preneel
Gary McGraw, Cigital
Abstract: Gary McGraw discusses cryptology and information security with Bart Preneel, a professor at one of the world’s oldest universities.
Guest Editors’ Introduction
What’s New in the Economics of Cybersecurity?: Observational and Empirical Studies
Massimo Felici, HP Labs
Nick Wainwright, HP Labs
Fabio Bisogni, Fondazione FORMIT
Simona Cavallini, Fondazione FORMIT
Abstract: The articles in this special issue, together with those in the companion issue, highlight the need for large, complex observational and empirical studies and represent the kind of studies that will advance our understanding of cybersecurity economics.
Economics of Cybersecurity, Part 1
Economics of Fighting Botnets: Lessons from a Decade of Mitigation
Hadi Asghari, Delft University of Technology
Michel J.G. van Eeten, Delft University of Technology
Johannes M. Bauer, Michigan State University
DOI: 10.1109/MSP.2015.110 [paywall]
Abstract: The fight against botnets has been going on for more than a decade, but they still impose significant costs. ISPs have become increasingly central to the effort, as they can undertake mitigation more economically and efficiently than end users. A study evaluates the role and performance of ISPs in botnet mitigation across 60 countries.
Economics of Cybersecurity, Part 1
The Value of Web Search Privacy
Sören Preibusch, Microsoft Research
DOI: 10.1109/MSP.2015.109 [paywall]
Abstract: A pioneering study of behavioral economics examines the value of search engine privacy features to consumers, particularly compared with convenience and search result quality.
Economics of Cybersecurity, Part 1
Improving Security Policy Decisions with Models
Tristan Caulfield, University College London
David Pym, University College London
DOI: 10.1109/MSP.2015.97 [paywall]
Abstract: A rigorous methodology, grounded in mathematical systems modeling and the economics of decision making, can help security managers explore the operational consequences of their design choices and make better decisions.
Economics of Cybersecurity, Part 1
Assessing a Potential Cyberattack on the Italian Electric System
Clementina Bruno, University of Eastern Piedmont
Luca Guidi, Enel
Azahara Lorite-Espejo, Innovation and Entrepreneurship Business School
Daniela Pestonesi, Enel
DOI: 10.1109/MSP.2015.99 [paywall]
Abstract: This case study explores a hypothetical but plausible attack on the Italian electric system. Under particular scenarios of grid weakness, it could lead to a blackout costing the local economy 35 to 46 million euros in damages.
Economics of Cybersecurity, Part 1
IT Interdependence and the Economic Fairness of Cybersecurity Regulations for Civil Aviation
Martina De Gramatica, University of Trento
Fabio Massacci, University of Trento
Woohyun Shim, University of Trento
Alessandra Tedeschi, Deep Blue SRL
Julian Williams, Durham University
DOI: 10.1109/MSP.2015.98 [paywall]
Abstract: Interviews about emerging cybersecurity threats and a cybersecurity public policy economic model for civil aviation illustrate stakeholders’ concerns: interdependency issues can lead to aviation regulations that put smaller airports at a disadvantage.
Biometric Spoofing
Biometric Liveness Detection: Challenges and Research Opportunities
Zahid Akhtar, University of Udine
Christian Micheloni, University of Udine
Gian Luca Foresti, University of Udine
DOI: 10.1109/MSP.2015.116 [paywall]
Abstract: In a spoofing attack, an impostor masquerades as a legitimate user by replicating that user’s biometrics. Although methods exist to determine whether a live person or biometric artifact is in front of a biometric sensor, spoofing attacks remain a problem.
Education
Cybersecurity Competitions: The Human Angle
Masooda Bashir, University of Illinois at Urbana-Champaign
April Lambert, University of Illinois at Urbana-Champaign
Boyi Guo, University of Illinois at Urbana-Champaign
Nasir Memon, New York University Polytechnic School of Engineering
Tzipora Halevi, New York University Polytechnic School of Engineering
DOI: 10.1109/MSP.2015.100 [paywall]
Abstract: As a first step in a larger research program, the authors surveyed Cybersecurity Awareness Week participants. By better understanding the characteristics of those who attend such events, they hope to design competitions that will inspire students to pursue cybersecurity careers.
Privacy Interests
Vidal-Hall and Risk Management for Privacy Breaches
Katrine Evans, Hayman Lawyers
DOI: 10.1109/MSP.2015.94 [paywall]
Abstract: The recent English Court of Appeal case of Google v. Vidal-Hall raises three issues for many Internet-based businesses: whether they can be sued in tort for misuse of private information, whether browser-generated information is defined as personal data, and whether compensation for emotional distress without accompanying financial loss can be awarded.
Crypto Corner
High-Assurance Cryptography: Cryptographic Software We Can Trust
Gilles Barthe, IMDEA Software Institute
DOI: 10.1109/MSP.2015.112 [paywall]
Abstract: In response to recent cyberattacks, mathematicians, cryptographers, and security experts have advocated developing alternative approaches for building “high-assurance” cryptographic software. There’s evidence that computer tools that deliver high-assurance cryptographic software are within our reach.
Security & Privacy Economics
Protecting Patient Data: The Economic Perspective of Healthcare Security
Juhee Kwon, City University of Hong Kong
M. Eric Johnson, Vanderbilt University
DOI: 10.1109/MSP.2015.113 [paywall]
Abstract: Despite the ambiguities of healthcare security costs and benefits, market mechanisms can nudge healthcare organizations toward effective proactive and voluntary security actions. However, the effectiveness of market mechanisms suffers from the economic forces of the imperfect US healthcare market. Thus, market-driven investments must be supplemented with regulatory intervention across all types of healthcare organizations. Such regulatory intervention should focus on reinforcing the economic impact of information security rather than simply trying to force specific behavior.
Building Security In
Securing Cloud-Based Applications, Part 1
Jonathan Margulies, Qmulos
DOI: 10.1109/MSP.2015.117 [paywall]
Abstract: In the first article of a series on building software as a service (SaaS) applications with security in mind, the author discusses best practices for user authentication, including cloud-based authentication services, key derivation functions, and two-factor authentication options.
In Our Orbit
It’s All Over but the Crying: The Emotional and Financial Impact of Internet Fraud
David Modic, University of Cambridge Computer Laboratory
Ross Anderson, University of Cambridge Computer Laboratory
DOI: 10.1109/MSP.2015.107 [paywall]
Abstract: Drawing from their survey on Internet fraud’s emotional consequences, the authors conclude that the psychological effects of victimization are just as critical as the financial. Respondents reported that romance scams and advance fee fraud had the highest emotional impact.
Last Word
Children of the Magenta
Daniel E. Geer, In-Q-Tel
Abstract: There is a cacophony of calls for cybersecurity automation. The most experienced people are no longer directly solving problems but instead are supervising largely automated processes. More and more, digital devices are tuning out small failures, from attacks and misconfigurations to version mismatches and service disconnects.