IEEE Security & Privacy’s Special Issue on the Economics of Cybersecurity

S&P magazine cover

In response to the changing cybersecurity challenges, spending on information security has grown steadily and might eventually reach a point that’s inefficient and unaffordable. Both governments and market-oriented organizations must carefully balance tradeoffs between security and privacy.

To subscribe digitally to IEEE S&P magazine, go here.

IEEE Security&Privacy

Volume 13, Issue 5


From the Editors

Autonomy, Robotics, and Dependability

Robin E. Bloomfield

DOI: 10.1109/MSP.2015.106

Abstract: There is currently intense interest in robotic and autonomous systems, both in the technical and engineering communities and more broadly. These systems have always been appealing as they blend social impact, technology, science fiction, and philosophy with newsworthy speculation and sensationalism in imagined futures. These futures might arrive much faster than we thought as technology (sensors, actuators, power, and sensing and learning) converges with strong business drivers and social need.



Silver Bullet Talks with Bart Preneel

Gary McGraw, Cigital

DOI: 10.1109/MSP.2015.101

Abstract: Gary McGraw discusses cryptology and information security with Bart Preneel, a professor at one of the world’s oldest universities.


Guest Editors’ Introduction

What’s New in the Economics of Cybersecurity?: Observational and Empirical Studies

Massimo Felici, HP Labs
Nick Wainwright, HP Labs
Fabio Bisogni, Fondazione FORMIT
Simona Cavallini, Fondazione FORMIT

DOI: 10.1109/MSP.2015.105

Abstract: The articles in this special issue, together with those in the companion issue, highlight the need for large, complex observational and empirical studies and represent the kind of studies that will advance our understanding of cybersecurity economics.


Economics of Cybersecurity, Part 1

Economics of Fighting Botnets: Lessons from a Decade of Mitigation

Hadi Asghari, Delft University of Technology
Michel J.G. van Eeten, Delft University of Technology
Johannes M. Bauer, Michigan State University

DOI: 10.1109/MSP.2015.110 [paywall]

Abstract: The fight against botnets has been going on for more than a decade, but they still impose significant costs. ISPs have become increasingly central to the effort, as they can undertake mitigation more economically and efficiently than end users. A study evaluates the role and performance of ISPs in botnet mitigation across 60 countries.


Economics of Cybersecurity, Part 1

The Value of Web Search Privacy

Sören Preibusch, Microsoft Research

DOI: 10.1109/MSP.2015.109 [paywall]

Abstract: A pioneering study of behavioral economics examines the value of search engine privacy features to consumers, particularly compared with convenience and search result quality.


Economics of Cybersecurity, Part 1

Improving Security Policy Decisions with Models

Tristan Caulfield, University College London
David Pym, University College London

DOI: 10.1109/MSP.2015.97 [paywall]

Abstract: A rigorous methodology, grounded in mathematical systems modeling and the economics of decision making, can help security managers explore the operational consequences of their design choices and make better decisions.


Economics of Cybersecurity, Part 1

Assessing a Potential Cyberattack on the Italian Electric System

Clementina Bruno, University of Eastern Piedmont
Luca Guidi, Enel
Azahara Lorite-Espejo, Innovation and Entrepreneurship Business School
Daniela Pestonesi, Enel

DOI: 10.1109/MSP.2015.99 [paywall]

Abstract: This case study explores a hypothetic but plausible attack on the Italian electric system. Under particular scenarios of grid weakness, it could lead to a blackout costing the local economy 35 to 46 million euros in damages.


Economics of Cybersecurity, Part 1

IT Interdependence and the Economic Fairness of Cybersecurity Regulations for Civil Aviation

Martina De Gramatica, University of Trento
Fabio Massacci, University of Trento
Woohyun Shim, University of Trento
Alessandra Tedeschi, Deep Blue SRL
Julian Williams, Durham University

DOI: 10.1109/MSP.2015.98 [paywall]

Abstract: Interviews about emerging cybersecurity threats and a cybersecurity public policy economic model for civil aviation illustrate stakeholders’ concerns: interdependency issues can lead to aviation regulations that put smaller airports at a disadvantage.


Biometric Spoofing

Biometric Liveness Detection: Challenges and Research Opportunities

Zahid Akhtar, University of Udine
Christian Micheloni, University of Udine
Gian Luca Foresti, University of Udine

DOI: 10.1109/MSP.2015.116 [paywall]

Abstract: In a spoofing attack, an impostor masquerades as a legitimate user by replicating that user’s biometrics. Although methods exist to determine whether a live person or biometric artifact is in front of a biometric sensor, spoofing attacks remain a problem.



Cybersecurity Competitions: The Human Angle

Masooda Bashir, University of Illinois at Urbana-Champaign
April Lambert, University of Illinois at Urbana-Champaign
Boyi Guo, University of Illinois at Urbana-Champaign
Nasir Memon, New York University Polytechnic School of Engineering
Tzipora Halevi, New York University Polytechnic School of Engineering

DOI: 10.1109/MSP.2015.100 [paywall]

Abstract: As a first step in a larger research program, the authors surveyed Cybersecurity Awareness Week participants. By better understanding the characteristics of those who attend such events, they hope to design competitions that will inspire students to pursue cybersecurity careers.


Privacy Interests

Vidal-Hall and Risk Management for Privacy Breaches

Katrine Evans, Hayman Lawyers

DOI: 10.1109/MSP.2015.94 [paywall]

Abstract: The recent English Court of Appeal case of Google v. Vidal-Hall raises three issues for many Internet-based businesses: whether they can be sued in tort for misuse of private information, whether browser-generated information is defined as personal data, and whether compensation for emotional distress without accompanying financial loss can be awarded.


Crypto Corner

High-Assurance Cryptography: Cryptographic Software We Can Trust

Gilles Barthe, IMDEA Software Institute

DOI: 10.1109/MSP.2015.112 [paywall]

Abstract: In response to recent cyberattacks, mathematicians, cryptographers, and security experts have advocated developing alternative approaches for building “high-assurance” cryptographic software. There’s evidence that computer tools that deliver high-assurance cryptographic software are within our reach.


Security & Privacy Economics

Protecting Patient Data-The Economic Perspective of Healthcare Security

Juhee Kwon, City University of Hong Kong
M. Eric Johnson, Vanderbilt University

DOI: 10.1109/MSP.2015.113 [paywall]

Abstract: Despite the ambiguities of healthcare security costs and benefits, market mechanisms can nudge healthcare organizations toward effective proactive and voluntary security actions. However, the effectiveness of market mechanisms suffers from the economic forces of the imperfect US healthcare market. Thus, market-driven investments must be supplemented with regulator intervention across all types of healthcare organizations. However, such regulatory intervention should focus on reinforcing the economic impact of information security rather than simply trying to force specific behavior.


Building Security In

Securing Cloud-Based Applications, Part 1

Jonathan Margulies, Qmulos

DOI: 10.1109/MSP.2015.117 [paywall]

Abstract: In the first article of a series on building software as a service (SaaS) applications with security in mind, the author discusses best practices for user authentication, including cloud-based authentication services, key derivation functions, and two-factor authentication options.


In Our Orbit

It’s All Over but the Crying: The Emotional and Financial Impact of Internet Fraud

David Modic, University of Cambridge Computer Laboratory
Ross Anderson, University of Cambridge Computer Laboratory

DOI: 10.1109/MSP.2015.107 [paywall]

Abstract: Drawing from their survey on Internet fraud’s emotional consequences, the authors conclude that the psychological effects of victimization are just as critical as the financial. Respondents reported that romance scams and advance fee fraud had the highest emotional impact.


Last Word

Children of the Magenta

Daniel E. Geer, In-Q-Tel

DOI: 10.1109/MSP.2015.91

Abstract: There is a cacophony of calls for cybersecurity automation. The most experienced people are no longer directly solving problems but instead are supervising largely automated processes. More and more, digital devices are tuning out small failures, from attacks and misconfigurations to version mismatches and service disconnects.