IEEE Security and Privacy’s Special Issue on the Economics of Cybersecurity, Part 2


This special issue presents readers with a look at how the changing roles of cyberactors highlight how interaction approaches, business models, and organizational practices relate to cybersecurity economics.


IEEE Security & Privacy

Volume 14, Issue 3

From the Editors

Trust Me. Trust Me Not.

Bill Horne

DOI: 10.1109/MSP.2016.56

Abstract: In the physical world, our day-to-day lives are arguably governed more by trust than security. As technology continues to become more engrained in our physical lives, is it possible that trust gives way to security? What’s the future of trust?


Silver Bullet Talks with Jamie Butler

Gary McGraw, Cigital

DOI: 10.1109/MSP.2016.63

Abstract: Gary McGraw talks to Jacob West, chief architect for security products at NetSuite, about secure design, the critical difference between bugs and flaws, and wearable device security.

Guest Editor’s Introduction

What’s New in the Economics of Cybersecurity

Massimo Felici, Hewlett Packard Enterprise
Nick Wainwright, Hewlett Packard Enterprise
Simona Cavallini, FORMIT Foundation
Fabio Bisogni, FORMIT Foundation

DOI: 10.1109/MSP.2016.64

Abstract: Cyberactors are increasingly adopting traditional and innovative security measures to protect valuable information in the cyberworld. Information, and any aspect of it, such as its abundance, distortion, misuse, and value, governs the cyberworld. In this context, new actors are emerging alongside traditional ones, with an essential role for intermediaries, who aim to systematically identify, handle, filter, monitor, and disseminate information. Cyberactors’ changing roles highlight how interaction approaches, business models, and organizational practices relate to cybersecurity economics.

Economics of Cybersecurity, Part 2

The Navigation Metaphor in Security Economics

Wolter Pieters, Delft University of Technology
Jeroen Barendse, LUST
Margaret Ford, Consult Hyperion
Claude P.R. Heath, Royal Holloway, University of London
Christian W. Probst, Technical University of Denmark
Ruud Verbij, KPMG Netherlands

DOI: 10.1109/MSP.2016.47 [paywall]

Abstract: The navigation metaphor for cybersecurity merges security architecture models and security economics. By identifying the most efficient routes for gaining access to assets from an attacker’s viewpoint, an organization can optimize its defenses along these routes. The well-understood concept of navigation makes it easier to motivate and explain security investment to a wide audience, encouraging strategic security decisions.

Economics of Cybersecurity, Part 2

Chasing Data in the Intermediation Era: Economy and Security at Stake

Aurelien Faravelon, INRIA
Stephane Frenot, University of Lyon, INSA
Stephane Grumbach, INRIA

DOI: 10.1109/MSP.2016.50 [paywall]

Abstract: Online intermediation platforms play an increasing role in the economy and carry a growing responsibility for ensuring the global security of society. This article aims to better define algorithmic intermediation by establishing a hierarchy of intermediation actors based on their degree of abstraction from specific services. This hierarchy helps to show that the more platforms offer abstract services, the more power they have.

Economics of Cybersecurity, Part 2

Mules, Seals, and Attacking Tools: Analyzing 12 Online Marketplaces

Ziming Zhao, Arizona State University
Mukund Sankaran, Arizona State University
Gail-Joon Ahn, Arizona State University
Thomas J. Holt, Michigan State University
Yiming Jing, Arizona State University
Hongxin Hu, Clemson University

DOI: 10.1109/MSP.2016.46 [paywall]

Abstract: A six-year analysis of 12 multilingual online marketplaces focuses on underground commerce, including stolen user data, fake identities, and attacking tools and services. Migration trends, items for sale, and seller and buyer characteristics reveal commonalities among these fraudulent markets.

Economics of Cybersecurity, Part 2

Designing Cybersecurity into Defense Systems: An Information Economics Approach

Chad Dacus, Air University Cyber College
Panayotis A. Yannakogeorgos, Air University Cyber College

DOI: 10.1109/MSP.2016.49 [paywall]

Abstract: Hackers have compromised the designs of numerous major US weapon systems. Safeguarding mission-critical systems requires effective network security and secure firmware and software. To achieve this, the US Defense Department should carefully screen contractors based on their past cybersecurity prowess and provide incentives for them to produce and maintain secure systems.

Economics of Cybersecurity, Part 2

Economic Impacts of Rules- versus Risk-Based Cybersecurity Regulations for Critical Infrastructure Providers

Fabio Massacci, University of Trento
Raminder Ruprai, National Grid, UK
Matthew Collinson, University of Aberdeen
Julian Williams, Durham University

DOI: 10.1109/MSP.2016.48 [paywall]

Abstract: What’s the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.


HbbTV Security and Privacy: Issues and Challenges

Marco Ghiglieri, Technische Universität Darmstadt
Michael Waidner, Technische Universität Darmstadt

DOI: 10.1109/MSP.2016.54 [paywall]

Abstract: Hybrid Broadcast Broadband TV (HbbTV) is a standardized technology that delivers Web content directly to smart TVs and set-top boxes. Unlike PCs and mobile devices, smart TVs don’t allow consumers to configure privacy and security options. A review of HbbTV considers the implications of this limitation.

Systems Security

Machine Learning in Adversarial Settings

Patrick McDaniel, Pennsylvania State University
Nicolas Papernot, Pennsylvania State University
Z. Berkay Celik, Pennsylvania State University

DOI: 10.1109/MSP.2016.51 [paywall]

Abstract: Recent advances in machine learning have led to innovative applications and services that use computational structures to reason about complex phenomena. Over the past several years, the security and machine-learning communities have developed novel techniques for constructing adversarial samples: malicious inputs crafted to mislead (and therefore corrupt the integrity of) systems built on computationally learned models. The authors consider the underlying causes of adversarial samples and the future countermeasures that might mitigate them.

It All Depends

Quantifiably Trusting the Cloud: Putting Metrics to Work

Ruben Trapero, Technische Universität Darmstadt
Jesus Luna, Technische Universität Darmstadt
Neeraj Suri, Technische Universität Darmstadt

DOI: 10.1109/MSP.2016.65 [paywall]

Abstract: Emerging solutions for assessing cloud trustworthiness must consider the interactions among security, privacy, and risk. They will require a quantitative mind-set to use, and should be an integral part of life cycles that increase transparency in the provision and adoption of trustworthy cloud services.

In Our Orbit

Security Dialogues: Building Better Relationships between Security and Business

Debi Ashenden, Cranfield University at the Defence Academy of the United Kingdom
Darren Lawrence, Cranfield University at the Defence Academy of the United Kingdom

DOI: 10.1109/MSP.2016.57 [paywall]

Abstract: In the real world, there’s often a discrepancy between an organization’s mandated security processes and what actually happens. The social practice of security flourishes in the space between and around formal organizational security processes. By recognizing the value of risk management as a communication tool, security practitioners can tap opportunities to improve the security dialogue with staff.

Last Word

Attack Surfaces

Steven M. Bellovin, Columbia University

DOI: 10.1109/MSP.2016.55

Abstract: Attack surface, the set of ways that a system might be susceptible to an attack, is one of those core concepts that never gets the attention it deserves. But properly understood, it not only helps people analyze system designs but also explains why some system changes help and others hinder.