CSE5390/7390:
	Economics of Information Security
	SMU, Fall 2012
	Instructor: Tyler Moore
	Home	Course Info	Schedule	Resources

Data Sources and Ideas for Topics

Data sources

There are many more potential sources of security data than I have listed here. Please do not limit your search to these websites.

If you are considering an empirical paper, look at some data sources and see if you can find one that you can do suitable analysis on. In particular, look for datasets that include numerical and categorical variables. Another approach is to pick a class of cybercrime and try to find as much information as you can to come up with an estimate of its cost, who is affected by it, and what the likelihood of attack is.

• ONI assessment of country-level censorship filtering
• Copyright and government requests to Google for content removal
• Data breaches
• Hacked online databases
• Country ZeroAccess botnet
• PhishTank repository of phishing URLs
• SANS Internet Storm Center (including API with lots of data access), list of suspicious domains, observed compromised IPs
• Shadowserver Botnet Statistics
• AA419 volunteers tracking advanced-fee fraud scams

Linking data sources

• US Hospital database
• US University database
• IP to ASN mapping
• Geolite IP to country mapping
• Geolite Python library

Again this is a partial list. The idea here is to find supplemental data that can shed more light on existing security-related data sources.

Economic Indicators

• Internet access statistics
• GDP and traditional economic indicators from World Bank

Topics

Please note that this is not an exhaustive list. You are strongly encouraged to select a topic that is not on this list if it is of interest to you.

• Patching policies
• Vulnerability disclosure
• Cyberwar
• ISP assistance in cleaning up malware on consumer machines
• Information sharing
• Interdependent security
• Cyberinsurance
• Bitcoin
• Data breach research
• Attitudes towards privacy
• Behavioral economics of information security
• Extensions to Gordon-Loeb model
• Advertising fraud (empirical analysis, models)
• Fake antivirus software
• Challenges in empirical computer security research
• Network security (BGP, DNSSEC, ...)
• Proactive versus reactive security investment models
• Payment system security
• Economic issues in identity management
• Mapping false-positive and negative rates between ROC curves and known costs

Example empirical projects

In addition to basing an empirical project on the topics above, here are a few topics for an empirical project.

1. Data breaches at universities. Combine reports of data breaches with information on universities. Join the two data sets based on names and then examine the data to see if particular characteristics of the university affect the probability of a breach occurring (e.g., public vs. private, enrollment, etc.). One could also look at university rankings to see if there is any correlation between university ranking and breach probability.
2. Data breaches at hospitals. Combine reports of data breaches with information on hospitals. Join the two data sets based on names and then examine the data to see if particular characteristics of the hospital affect the probability of a breach occurring (e.g., hospital size,).
3. Online password database hacks. Examine a dataset on web password database breaches to estimate the annual probability of a breach occurring, how many customers are affected per breach, and the success rate per hacker group.
4. Compare malware and phishing distribution by TLD. Compare a dataset of known malware domains to known phishing domains. For malware, one can also look at differences in the type of site as classified by the data. Also, identify the TLDs that are most afflicted by malware and phishing by normalizing according to the number of registrations per top-level domain, as indicated in the appendix of this document.

Paper resources

Curated Paper Lists and Literature Reviews

• Ross Anderson's Economics and Security Resources Page: This page provides a curated list of relevant papers on a range of topics relevant to security economics.
• Alessandro Acquisti's Page on the Economics of Privacy: Similar to Ross Anderson's page, but the emphasis is on topics related to information privacy
• Jean Camp's Information Security Economics Bibliography: Jean Camp also maintains a list of relevant security economics articles, including many of those appearing at venues other than WEIS such as Financial Cryptography and Data Security.
• Literature Review of Security Economics
• Literature Review of Cybercrime Research

Relevant Conferences

Here are some relevant conferences that have papers on security economics topics. In addition, you are encouraged to use search engines on Google Scholar and DBLP. Here's a hint for DBLP searches -- include "venue:weis" in the search to restrict results to WEIS.

• WEIS 2012 - Workshop on the Economics of Information Security
• WEIS 2002-2011

Here are some top computer security conferences where papers on security economics are occasionally published:

• ACM CCS
• IEEE Security and Privacy
• USENIX Security Symposium
• Financial Cryptography and Data Security
• NDSS

Papers are also published in information-school and business-school journals, such as Management Science and Information Systems Research.

---

© 2012 Tyler Moore (Some course material also jointly developed with Rainer Böhme)

Last modified: Tue Nov 6 12:13:58 2012