Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
One of the most difficult problems information-assurance managers face is integrating IA into the financial management architecture underlying modern organizations. Because of the lack of centralized, verifiable reporting on information security breaches and their costs, it is impossible to emulate the actuarial statistics common to other forms of loss avoidance such as insurance, preventive maintenance, and healthcare.
Strictly numerical methods such as annualized loss expectancies are of limited value in our field because of uncertain probabilities of occurrence and nebulous cost estimates for recovery from events that have not yet occurred in a specific environment.
Readers interested in this subject who can travel to the lovely New England town of Hanover, N.H., at the end of June this year will be able to spend a few days concentrating on a range of topics centering on “risks, decision-making behaviors and metrics for evaluating business and policy options.”
The home page for the 2008 Workshop on the Economics of Information Security continues by asking, “How much should we spend on security? What incentives really drive privacy decisions? What are the trade-offs that individuals, firms, and governments face when allocating resources to protect data assets? Are there good ways to distribute risks and align goals when securing information systems?”
This seventh Workshop follows successful events hosted by leading universities in the United States and the United Kingdom from 2002 through 2007. Topics this year include the following (see the program for details including the full titles and the speakers):
* Cyber Policy and Regulation
- Risk in Retail Payments
- Identity Theft
- Security Economics and European Policy
* Media Panel: Journalists’ Perspective on Communicating Security
* CISO Panel: Evaluating and Communicating Information Risk
* Risk Management and Security Investment
- Homogeneous and Heterogeneous User Agents
- Business-Oriented Management of Information Security
- Productivity Space of Information Security
- Communicating the Economic Value of Security Investments
* Technology and Policy Adoption
- USB Memory Stick Security
- Information Governance
- Digital Rights Management
* Combatting Cybercrime
- The Disclosure Debate
- Incentives
- Malicious Web sites and the Underground Economy in China
- Botnet Economics
* Cybercrime Panel: Investigating and Prosecuting Cybercrime
* End-to-End Trust
* Disclosure and Firm Valuation
- SOx and Role of the Media
- Information Security Disclosures and Incidents
- Cyber Insurance
* Privacy and Trust
- Economics of Covert Community Detection and Hiding
- Transparency in Personal Data Processing
- Distributed Trust
- Competition for Information
The Workshop is hosted this year by the Center for Digital Strategies of the Tuck School of Business at Dartmouth College. The Dartmouth campus is a three-hour drive from Boston (not counting rush hour) and is a two-hour interstate-highway drive from Manchester-Boston Regional Airport (code MHT) in New Hampshire and from the Burlington International Airport (code BTV) in Vermont. Once in New Hampshire or in Vermont, congestion is measured in rush minutes and the scenery is spectacularly lush in mid-summer.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.