Information Security as a Social Science

Instructors

• Stuart Schechter (Microsoft Research)
• Jaeyeon Jung (Intel Research)

Course Description

Most information security textbooks address security as the study of building operating systems and networks that can ensure the confidentiality, integrity, and availability of data in they work with. They may also examine mechanisms through which one system can verify properties of information received from other systems (e.g. who actually sent it).

No real system will be secure if those who design it, purchase it, deploy it, and use it dont have the knowledge or incentives to ensure that the system remains secure. Economic and psychological forces often have a far greater effect on the overall security of a system than choice of cryptography or the strength of the operating systems security primitives.

In this course we will study information security from a social science perspective, focusing on the economics, psychology, and studies of security usability. The readings have been selected to provide a wide cross-section of work in these areas. They have also been selected to include works that are both groundbreaking and entertaining.

This two-week course will be taught in English, offered for a single credit, and will be graded pass-fail.

Class Dates

2008 February 11, 13, 15, 18, & 22 from 2:30pm to 5:00pm

Prerequisites

• Must be willing to read, discuss, and present in English.
• Experience reading academic papers is recommended.

Language

English

Assignments

• Ten academic papers to read (two per class)
• One thirty minute presentation of one of the course readings
• One short final paper or study plan

Lecture Notes

• Feb. 11, 2008

Readings

Feb. 13 (Wed), 2008

• [Presenter: Jaeyeon] Why Johnny Cant Encrypt: A Usability Evaluation of PGP 5.0
  Alma Whitten and J. Doug Tygar
• [Presenter: Stuart] Why information security is hard - an economic perspective
  Ross Anderson

Feb. 15 (Fri), 2008

• System Reliability and Free Riding
  Hal R. Varian
• The Economics of Information Security Investment
  Lawrence Gordon and Martin Loeb

Feb. 18 (Mon), 2008

• [Presenter: Donghyun] Proof-of-Work Proves Not to Work.
  Ben Laurie and Richard Clayton
• [Presenter: Hyunwoo] Adverse Selection in Online Trust Certifications
  Ben Edelman

Feb. 20 (Wed), 2008

• [Presenter: Joowon] Why Phishing Works
  Rachna Dhamija, J. Doug Tygar, & Marti Hearst
• [Presenter: Yoonchan] The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study
  Janice Tsai, Serge Egelman, Lorrie Cranor, & Alessandro Acquisti

Feb. 22 (Fri), 2008

• [Presenter: Junsup] An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks
  Collin Jackson, Dan Simon, Desney Tan, & Adam Barth
• [Presenter: Changhyun] Evaluating the Wisdom of Crowds in Assessing Phishing Websites
  Tyler Moore and Richard Clayton