Prospectus

nl en

Cyber Security Economics

Course
2019-2020

Admission requirements

Admission only after intake, see website of the Cyber Security Academy.
Elective in Master’s programme Cyber Security

Description

This course aims at:

  • students (technical and non-technical) who are expected to deal with on the “economic” forces that shape cyber security policies or actions.

  • students who are expected to design or anticipate on market incentives based cyber security measures and policies.

This course provides an elaboration on the relation between economic theory and practice and cyber- and information security, which is covered briefly in previous semesters. Concepts from economics that are key in understanding the relation between economics and cyber security are introduced and applied to real world situations. The recent rise of interest in of cyber security insurance as a risk transfer instrument within risk management frameworks is the motivation to use this topic as an illustration of the application of the concepts in a more extensive analysis.

During the course first an overview is given of current status of cyber- and information security with relation to economics. The introduction immediately gives rise to questions like: What is the estimated damage to the Dutch economy due to cybercrime? How can cybersecurity incidents or failures be understood from the incentives of market parties involved in delivering these services? What are the (economic) consequences of a lack of cyber security and therefore trust for subjects like privacy, identity, e-commerce etc. How can we measure security and its effects? Why are the markets not working sufficiently? Can conditions be designed such that incentives line up to create a functioning market? What role play regulation, standards and liabilities in this context? Does the market for commercial CA’s work? How to improve it? Who should invest in security? End users? ISP’s? What is the ROI on cyber security investments for these parties?

During the course the following (non-exhaustive) list of concepts is discussed in relation to the above questions:
Asymmetric information, lemons market, externalities, indivisibility of investments, misalignment of incentives, network interdependence, markets and incentives, availability, integrity, privacy, identity, decisions under uncertainty, tragedy of the commons, adverse selection, insurance, risk mitigation, risk avoidance, risk acceptance, risk transfer, costs, benefits, ROI, liability, regulation, metrics, underreporting, moral hazard.
The above concepts are subsequently applied to above stated questions as well as to questions raised by the discussions between the students.

Course objectives

Participants have:

  • a basic knowledge and understanding of the key economic forces that drive cyber risk security in practice

  • a basic knowledge and understanding of the government’s policy options with regard to cyber security and its consequences for businesses and individuals

  • a basic understanding of the concept of cyber security insurance, its potential and its role within a risk management framework and the current problems associated with cyber security insurance

Participants are able to:

  • understand concepts such as incentives, information asymmetry, externalities, indivisibility of investments, moral hazard, network interdependence and their consequences for cyber security

  • apply these concepts and knowledge in evaluating cyber security models and proposals, determine which factors will contribute positively, negatively to cyber security

  • understand the economic effects of regulation, liabilities and standards on structure of markets relevant to cyber security

  • determine how economic reasoning and methodology helps to better address cyber security issues. This from the perspective of government as well as businesses to explain and discuss the application of economic concepts with respect to cyber security with technical staff as well as management and/or policy departments

Timetable

4 Fridays:
Friday 20 September 2019 from 13.30 until 17.00
Friday 27 September 2019 from 9.30 until 17.00
Friday 4 October 2019 from 9.30 until 17.00
Friday 11 October 2019 from 9.30 until 17.00 (class in the morning, exam in the afternoon)

Mode of instruction

(Online) lectures, seminars, exercises, class discussion

Lecturers:
Prof.dr. M.J.G van Eeten (TUD), dr. Carlos Hernandez Ganan (TUD) and others

Course Load

3 EC

Assessment method

Assignment (100%)

The resit will take the same form.

Blackboard

Yes, for posting slides of lectures, relevant literature and assignments.

Reading list

Compulsory literature and literature for further consultation will be announced via Blackboard.

Registration

No registration is required for lectures and exams.

Contact

Chantal de Groot, study coordinator

Remarks

For more information see the website of the Cyber Security Academy.