cyber security economics

  • MARKET - CYBER SECURITY - Indicators and Metrics


    In the past, a great variety of indicators have been developed to measure cyber-security related aspects. 

    Three fields can be differentiated:

    • Firm-level cyber-security indicators
    • Industry-level cyber-security indicators
    • Economy-level cyber-security indicators


    Firm-level Cyber-security Indicators

    These differ according to the organization’s goals. Some indicators are supposed to measure return on security investments, others have the primary intention to measure security risk or policy compliance. It is observable, however, that the tendency is to find quantitative measures in order to be better able to track security policies in organizations.
    There are hundreds of metrics to choose from and an organization’s mission, industry, and size will affect the nature and scope of the task as well as the metrics and combinations of metrics appropriate to accomplish it.
    Because such indicators are so abundant, organizations typically find it difficult to judge which ones to use when security policies are to be evaluated. Comprehensive overviews of measurement already exist; Table 1 below lists some of them. Overviews are also presented by Mateski et al. (2012) and Swanson et al. (2003), among many others.

    Table 1 Some References to Measurement of Cyber-security Aspects

    Author | Explanation
    Herrmann (2007) | The author lists more than 900 privacy and security metrics that measure compliance, resilience and return on investment. The metrics are also scaled by information sensitivity, asset criticality, and risk.
    Brotby and Hinson (2013) | More than 150 metrics are listed, ranging from risk management metrics to IT security metrics to compliance and assurance metrics. The authors have made the list accessible over the Internet by putting it on their website or directly as an XLS on the IPACSO website.



    Notes: This literature overview is not meant to be complete, but to provide a starting point of research for the interested reader.

    This is an area where we will witness an expansion of consultancy services in the cyber-security market in the future, because the need for improved information security policies is increasing.


    IPACSO overview on risk metric lists

    While there are areas of overlap (for example with respect to data breaches), privacy metrics are more focused on the subject matter of compliance with data protection laws and the protection of personal data.

    More information on privacy metrics.


    Industry-level Cyber-security Indicators

    At this stage, there are more indicators to choose from at the level of the firm compared to the level of industries. There are, however, now a number of reports on the costs of cyber-crime and data breaches.

    IPACSO overview
    These reports typically differ in terms of coverage of firms, methodology and region covered (information is given in the Excel file). Most of the reports are surveys of firms with respect to data breaches (e.g. Verizon, Javelin Strategy & Research). Others are using information delivered by threat surveillance networks owned by the publisher (e.g. McAfee, Kaspersky Labs).

    More of this type of industry-level data will come from the CERTs.


    Economy-level Cyber-security Indicators 

    Maybe least researched is the area of economy-level indicators that are supposed to map cyber-security preparedness or resilience of different countries.

    Figure 1 Global Cybersecurity Index of ITU-ABIresearch



    Only a small number of institutions provide this kind of information. The following short list gives references to some organizations that compile such indices.

    Examples of Country Ratings:

    1. Global Cybersecurity Index: This index (developed by ITU-ABIresearch) measures the cybersecurity capacities of countries. It uses five categories for its rating: legal measures, technical measures, organizational measures, capacity building and cooperation. It then ranks countries according to their cybersecurity capabilities (not vulnerabilities). The index is available for roughly 190 countries (2014).

    2. Cyber Power Index: The Cyber Power Index (developed by Booz Allen Hamilton / EUI) is supposed to map the ability of countries to withstand cyber-attacks (and to deploy secure critical infrastructure). The index uses indicators in four areas, including legal and regulatory framework, economic and social context, technology infrastructure and industry application. It is available for 19 leading economies.

    3. Cyber-security readiness: This index (published by McAfee and Security & Defence Agenda (SDA)) ranks 23 countries on their readiness. The indicator is based upon leading experts' subjective perceptions of a nation's defense system. While no country gets the highest mark (five stars), Israel, Sweden and Finland lead the list of prepared countries.


    There are also other sources that use metrics at the country level. For example, in the BSA (The Software Alliance) EU Cybersecurity Dashboard, countries are given a status (“Yes”, “No”, “Partial”, or “Not Applicable”) for each criterion used. There is no overall ranking, but policy makers can judge their country on weaknesses.

    This is not to be confused with the European Commission’s Digital Agenda Scoreboard, which is primarily devoted to mapping how advanced in digitalization the European Member States are.


    Quoted References:
    Brotby, W.K. and G. Hinson (2013). Pragmatic Security Metrics: Applying Metametrics to Information Security, CRC Press.
    Herrmann, D. (2007). Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI, Auerbach Publications.
    Mateski, M., C.M. Trevino, C.K. Veitch, J. Michalski, J.M. Harris, S. Maruoka, J. Frye (2012). Cyber Threat Metrics, SANDIA REPORT, SAND2012-2427.
    Swanson, M., N. Bartol, J. Sabato, J. Hash, and L. Graffo (2003). Security Metrics Guide for Information Technology Systems, National Institute of Standards and Technology (NIST).




    IPACSO Publications and further links:

    Jentzsch, N. (2015) State-of-the-Art of the Economics of Cyber-Security and Privacy, IPACSO - Innovation Framework for ICT Security Deliverable 4.1.

  • MARKET - Economics - CYBER SECURITY - Decision Models



    Economic Decision Models in Cyber-Security

    Traditional management models rely on cost-benefit trade-offs in order to assess whether it is worthwhile to make an investment. Such cost/benefit trade-offs are important in order to assess whether a security strategy is really effective in achieving the stated goal of greater protection of information assets and information systems.

    Assessing costs and benefits is a difficult undertaking in the privacy and cyber-security (PACS) domains. For example, there are direct costs that accrue only to the firm making the decision (such as a purchase) and indirect costs (if the product fails, it might jeopardize the buyer’s supply chain). In the digital supply chain, the investment of one firm in a more secure system indirectly improves other firms’ security if they are connected (so-called externalities).


    Proactive and Reactive Investment Strategies

    Firms face the choice of reactive versus proactive PACS investment strategies (Research Triangle Institute, 2006). According to this research, many firms (in different industries) state that they rely on existing technologies that enable quick implementation of patches, once vulnerabilities are identified.

    Widespread anecdotal evidence suggests that firms beef up security, once they have been hit by a data breach (CBC News (2014). Target CIO resigns as security revamped over data breach). Many firms characterize themselves as employing a mix of proactive and reactive security strategies, presented as iso-security curves (Figure 1). The further these are away from the origin, the higher the level of security reached in this theoretical model.

    Fig. 1 Firm Selection of Optimal Proactive/Reactive Mix


    Source: Research Triangle Institute (2006)

    An iso-security curve marks the trade-off of one strategy for the benefit of the other strategy. At the point $/PA for example, the firm devotes all its funds to the reactive strategy. The optimal mix of proactive and reactive strategies is given at the point of tangency of the budget line with the highest iso-security curve attainable given the budget constraint.


    Costs and Benefits of PACS Products and Services

    Table 1 shows some of the major components of the cost-benefit categories regarding PACS investments. Companies developing innovative PACS products/services will have a problem in making a value proposition, if benefits cannot be firmly ascertained, i.e., in terms of a tangible quantitative reduction of estimated risk. Moreover, there are “teachable moments:” Often, companies only react with increased spending on IT security after a large-scale data breach has occurred. It is then easier for IT staff to make a business case for greater IT investment spending.


    Tab. 1 Costs vs. Benefits of Cyber-security Investments

    Costs | Benefits
    Personnel costs (set up of new in-house teams, tiger teams, etc.) | Decrease in security incidents & cybercrime losses
    Purchase cost (hardware, software, consultancy services) | Reduction in costs of liability for breaches
    Administrative costs | Increase in trust of customers
    In-house R&D | Increase in company reputation
    Opportunity costs | Protection from unfair competition (industrial espionage)
     | Reduction in switching of disgruntled customers to competitors
     | Increase in compliance (if a security duty of care is mandatory)

    Source: Jentzsch (2015).



    Investment Obstacles in Innovation


    Innovation is defined as the implementation of new or significantly improved procedures, products or services (OECD 2005: 46). Innovative privacy and cyber-security products need to prove their added value over the systems currently in use. For decision-makers, innovative products often come with several unknowns. Is a new seller really trustworthy? Is the new technology offered better than a tested and patched one? Does it tangibly reduce the risk of data breaches? Is it worth the investment? How does it change the vulnerability of a firm? Such unknowns make it harder for new technologies to penetrate a market. The ambiguity bias of decision makers (aversion to options with unknown probabilities) is a hurdle to overcome, for example by test-runs that enable the assessment of risks.


    Security Returns on Investment Model

    There are several models for the calculation of the returns on security investments (see references at the end of this website).

    Returns on Investment: ROI is the expected return (eR) minus the investment costs (I), divided by I, i.e. ROI = (eR − I) / I. For security investments, Sonnenreich et al. (2006) propose the ROSI model.


    Returns on Security Investment

    It includes the following factors:
    RE = risk exposure (i.e. past observations on attacks)
    I = investment costs
    RM = mitigated risk (i.e. risk reduction)

    Finding and developing risk metrics is not a problem. Finding accurate numbers to fill the variables with meaningful values is a challenge, though. Especially tricky is the problem of risk exposure: While the damage of discovered hacker attacks can be assessed, there might be a number of unobserved attacks and near-misses. Another complicating factor is the ever-changing nature of technology, datasets and networks, which constantly changes the risk landscape firms are facing.

    In traditional fields of insurance, the probability of events and their damages can be derived from actuarial tables. Actuarial tables in cyber-security and privacy are in development. The traditional Security Returns on Investment Model (see Figure 2) sets the costs of security measures in relation to the security level reachable by expending funds. Such models are typically used by the industry to demonstrate the value proposition of a product.


    Fig. 2 Security Return on Investment Model


    Moreover, decision makers need to employ them in order to compare different investment strategies for privacy and cyber-security investments. Such investments, once regarded as sunk costs, are increasingly seen as an economic enabler.

    According to the above model the optimal level of security is reached when the cost of security countermeasures equals the costs of security breaches. Beyond this point, any increase in security expenditures does not compensate for the reduction in the cost of security breaches.
    The above is a brief introduction in order to give practitioners an overview of decision models in use. It should not be understood as a support for any individual model as they do have their strengths and weaknesses as discussed.


    The calculation of risk arising through mutual exposure, along with other horizontal and vertical relations among market players, is a complex and almost impossible task, because it requires security information from the interconnected firms. These, however, generally have no incentive to share such information for fear of competition, litigation and reputation effects. The aforementioned network externalities also inhibit accurate calculation of security returns on investment. Sonnenreich et al. (2006) propose a computation of exposure as follows:

    Annualized loss exposure: the product of Single Loss Exposure (SLE) times the Annual Rate of Occurrence (ARO). Again, the problem of correct measurement exists, i.e., filling the variables with meaningful values. Future development of metrics ought to account for the aforementioned externalities. Big Data analysis might in the future remedy some of the lack of data.
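
    The ROSI factors and the annualized loss exposure described above, worked through in an added example (not code from this website or from Sonnenreich et al.). It uses ROSI in the form (RE × RM − I) / I with RE set to the annualized loss exposure, treats RM as a fraction between 0 and 1 (an assumption), and shows how uncertain SLE/ARO estimates spread the result; all figures and the triangular (low, most likely, high) ranges are constructed.

```python
import random
import statistics


def annualized_loss_exposure(sle, aro):
    """Annualized loss exposure = Single Loss Exposure (SLE) x Annual Rate of Occurrence (ARO)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def rosi(re, rm, i):
    """Return on security investment: (RE * RM - I) / I.

    re: risk exposure per year (here the annualized loss exposure)
    rm: mitigated risk, ASSUMED to be a fraction between 0 and 1
    i:  investment costs for the same period
    """
    if i <= 0:
        raise ValueError("investment costs must be positive")
    if not 0.0 <= rm <= 1.0:
        raise ValueError("mitigated risk must be a fraction in [0, 1]")
    return (re * rm - i) / i


def break_even_aro(sle, rm, i):
    """Annual rate of occurrence at which ROSI is exactly zero (RE * RM == I)."""
    if sle <= 0 or rm <= 0:
        raise ValueError("SLE and mitigated risk must be positive")
    return i / (sle * rm)


def rosi_distribution(sle_est, aro_est, rm_est, i, trials=10_000, seed=7):
    """Monte Carlo spread of ROSI when the inputs are only known as ranges.

    Each estimate is a (low, most_likely, high) triple sampled from a
    triangular distribution; the fixed seed keeps the run reproducible.
    """
    rng = random.Random(seed)

    def draw(estimate):
        low, mode, high = estimate
        return rng.triangular(low, high, mode)

    samples = sorted(
        rosi(annualized_loss_exposure(draw(sle_est), draw(aro_est)), draw(rm_est), i)
        for _ in range(trials)
    )
    return {
        "p05": samples[int(0.05 * trials)],
        "median": statistics.median(samples),
        "p95": samples[int(0.95 * trials)],
        # Share of scenarios in which the investment does not pay for itself.
        "share_negative": sum(s < 0 for s in samples) / trials,
    }


# Constructed point estimates for one security measure.
SLE = 25_000         # loss per incident
ARO = 4              # incidents per year
RM = 0.75            # fraction of the exposure the measure removes
INVESTMENT = 25_000  # yearly cost of the measure

# Constructed (low, most_likely, high) ranges reflecting unobserved attacks
# and near-misses that make the point estimates uncertain.
SLE_EST = (10_000, 25_000, 60_000)
ARO_EST = (0.5, 2.0, 4.0)
RM_EST = (0.5, 0.75, 0.9)

if __name__ == "__main__":
    exposure = annualized_loss_exposure(SLE, ARO)
    print("ALE:", exposure)
    print("ROSI (point estimate):", rosi(exposure, RM, INVESTMENT))
    print("Break-even ARO:", round(break_even_aro(SLE, RM, INVESTMENT), 2))
    for key, value in rosi_distribution(SLE_EST, ARO_EST, RM_EST, INVESTMENT).items():
        print(f"{key}: {value:.2f}")
```

    The point estimate looks comfortable, while the range-based run reports the share of scenarios in which the same investment yields a negative return, which is the measurement problem the text describes.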

    Cyber-security Metrics

    Comprehensive overviews of measurement already exist. For example, Herrmann (2007) lists more than 900 security metrics. In Brotby and Hinson (2013) more than 150 metrics are listed, ranging from risk management metrics to IT security metrics to compliance and assurance metrics. The authors have made the list accessible over the Internet by putting it on their website as an Excel file. Overviews are also presented by Mateski et al. (2012) and Swanson et al. (2003), among many others. Cyber-resilience metrics are discussed in Linkov et al. (2013). Privacy metrics, an area not well researched to date, will be discussed in the IPACSO framework.




    Related IPACSO Publications

    Jentzsch, N. (2015). State-of-the-Art of the Economics of Cyber-Security and Privacy, IPACSO - Innovation Framework for ICT Security Deliverable 4.1.


    Other quoted Publications

    Research Triangle Institute (2006). Economic Analysis of Cyber-security, AFRL-IF-RS-TR-2006-227, Final Technical Report (July 2006).

    Schneier, Bruce (2008). Security ROI: Fact or Fiction? Data Protection, Essay.

    Sonnenreich, W., J. Albanese and B. Stout (2006). Return On Security Investment (ROSI): A Practical Quantitative Model, Report.

  • MARKET - Economics - CYBER SECURITY - Introduction and Basics



    Economics of Cyber-Security as Research Field

    The economics of cyber-security applies principles of economics to the analysis of cyber-security problems. The main focus is on strategic decisions under incomplete information faced by rational market players (firms, consumers) in situations where the goal is to protect an information system and its contents from harm. The field also covers the analysis of market mechanisms and market failures as well as the economic impact of regulation on the level of cyber-security.


    Cyber-security models include firms and consumers as players, but sometimes also government and third-party players (hackers, etc.). A good share of the literature is devoted to the modelling of cyber-crime and cyber-security investment decisions. Other works are devoted to the measurement of cybercrime costs, the modelling of cyber-insurance and the welfare effects of sharing critical incident information among firms.

    Get an overview of the research field.



    Economic Incentivization of Cyber-security

    An economic incentive is an inducement that leads to an action or behavior which renders a (positive) payoff for the actor. Payoffs are outcomes of cost-benefit trade-offs. A rational actor seeks the optimal choice by maximizing payoff. In economics, utility functions model cost-benefit trade-offs and therefore represent the preferences of actors. Where the outcomes of choices are uncertain, risk or ambiguity is introduced into the decision model.


    If a payoff is positive, it is a reward that provides an incentive for a specific action. If a payoff is negative, it is a penalty that acts as disincentive.

    Payoffs can be solely monetary, but can also involve non-monetary psychological costs and benefits. For example, if a computer system is compromised and the stolen data are used to commit a financial crime, the damaged party suffers a monetary loss. However, if the security incident is made public through the media, the targeted firm also suffers reputational damage. Such reputational effects may severely impair (or not) the trust that customers place in the firm’s security procedures. Table 1 provides a generic overview of the costs and benefits associated with the adoption of privacy and cyber-security technologies.


    Tab. 1 Potential Costs versus Benefits of Privacy and Cyber-security Investments

    Costs | Benefits
    Personnel costs (set up of new in-house teams, external tiger teams, etc.) | Decrease in security incidents and cybercrime losses
    Acquisition costs (security hardware, software, consultancy services) | Reduction in costs of liability for breaches
    Administrative costs | Increase in trust of customers
    In-house R&D | Increase in company reputation
    Opportunity costs* | Reduction in switching of disgruntled customers to competitors
     | Protection from unfair competition (industrial espionage)
     | Increase in compliance (if a security duty of care is mandatory)


    Read more on cyber-security decision-modelling.



    Cyber-Security Markets and Market Players

    The cyber-security market is a physical or virtual place where demand and supply for cyber-security products and services meet. A company is a player in the cyber-security market if it actively offers at least one product (or a portfolio of cyber-security products or services) in that market. Ideally, the main share of revenue of a firm would be associated with the sale of cyber-security products and/or services. If a company's main share of revenues is attributable to cyber-security (or privacy), it can be considered to be part of the cyber-security industry.

    Players that are active in the ICT market are not automatically firms with a separately identifiable portfolio of cyber-security products and services. So while all cyber-security firms are active in ICT, the reverse does not hold: not all firms that are active in ICT are also active in cyber-security.

    Moreover, there are large and very large companies that are primarily active in completely different areas, such as defense, air and space systems (examples are Boeing, Raytheon and Lockheed Martin). These companies are neither ICT companies nor purely cyber-security companies, but they are important players in the cyber-security industry.



    Fig. 1 The Cyber-security Industry as Embedded Industry


    Source: Jentzsch (2015).


    There is an increasing number of cyber-security industry studies published. They vary in terms of industry or market definitions, range of countries covered, time frames of survey, and survey methodologies, among other key aspects. An overview for the interested reader is provided here.

    Some of the players in the cyber-security markets are end-to-end providers of cyber-security solutions. End-to-end providers offer solutions that combine software, hardware and services. There are also many specialized firms that are only active in one specific segment, such as IT security consultancy services or encryption providers (see also Figure 2).

    Fig. 2 Providers of Cyber-security Solutions


     Source: Jentzsch (2015).


    For a full-scale dependency analysis, one would need to do a horizontal analysis (see also market analysis), as well as a vertical analysis.


    Economic and Technological Dependencies

    Many security solutions used by industries in Europe are sold by companies that have their headquarters outside of the European Union. A full-scale analysis of economic and technological dependencies needs to identify these players and analyze their main customers (especially critical infrastructure organizations) as well as the security solutions sold. It then also needs to identify European alternatives. If there are none, the technological dependency can be rated as fairly high.


    Economics of Cybercrime and Data Black Markets

    In the past, a number of grey markets (where legality is unclear) or black markets (outright illegal) have developed. On these markets, different products and services are offered and peddled. There are markets for hacking tools and exploits, stolen personal data (e.g. credit card information), as well as for botnet capacities.

    The economics of cybercrime and data black markets typically looks at the laws of demand and supply in these markets as well as the trade-offs made by market participants. Although the economics of cybercrime was not part of the IPACSO research spectrum, the author of these websites has put together an information sheet on different studies from Norton, McAfee, Verizon and PayPal, see this Table.



    IPACSO Publications:

    Jentzsch, N. (2015) State-of-the-Art of the Economics of Cyber-Security and Privacy, IPACSO - Innovation Framework for ICT Security Deliverable 4.1.

    Jentzsch, N. (2015) Horizontal and Vertical Analysis of Privacy and Cyber-security Markets, IPACSO - Innovation Framework for ICT Security Deliverable 4.2A.

  • MARKET - Economics - Cyber Security - Overview of the Research Field



    State-of-the-art: Overview of the Research Field

    The economics of cyber-security is an active research field, where academics apply principles and tools of economics to the analysis of cyber-security problems. At the center of focus are strategic decisions under incomplete information faced by rational market players in situations, where the goal is to protect an information system and its contents from harm. The field also covers the analysis of market mechanisms and market failures as well as the economic impact of regulation on the level of cyber-security.
    The following Table gives the interested reader a short-cut overview of the research field and the different security problems in the focus of the authors. It separates the field into five areas:

    • Game-theoretic approaches to cyber-security (incl. discussions of market failures)
    • Experimental and psychological research
    • Victim Studies (incl. psychological research)
    • Methodological advances
    • Other research

    Game-theoretic approaches to cyber-security: Game-theoretical models in the economics of cyber-security are preoccupied with attacker-defender situations or with modelling markets for the supply and demand of Botnet services. Other works are devoted to the analysis of risk sharing or information sharing among market participants, as well as the modelling of their security decisions.

    Experimental and psychological research: This research uses methods of experimental economics or experimental computer science in order to study the behavioral elements of cyber-security or privacy decisions. Especially interesting are new approaches such as the infiltration of Botnets. Other authors study the behavioral aspects of security decision-making in individual users.

    Victim Studies: This line of research is listed separately, as it focuses especially on the impact of data breaches and cyber-crime on their victims. Methods used for this research are often interviews as well as surveys, in which persons explain how they became a victim and the financial and psychological damages they suffered.

    Methodological advances and other research: In this field, the focus is on finding new methods and further developing existing ones, for example in order to better measure cyber-crime. Other research that cannot be summarized into one of the aforementioned fields is devoted, for example, to testing the effect of data breaches on stock prices.


    Table 1 Overview of the Research Field of Cyber-security Economics

    Line of Research | Explanation | Authors

    Game-theoretic Approaches to Cyber-security (incl. Discussions of Market Failures)
    Attacker-defender models | Weakest link game – security depends on the weakest link in the system (i.e. minimum effort) [1]; Best shot game – system security depends on the maximum effort exerted; Total effort game – system security depends on total effort of all participants; Network games – network economics of cyber crime | Böhme and Moore (2010); Grossklags et al. (2008a, 2008b); Johnson et al. (2011); Nagurney et al. (2013)
    Economics of Botnets | This research formalizes economic models of Botnets, i.e. the underground market for Botnets, where there is a demand and supply of Botnet services | Bensoussan et al. (2010); Li et al. (2009)
    Cyber-insurance models | These works assess how cyber-insurance affects IT security and welfare of players, including conditions for taking on insurance. Other risk-sharing mechanisms among players are analysed as well | Shetty et al. (2010); Gordon et al. (2003a)
    Security investment models | These papers analyse problems of interdependent security and characterize equilibria of rational players | Gordon and Loeb (2002); Kunreuther and Heal (2003)
    Information sharing models | These works focus on how to improve cyber-security through sharing of critical incident information among competitors | Gal-Or and Ghose (2005); Gordon et al. (2003b)

    Experimental and Psychological Research
    Privacy breaches | This experimental research is related to breaches of consumer privacy simulated in the laboratory | Feri et al. (2013)
    Behavioural cybercrime analytics | One article conducts the infiltration of an existing Botnet to analyse spam conversions. Other works focus on psychological characteristics of computer fraudsters or apply social network (SN) analysis of cybercrime (interviews of card fraudsters in forum) | Kanich et al. (2008); Rogers et al. (2006); Yip (2012)
    Security decision-making | This research uses experiments in order to explore user behaviour with respect to security decisions or the response of users’ security behaviour to framing | Caputo (2011); Grossklags et al. (2008b); Hess and Holt (2007); Rosoff et al. (2013)

    Victim Studies (incl. Psychological Research)
    Psychological impact of identity theft | This research uses interviews/surveys to study the patterns of identity theft as well as the financial and psychological impact on victims | Anderson et al. (2008); Pontell et al. (2008); Van Vliet and Dicks (2010)
    Measurement of consumer reactions / vulnerability | These works are focused on consumers' perceptions of and reactions to cyber-crime and on surveys of who is vulnerable to falling for phishing | Böhme and Moore (2012); Sheng et al. (2010)

    Methodological Advances
    Measurement of cybercrime* | These works are focused on the methodological question of how to measure cyber-crime | Anderson et al. (2012)

    Other research
    Data breach notifications and share prices | These works concentrate on the impact of announced data breaches on the stock prices of companies | Campbell et al. (2003); Muntermann and Roßnagel (2009)


    Notes: This literature overview lists works identified by the author; it is not a complete list of research works in the field. * The measurement of cybercrime is a topic of almost every industry report; these are not specifically listed here. [1] The original papers are Hirshleifer (1983) and Van Huyck et al. (1990). Here, recent articles with a specific focus on information security are quoted.




    IPACSO Publications:

    Jentzsch, N. (2015) State-of-the-Art of the Economics of Cyber-Security and Privacy, IPACSO - Innovation Framework for ICT Security Deliverable 4.1.

    Jentzsch, N. (2015) Horizontal and Vertical Analysis of Privacy and Cyber-security Markets, IPACSO - Innovation Framework for ICT Security Deliverable 4.2A.



    Literature list:

    Anderson, R., C. Barton, R. Böhme, R. Clayton, M. van Eeten, M. Levi, T. Moore, and S. Savage (2012). Measuring the cost of cybercrime. WEIS 2012 presentation.

    Anderson, K.B., E. Durbin, and M.A. Salinger (2008). Identity Theft. Journal of Economic Perspectives 22 (2), 171–192.

    Bensoussan, A., M. Kantarcioglu, C. H. SingRu (2010). A Game-Theoretical Approach for Finding Optimal Strategies in a Botnet Defense Model. Decision and Game Theory for Security, Lecture Notes in Computer Science Volume 6442, 2010, pp. 135-148.

    Böhme, R. and T. Moore (2012). How do consumers react to cybercrime? In APWG eCrime Researchers Summit (eCrime), October 2012.

    Böhme, R. and T. Moore (2010). The iterated weakest link. IEEE Security & Privacy, 8(1): 53-55.

    Caputo, D.D. (2011). Leveraging Human Behavior to reduce Cyber-security Risk: Spear-fishing Study Design, Results and Discussion, Presentation.

    Campbell, K., L. Gordon, M. Loeb, and L. Zhou (2003). The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security, 11(3):431–448, 2003.

    Feri F., C. Giannetti, and N. Jentzsch (2013). Disclosure of Personal Information under Risk of Privacy Shocks, Working Papers wp875, Dipartimento Scienze Economiche, Universita di Bologna.

    Gal-Or, E. and A. Ghose (2005). The Economic Incentives for Sharing Security Information, Information Systems Research 16(2): 186–208.

    Gordon, L.A., Loeb, M., Sohail, T. (2003). A framework for using insurance for cyber-risk management. Communications of the ACM 46(3), 81–85.

    Gordon, L.A., M.P. Loeb (2002). The economics of information security investment. ACM Transactions on Information Systems Security 5(4), 438–457.

    Grossklags, J., N. Christin, J. Chuang (2008a). Predicted and Observed User Behavior in the Weakest-Link Security Game. Proceedings of the 2008 USENIX Workshop on Usability, Psychology, and Security (UPSEC'08), April 2008.

    Grossklags, J., N. Christin, J. Chuang (2008b). Secure or Insure? A Game-Theoretic Analysis of Information Security Games. Proceedings of the 17th International World Wide Web Conference (WWW'08), April 2008.

    Hess, R., C. Holt, and A. Smith (2007). Coordination of strategic responses to security threats: Laboratory evidence. Experimental Economics, 10(3):235-250.

    Johnson, B., J. Grossklags, N. Christin, J. Chuang (2011). Nash Equilibria for Weakest Target Security Games with Heterogeneous Agents. Proceedings of the 2nd International Conference on Game Theory for Networks (GameNets 2011), April 2011.

    Kanich, C., C. Kreibich, K. Levchenko, B. Enright, G.M. Voelker, V. Paxson, S. Savage (2008). Spamalytics: An Empirical Analysis of Spam Marketing Conversion. Proceedings of ACM Conference on Computer and Communications Security (CCS), 3–14. ACM Press.

    Kunreuther, H. and G. Heal (2003). Interdependent Security, Journal of Risk and Uncertainty 26 (2-3): 231-249.

    Li, Z., Q. Liao, A. Siegel (2008). Botnet Economics: Uncertainty Matters, Workshop on the Economics of Information Security.

    Muntermann, J. and H. Roßnagel (2009). On the Effectiveness of Privacy Breach Disclosure Legislation in Europe: Empirical Evidence from the US Stock Market, in: Lecture Notes in Computer Science , A. Jøsang, T. Maseng and S. Knapskog (eds.), Springer Berlin / Heidelberg, 1-14.

    Nagurney, A., Wayne Burleson, Mila Sherman, Senay Solak, and Chris Misra (2013). Network Economics of Cyber Crime with Applications to Financial Service Organizations, University of Massachusetts Amherst, Massachusetts 01003, INFORMS Annual Meeting, Minneapolis, Minnesota, October 6-9, 2013.

    Pontell, H.N, G.C. Brown, A. Tosouni (2008). Stolen Identities: A Victim Survey. Crime Prevention Studies, 23, pp. 57-85.

    Rogers, M.K., K. Seigfried, K. Tidke (2006). Self-reported computer criminal behavior: A psychological analysis, Digital Investigation 3: 116-120.

    Rosoff, H., Cui, J., Richard J.S. (2013). Heuristics and biases in cyber-security dilemmas. Environment Systems and Decisions 33 (4): 517–529.

    Shetty, N., G. A. Schwartz, M. Felegyhazi, and J. Walrand (2010). Competitive cyber-insurance and internet security, in T. Moore, D. Pym, and C. Ioannidis, editors, Economics of Information Security and Privacy, pp. 229-247, Springer-Verlag.

    Van Vliet, K., and J. Dicks (2010). The psychological impact of identity theft: Preliminary findings of a qualitative study. Mimeo, University of Alberta.

    Yip, M., N. Shadbolt, T. Tiropanis and C. Webber (2012). The digital underground economy: a social network approach to understanding cybercrime. In: Digital Futures 2012 - The Third Annual Digital Economy All Hands Conference, Aberdeen, GB, 23 - 25 Oct 2012.


