
Why Information Security Is Hard – An Economic Perspective (2001) [pdf] - rchen8
https://www.acsac.org/2001/papers/110.pdf
======
raesene9
A very interesting read, and worth noting that most/all of the base problems
described are still very much present.

Ross Anderson's security engineering book that gets a mention in this paper is
available online for free at
[http://www.cl.cam.ac.uk/~rja14/book.html](http://www.cl.cam.ac.uk/~rja14/book.html)

------
sinnet3000
On edX you can find a cybersecurity economics course by Ross Anderson and
other experts in the field.

I took it a few years ago and at that time it was not free; now it is. If
somebody is interested, here is the link:
[https://www.edx.org/course/cyber-security-economics-delftx-s...](https://www.edx.org/course/cyber-security-economics-delftx-secon101x)

~~~
rchen8
Thanks for sharing, this is great!

------
jbpetersen
Abstract:

According to one common view, information security comes down to technical
measures. Given better access control policy models, formal proofs of
cryptographic protocols, approved firewalls, better ways of detecting
intrusions and malicious code, and better tools for system evaluation and
assurance, the problems can be solved. In this note, I put forward a contrary
view: information insecurity is at least as much due to perverse incentives.
Many of the problems can be explained more clearly and convincingly using the
language of microeconomics: network externalities, asymmetric information,
moral hazard, adverse selection, liability dumping and the tragedy of the
commons.

