The Ninth Workshop on the Economics of Information Security (WEIS 2010)

Harvard University, USA

June 7-8, 2010

All events take place in the Northwest Building at
52 Oxford St unless otherwise noted.

Sunday, June 6, 2010

4:30pm-6pm Tour of Historical Harvard and Cambridge
Meeting Point: Maxwell Dworkin Lobby, 33 Oxford St
6pm-8pm Welcome Reception (serving drinks and hors d'oeuvres)
Location: Maxwell Dworkin Lobby, 33 Oxford St

Monday, June 7, 2010

8:15am–9:00am Breakfast and Registration

9:00am–9:15am Conference Opening
Tyler Moore and Allan Friedman

Keynote Address
Tracey Vispoli, Chubb Insurance

10:15am–10:45am Break

Session 1
Data Breaches and Organizational Security

Session Chair: Stuart Schechter

Data Breaches and Identity Theft: When is Mandatory Disclosure Optimal? - Sasha Romanosky, Richard Sharp and Alessandro Acquisti (Carnegie Mellon) [ Paper | Presentation ]

Encryption and Data Loss - Amalia R Miller and Catherine Tucker (MIT) [ Paper | Presentation ]

Market Impact on IT Security Spending - Bora Kolfal, Raymond Patterson and Lisa Yeo (Alberta) [ Paper available by contacting Lisa Yeo | Presentation ]

Outsourcing Information Security: Contracting Issues and Security Implications - Asunur Cezar, Huseyin Cavusoglu, and Srinivasan Raghunathan (UT Dallas and Middle East Technical University) [ Paper | Presentation ]

12:15pm–1:45pm Lunch

Session 2
Privacy and Controversial Social Issues

Session Chair: Rainer Boehme

Is the Internet for Porn? An Insight Into the Online Adult Industry - Gilbert Wondracek, Thorsten Holz, Christian Platzer, Engin Kirda and Christopher Kruegel (TU Vienna, Institute Eurecom and UCSB) [ Paper | Presentation ]

Guns, Privacy, and Crime - Alessandro Acquisti (Carnegie Mellon) and Catherine Tucker (MIT) [ Paper | Presentation ]

Misplaced Confidences: Privacy and the Control Paradox - Laura Brandimarte, Alessandro Acquisti and George Loewenstein (Carnegie Mellon) [ Paper | Presentation ]

A Welfare Analysis of Secondary Use of Personal Data - Nicola Jentzsch (German Institute for Economic Research) [ Paper | Presentation ]

3:15pm–3:45pm Break

Session 3
Empirical Studies

Session Chair: Lawrence Gordon

The password thicket: technical and market failures in human authentication on the web - Joseph Bonneau and Sören Preibusch (Cambridge) [ Paper | Presentation ]

Please Continue to Hold: An empirical study on user tolerance of security delays - Serge Egelman, David Molnar, Nicolas Christin, Alessandro Acquisti, Cormac Herley and Shriram Krishnamurthi (Brown, Microsoft Research and Carnegie Mellon) [ Paper | Presentation ]

Inglourious Installers: Security in the Application Marketplace - Jonathan Anderson, Joseph Bonneau and Frank Stajano (Cambridge) [ Paper ]

5:00pm Adjourn

5:45pm–7:30pm Conference Banquet
Location: Legal Sea Foods, Harvard Square

Tuesday, June 8, 2010

8:15am–9:00am Breakfast and Registration

Session 4
Economic and Policy Considerations for ISPs

Session Chair: Ross Anderson

Might Governments Clean-up Malware? - Richard Clayton (Cambridge) [ Paper | Presentation ]

The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data - Michel van Eeten, Johannes M. Bauer, Hadi Asghari, Shirin Tabatabaie and Dave Rand (TU Delft, Michigan State and Trend Micro) [ Paper | Presentation ]

Security Games in Online Advertising: Can Ads Help Secure the Web? - Nevena Vratonjic, Jean-Pierre Hubaux, Maxim Raya and David Parkes (EPFL and Harvard) [ Paper | Presentation ]

Towards a Cooperative Defense Model Against Network Security Attacks - Harikrishna Narasimhan, Venkatanathan Varadarajan and Pandu Rangan Chandrasekaran (Anna and IIT Madras) [ Paper | Presentation ]

10:00am–10:30am Break

Panel: Policy for Payment System Security

Richard J. Sullivan (Federal Reserve Bank of Kansas City) - The Changing Nature of US Card Payment Fraud: Issues for Industry and Public Policy [ Paper | Presentation ]
Mark MacCarthy (Georgetown) - Information Security Policy in the U.S. Retail Payments Industry [ Paper | Presentation ]
Ross Anderson (Cambridge) [ Presentation ]

Tyler Moore (Harvard)

12:15pm–1:45pm Lunch

Session 5
Scale and the Economics of the Cloud

Session Chair: Rahul Telang

Self Hosting vs. Cloud Hosting: Accounting for the security impact of hosting in the cloud - David Molnar and Stuart Schechter (Microsoft Research) [ Paper ]

Modeling Cyber-Insurance: Towards A Unifying Framework - Rainer Boehme and Galina Schwartz (ICSI Berkeley) [ Paper | Presentation ]

The Plight of the Targeted Attacker in a World of Scale - Cormac Herley (Microsoft Research) [ Paper | Presentation ]

On the Security Economics of Electricity Metering - Ross Anderson and Shailendra Fuloria (Cambridge) [ Paper | Presentation ]

3:15pm–3:45pm Break

Session 6
Open Source and Security Management

Session Chair: Nicolas Christin

An Empirical Analysis of Exploitation Attempts based on Vulnerabilities in Open Source Software - Sam Ransbotham (Boston College) [ Paper | Presentation ]

The Mathematics of Obscurity: On the Trustworthiness of Open Source - Hermann Härtig, Claude-Joachim Hamann and Michael Roitzsch (TU Dresden) [ Paper | Presentation ]

Structured Systems Economics for Security Management - Adam Beautement (UCL) and David Pym (Aberdeen) [ Paper | Presentation ]

Rump Session

Brent Rowe - ISPs as Cybersecurity Providers

Doron Becker - Security as Goodwill?

Mark Felegyhazi - Security Investment with Penetration Testing

Steven Murdoch - Chip and PIN Policy

Tyler Moore - Policy Recommendations for Improving Cybersecurity

Kanta Matsuura - Product-Validation Systems and EIS

Jonathan Anderson - Rewards for Returning Lost Property

Haruo Takasaki - Consumer Acceptance for Secondary Use

Russell Cameron Thomas - Announcements

Joseph Bonneau - Passwords and Intimacy

Debin Liu - Incentive-based Access Control

Steve Borbash - Determining the Difficulty of Security Problems

Roger Dingledine - We Have Data!

6:30pm Adjourn

June 9-11, 2010

11th ACM Conference on Electronic Commerce (separate registration)