Tales of Lifelong Learning: EconSec101x Economics of Cybersecurity

By Fernando Montenegro (@fsmontenegro)
Sat 07 March 2015 | tags: blog, mooc, education

I’m thrilled to be invited to share my perspective after taking a rather unique MOOC offering - Economics of CyberSecurity, organized by TU Delft. This was a 5-week course covering several aspects of ‘Information Security’ from the perspective of ‘security economics’, which is the discipline that has been evolving since the early 2000s. As someone with quite some time in this industry and with a strong interest in economics, fraud, and data science, this was definitely a ‘kid in the candy store’ kind of opportunity…

The course was part of edX’s first “Professional Education” batch - a series of fee-based courses tailored to professionals. The fee for EconSec was USD 250 (paid out-of-pocket). I think it will be released as a ‘free’ course later this year, but without the certificate credits and such.

I signed up when I first heard about it back in November, and eagerly awaited the start of the course in late January. I watched every lecture, answered the quizzes and wrote the final essay. There were also separate ‘webinars’ in Q&A format, but I only got to watch/participate in one of them (need some more treadmill/commute time to catch up on the others). Weeks rolled by quickly:

  • Week 1 was the introduction, by Ross Anderson. History of the discipline, then straight into economics of information goods. Great content, but not for the faint-hearted: the syllabus mentioned some econ background would help, and Ross wasted no time getting into microecon topics such as marginal costs, price equilibrium, and monopolies. Excellent, but fast-paced.
  • Week 2 discussed metrics and measurement, led by Michel van Eeten and Carlos Gañán. Discussion was a little more theoretical than I had hoped and the examples were a little strained (there was a discussion on Apple’s app store versus Cydia that I think missed the mark). Still, it presented good material on how to look at metrics.
  • Week 3 focused on Security Investment and Management, led by Rainer Böhme. There was a brief discussion on understanding the ecosystem - security providers versus security industry versus security consumers - and then a fast-paced trip through security investment topics, including the Gordon-Loeb model and cyber insurance. Like week 1 and microeconomics, some notion of investment theory, insurance models and statistics was helpful here…
  • Week 4 had Tyler Moore guide us through a revision of ‘market failures’ from week 1, now discussing policy alternatives such as regulation and liability shifts. It touched on a couple of nice case studies around phishing and payment card security.
  • Finally, week 5 had content from Sophie Van Der Zee, David Modic, and a wrap-up by Ross Anderson. The focus for this week was behaviour economics and privacy, with good sessions on Heuristics, Biases, Persuasion, and Privacy. The course wrapped up with a discussion around “what can governments do in the face of market failures?”

Every week we had online quizzes to fill in, optional readings, optional discussions on the forums, an optional webinar (except week 1), and a final peer-reviewed essay to write.

So, how was it? I came to this course as a professional (I work for a security vendor as an SE) looking for content to support better discussions than ‘my product is better than the other one because X’. I think we need to have a better understanding of the economics behind CyberSec so that non-security executives take us more seriously. The whole initiative behind Data Driven Security is, to me, just like EconSec: another aspect of coming to the table with more than ‘you need security because FUD’.

The Good:

  • I was really happy to be able to tie content together between Economics and CyberSecurity. The content from this course is indeed “101”, but it is a step in the right direction.
  • I like the reading lists provided and will follow up on many of them.
  • The course covered a broad spectrum, from the market failures of misaligned incentives for software developers, to the human failures in behavioural econ. Very nice overview of the field, with a consistent message of ‘beware the incentives at play’ throughout.

The Bad:

  • I found the content of the quizzes often didn’t quite line up well with the lectures during the week. Sure, it did require a bit more thinking than what I was used to on other MOOCs, but even then I felt they could have made the linkages a bit clearer. As a side note, one of the quizzes was actually coded wrong, so the ‘correct’ answer was the inverse of what you expected.
  • Also on the quizzes, clicking “show answer” should probably give a little background as to why the answer is right or wrong, not just show a green checkmark next to what you already know the answer to be…

The Ugly:

  • As for the MOOC platform, I have a preference for Coursera over edX. I find the edX UX inefficient, with poor use of screen real estate, horrible subtitle placement and an unwieldy system of navigating course content. This course was no exception.

Was it worth it? While I may be biased by the ‘endowment effect’, I think it was. I was looking for the conceptual bridge between economic theory and typical information/cyber security topics. While there’s a ton more that could be covered, the course was able to do that very well.

Security Economics, as an academic discipline, has a yearly gathering - the Workshop on the Economics of Information Security. The 2015 version happens to be hosted at TU Delft, the same folks that organized this course. Having attended EconSec, do I feel prepared to attend WEIS? Not by a long shot - as a CompSci major, there’s a lot more economics readings in my future before that - but this course was a GREAT step in the right direction.

All in all, the content was good, the experience was OK, the platform was, well… the platform. Will I recommend this to others? YES! If you find yourself trying to see past the vendor content, past the operational noise, past the echo chamber, this course glimpses at a deeper understanding of the Gordian knot that is CyberSecurity.
