CONCLUSION
In this chapter we have seen that the economics of cybersecurity is a powerful tool to analyze security failures. By surveying the literature, we looked at the incentives of software vendors, organizations, end users, Internet intermediaries and attackers; where they align and produce security; and where the market fails.
We highlighted the role of Internet intermediaries in securing the ecosystem. We then listed policy interventions proposed to address market failures. We further saw that the empirical evidence on policies is not always clear. In part, this is due to measurement difficulties, because aggregate outcomes are unclear, and because the responses of the dynamic system in which cybercrime develops are difficult to anticipate. For example, in the technology race between attackers and defenders, tightened security may eventually lead to even more malicious forms of intrusion.
In the end, focusing on incentives rather than the technology helps to understand trade-offs and develop sound cybersecurity policy. Given the dynamic nature of cybersecurity, all the issues discussed in this chapter are the subject of ongoing research. Among emerging topics are security on mobile communications platforms, in the cloud, in the Internet of Things (IoT) and the industrial Internet, user behavior and education across life stages, the establishment of better national and international governance frameworks for security, and the development of better and more reliable metrics.
NOTES
1. In addition to WEIS, proceedings of USENIX Security, IEEE S&P, ACM CCS, SOUPS were perused. Key journals that were reviewed in detail included IEEE Security & Privacy, Communications of the ACM, Telecommunications Policy, and Information Systems Research. Key search terms for other journals included ‘economics, security’ and ‘internet, security’.
2. Due to the scope of this chapter, we will not delve further into these topics. The interested reader is referred to works presented at the annual Symposium on Usable Privacy and Security (SOUPS).
3. These debates are all important for the Internet economy and a number of them are looked at explicitly in other chapters of this Handbook; we retain our focus on cybersecurity.
4. In the USA these safeguards were contained in the safe harbor provision of the Digital Millennium Copyright Act (DMCA) of 1998. While US ISPs were reclassified as common carriers early in 2015 (see Federal Communications Commission, In the Matter of Protecting and Promoting the Open Internet, GN Docket No. 14-28, adopted 26 February 2015), they are subject to similar protections under common carrier law. In the European Union, such protections are contained in the ‘mere conduit’ provision of the Electronic Commerce Directive.
5. Much research has been done into the technical aspects of online fraud, including analyzing malware, detecting fraudulent transactions and reverse engineering banking protocols. These topics touch upon economics but fall outside our scope. Cryptocurrency is another topic that has received much attention in the literature due to its technical, economic and regulatory aspects. The interested reader is referred to the conferences of the International Financial Cryptography Association (IFCA).