<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://www.communities.hp.com/online/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"><channel><title>Research on Security and Identity Management (by Marco Casassa Mont) : WEIS 2008</title><link>http://www.communities.hp.com/online/blogs/mcm/archive/tags/WEIS+2008/default.aspx</link><description>Tags: WEIS 2008</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP1 (Build: 31106.3070)</generator><item><title>WEIS 2008 and “Economics of Identity Management”</title><link>http://www.communities.hp.com/online/blogs/mcm/archive/2008/06/11/weis-2008-and-economics-of-identity-management.aspx</link><pubDate>Tue, 10 Jun 2008 21:47:00 GMT</pubDate><guid isPermaLink="false">964d1d0f-bea0-4201-a2aa-8aa369a35a46:83204</guid><dc:creator>marcocasassamont</dc:creator><slash:comments>0</slash:comments><comments>http://www.communities.hp.com/online/blogs/mcm/archive/2008/06/11/weis-2008-and-economics-of-identity-management.aspx#comments</comments><description>&lt;p class="MsoNormal" style="MARGIN:0pt 30.6pt 0pt 0pt;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;"&gt;&lt;font size="3"&gt;&lt;font face="Times New Roman"&gt;&lt;span style="COLOR:black;"&gt;R&amp;amp;D papers and work presented at the &lt;/span&gt;Workshops on Economics of Information Security&lt;span style="COLOR:black;"&gt; (WEIS) &lt;span style="mso-spacerun:yes;"&gt;&amp;nbsp;&lt;/span&gt;discuss and explore how economic theory and economic analysis can be successfully applied to information security, instead of focusing just on the traditional technology-driven approaches. 
&lt;/span&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;&lt;font size="3"&gt;&lt;font face="Times New Roman"&gt;&lt;span style="COLOR:black;"&gt;&lt;/span&gt;&lt;/font&gt;&lt;/font&gt;&amp;nbsp;&lt;span style="COLOR:black;"&gt;&lt;font size="3"&gt;&lt;font face="Times New Roman"&gt;What are the “Economics of Identity Management”?&lt;span style="mso-spacerun:yes;"&gt;&amp;nbsp; &lt;/span&gt;Something I believe would be worth exploring too, with a scientific approach.&lt;/font&gt;&lt;/font&gt;&lt;/span&gt; 
&lt;p class="MsoNormal" style="MARGIN:0pt;"&gt;&lt;span style="mso-ansi-language:EN-US;"&gt;&lt;font face="Times New Roman" size="3"&gt;&lt;/font&gt;&lt;/span&gt;&amp;nbsp;&lt;/p&gt;&lt;span style="mso-ansi-language:EN-US;"&gt;&lt;font face="Times New Roman" size="3"&gt;The &lt;/font&gt;&lt;a href="http://weis2008.econinfosec.org/index.htm"&gt;&lt;font face="Times New Roman" size="3"&gt;7&lt;sup&gt;th&lt;/sup&gt; workshop on Economics of Information Security - WEIS 2008&lt;/font&gt;&lt;/a&gt;&lt;font size="3"&gt;&lt;font face="Times New Roman"&gt; is going to take place in Hanover, HN, June 25-28, 2008: &lt;/font&gt;&lt;/font&gt;&lt;/span&gt;
&lt;p class="MsoNormal" style="MARGIN:0pt 30.6pt 0pt 0pt;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;"&gt;&lt;span style="COLOR:black;"&gt;&lt;font size="3"&gt;&lt;font face="Times New Roman"&gt;&lt;/font&gt;&lt;/font&gt;&lt;/span&gt;&amp;nbsp;&lt;/p&gt;&lt;span style="COLOR:black;"&gt;&lt;font size="3"&gt;&lt;font face="Times New Roman"&gt;“Information security requires not only technology, but a clear understanding of risks, decision-making behaviors and metrics for evaluating business and policy options. How much should we spend on security? What incentives really drive privacy decisions? What are the trade-offs that individuals, firms, and governments face when allocating resources to protect data assets? Are there good ways to distribute risks and align goals when securing information systems?&lt;/font&gt;&lt;/font&gt;&lt;/span&gt; 
&lt;p class="MsoNormal" style="MARGIN:0pt 30.6pt 0pt 0pt;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;"&gt;&lt;span style="COLOR:black;"&gt;&lt;font size="3"&gt;&lt;font face="Times New Roman"&gt;&lt;/font&gt;&lt;/font&gt;&lt;/span&gt;&amp;nbsp;&lt;/p&gt;&lt;span style="COLOR:black;"&gt;&lt;font size="3"&gt;&lt;font face="Times New Roman"&gt;The 2008 Workshop on the Economics of Information Security, the seventh workshop, will build on a strong and growing interdisciplinary tradition, bringing together information technology academics and practitioners with social scientists and business and legal scholars to better understand security and privacy threats. Until recently, research in security and dependability focused almost exclusively on technical factors, rather than incentives. However, we know that economic, behavioral, and legal factors often contribute as much as technology to the dependability of information and information systems. The application of economic analysis to these problems has proven to be an exciting and fruitful area of research.”&lt;/font&gt;&lt;/font&gt;&lt;/span&gt; 
&lt;p class="MsoNormal" style="MARGIN:0pt;"&gt;&lt;span style="mso-ansi-language:EN-US;"&gt;&lt;font size="3"&gt;&lt;font face="Times New Roman"&gt;&lt;/font&gt;&lt;/font&gt;&lt;/span&gt;&amp;nbsp;&lt;/p&gt;&lt;span style="mso-ansi-language:EN-US;"&gt;&lt;font size="3"&gt;&lt;font face="Times New Roman"&gt;Most of the above points also apply to the “Identity Management” field. An opportunity to contribute.&lt;/font&gt;&lt;/font&gt;&lt;/span&gt;&lt;span style="mso-ansi-language:EN-US;"&gt;&lt;font face="Times New Roman" size="3"&gt;&amp;nbsp;&lt;/font&gt;&lt;/span&gt; 
&lt;p class="MsoNormal" style="MARGIN:0pt;"&gt;&lt;font face="Times New Roman" size="3"&gt;--- NOTE:&lt;span style="mso-spacerun:yes;"&gt;&amp;nbsp; &lt;/span&gt;use this &lt;/font&gt;&lt;a href="http://research-on-identitymanagement.blogspot.com/"&gt;&lt;font face="Times New Roman" size="3"&gt;mirror blog&lt;/font&gt;&lt;/a&gt;&lt;font face="Times New Roman" size="3"&gt; if you prefer posting on an external blog site &lt;span style="mso-spacerun:yes;"&gt;&amp;nbsp;&lt;/span&gt;---&lt;/font&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.communities.hp.com/online/aggbug.aspx?PostID=83204" width="1" height="1"&gt;</description><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/WEIS+2008/default.aspx">WEIS 2008</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Economics+of+Identity+Management/default.aspx">Economics of Identity Management</category></item><item><title>Data Breach Disclosure Laws Are Not so Effective in Reducing Identity Theft …</title><link>http://www.communities.hp.com/online/blogs/mcm/archive/2008/06/07/data-breach-disclosure-laws-are-not-so-effective-in-reducing-identity-theft.aspx</link><pubDate>Fri, 06 Jun 2008 17:11:00 GMT</pubDate><guid isPermaLink="false">964d1d0f-bea0-4201-a2aa-8aa369a35a46:83164</guid><dc:creator>marcocasassamont</dc:creator><slash:comments>0</slash:comments><comments>http://www.communities.hp.com/online/blogs/mcm/archive/2008/06/07/data-breach-disclosure-laws-are-not-so-effective-in-reducing-identity-theft.aspx#comments</comments><description>&lt;span style="mso-ansi-language:EN-US;"&gt;&lt;font face="Times New Roman" size="3"&gt;This is the message I got from a very interesting paper, titled “Do Data Breach Disclosure Laws Reduce Identity Theft?” (Authors: Sasha Romanosky, Rahul Telang, Alessandro Acquisti), that is going to be presented at the &lt;/font&gt;&lt;a href="http://weis2008.econinfosec.org/index.htm"&gt;&lt;font 
face="Times New Roman" size="3"&gt;7&lt;sup&gt;th&lt;/sup&gt; workshop on Economics of Information Security - WEIS 2008&lt;/font&gt;&lt;/a&gt;&lt;font size="3"&gt;&lt;font face="Times New Roman"&gt;, Hanover, HN, June 25-28, 2008.&lt;/font&gt;&lt;/font&gt;&lt;/span&gt;&lt;span style="mso-ansi-language:EN-US;"&gt;&lt;font face="Times New Roman" size="3"&gt;&amp;nbsp;&lt;/font&gt;&lt;/span&gt; 
&lt;p class="MsoNormal" style="MARGIN:0pt;"&gt;&lt;font size="3"&gt;&lt;font face="Times New Roman"&gt;&lt;span style="mso-ansi-language:EN-US;"&gt;Based on their current studies, the authors found “&lt;/span&gt;no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce”. The full abstract of a &lt;/font&gt;&lt;/font&gt;&lt;a href="http://weis2008.econinfosec.org/papers/Romanosky.pdf"&gt;&lt;font face="Times New Roman" size="3"&gt;draft version of their paper&lt;/font&gt;&lt;/a&gt;&lt;font face="Times New Roman" size="3"&gt; (accessible online) follows:&lt;/font&gt;&lt;/p&gt;&lt;span style="mso-ansi-language:EN-US;"&gt;&lt;font face="Times New Roman" size="3"&gt;&amp;nbsp;&lt;/font&gt;&lt;/span&gt; 
&lt;p class="MsoNormal" style="MARGIN:0pt;mso-layout-grid-align:none;"&gt;&lt;font face="Times New Roman" size="3"&gt;“Identity theft resulted in corporate and consumer losses of $56 billion dollars in 2005, with about 30% of known identity thefts caused by corporate data breaches. Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce losses, their full effects have yet to be empirically measured.&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN:0pt;mso-layout-grid-align:none;"&gt;&lt;font face="Times New Roman" size="3"&gt;We use panel from the US Federal Trade Commission with state and time fixed-effects regression to estimate the impact of data breach disclosure laws on identity theft over the years 2002 to 2006. We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices.”&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN:0pt;mso-layout-grid-align:none;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN:0pt;"&gt;&lt;font face="Times New Roman" size="3"&gt;--- NOTE:&lt;span style="mso-spacerun:yes;"&gt;&amp;nbsp; &lt;/span&gt;use this &lt;/font&gt;&lt;a href="http://research-on-identitymanagement.blogspot.com/"&gt;&lt;font face="Times New Roman" size="3"&gt;mirror blog&lt;/font&gt;&lt;/a&gt;&lt;font face="Times New Roman" size="3"&gt; if you prefer posting on an external blog site &lt;span style="mso-spacerun:yes;"&gt;&amp;nbsp;&lt;/span&gt;---&lt;/font&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.communities.hp.com/online/aggbug.aspx?PostID=83164" width="1" height="1"&gt;</description><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Identity+Theft/default.aspx">Identity Theft</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Data+Breach+Disclosure+Laws/default.aspx">Data Breach Disclosure Laws</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/WEIS+2008/default.aspx">WEIS 2008</category></item></channel></rss>