Economics of cybersecurity and data privacy

Dr. Biczók Gergely

As evidenced in the last 10-15 years, cybersecurity is not a purely technical discipline. Decision-makers, whether sitting at security providers (IT companies), security demanders (everyone using IT) or the security industry, are mostly driven by economic incentives. Understanding these incentives is vital for designing systems that are secure in real-life scenarios [1]. Parallel to this, data privacy has also shown the same characteristics: proper economic incentives and controls are needed to design systems where sharing data is beneficial to both data subject and data controller. An extreme example of a flawed attempt at such a design is the Cambridge Analytica case [2].
The prospective student will identify a cybersecurity or data privacy economics problem, and use elements of game theory and other domain-specific techniques and software tools to transform the problem into a model and to propose a solution. Potential topics include: 


  • CPSFlipIt: attacker-defender dynamics in cyber-physical systems
  • Incentives in secure software development: why should programmers have proper security training?
  • Interdependent privacy: modeling inference with probabilistic graphical models
  • Interdependent privacy through the eyes of insurance policy
  • BYOT: Bring Your Own Topic!

Required skills: model thinking, good command of English
Preferred skills: basic knowledge of game theory, basic programming skills (e.g., Python, MATLAB, NetLogo)


[1] Anderson, Ross, and Moore, Tyler. "The Economics of Information Security." Science 314.5799 (2006): 610-613.
[2] Symeonidis, Iraklis, and Biczók, Gergely. "Interdependent privacy in effect: the collateral damage of third-party apps on Facebook." CrySyS Blog.