
Externalities, lock-in, and public goods

This week, we will continue reading the Tyler Moore paper on the economics of cybersecurity.
For this week, please read section 3.3 to start learning about externalities, which is one of the core ideas in economics that also plays a big role in understanding cybersecurity.

To continue learning about externalities, we will also read most of a chapter of the book Security Engineering by Ross Anderson. The book is a bit dated – its main examples are 20 years old – but it does a good job of describing the basic economic principles, and using them to discuss cybersecurity issues that are now considered to be well-understood but still happening. This book is available online through the UW Library (though you may need to search for “Security Engineering” on the UW Library website and click through before these links work).

Specifically, we will be reading most of Chapter 8. Start by reading sections 8.1, 8.2, and 8.3 (but skip section 8.3.3; we’ll read that next week). These sections will continue to describe concepts around externalities, and also discuss how they apply to technology and the tech industry (e.g. lock-in). Next, jump ahead and read sections 8.6.1 and 8.6.2 to read about two ways that these concepts played out in the cybersecurity industry: why Windows is so insecure (back in 2002) and when to disclose vulnerabilities.

For this week’s summary + question, I want you to 1) try to summarize what an externality is and 2) explain why we need to know that to understand cybersecurity. This is a complicated question, and I expect each person to have a different answer; that’s OK. This is just a first stab, and we will talk through these ideas more in class and work on applying them to real-life situations in future case studies. But for right now, try to summarize your understanding of what an externality is in cybersecurity.

Optional extra reading:

  • If you feel like you don’t understand the ideas from Varian’s paper last week – weakest link vs. best effort vs. total effort – then you can also read section 8.6.3, which is another summary of those ideas.
  • Section 8.6.6 has a bunch of examples of misaligned incentives (the topic from last week) in cybersecurity.