Thursday January 18, 2007

8:00 - 8:30 Breakfast and Registration (DIMACS Lounge)

8:30 - 9:00 Welcome and Opening Remarks
    Fred Roberts, DIMACS Director
  Introductions
    Jean Camp, Indiana University
    Alessandro Acquisti, Carnegie Mellon University

9:00 - 10:20 Session 1: The Economic Perspective
  Internet Security, Vulnerability Disclosure, & Software Provision
    Neil Gandal, University of Tel Aviv
  Privacy, Incentives, & Contractual Efficiency in the Market for Consumer Software
    Jens Grossklags, UC Berkeley
  Perspectives from Microeconomic Theory and Game Theory
    Beth Allen, University of Minnesota
  Incentive-Centered Design for Information Security
    Rick Wash and Jeff Mackie-Mason, University of Michigan

10:20 - 10:50 Break

10:50 - 12:10 Session 2: Engineering & Psychology
  Routing Security Economics
    Stephen Bellovin, Columbia University
  Security Engineering & Economics
    Ross Anderson and Tyler Moore, Cambridge University
  The Psychology of Security
    Bruce Schneier, BT Counterpane
  Privacy Engineering
    Lorrie Cranor, Carnegie Mellon University and Sarah Spiekermann, Humboldt University

12:10 - 1:30 Lunch (DIMACS Lounge)

1:30 - 2:50 Session 3: Policy and Law
  Surveillance of Emergent Associations: Freedom of Association in a Network Society
    Katherine J. Strandburg, DePaul University
  Notice of Security Breaches as a Lightweight Regulation
    Deirdre Mulligan, UC Berkeley
  Security Through Obscurity: When It Works & When It Doesn't
    Peter Swire, Ohio State University
  Data Policy Violations
    Dan Geer, Verdasys

2:50 - 3:20 Break

3:20 - 4:40 Breakout 1
  Goal: Define core of research agenda.
  Find common interests, & determine common priorities. Search for useful overlaps, & discuss various methodological strengths & weaknesses. Is there a common definition of security? Enumerate the metrics, tests of validity, & implications for each other's work.

4:40 - 5:30 Breakout Reports

6:30 Workshop Banquet
  Dinner at: SOHO ON GEORGE - 335 George Street - New Brunswick, New Jersey
  with thanks to I3P: The Institute for Information Infrastructure Protection

Friday January 19, 2007

8:30 - 9:00 Breakfast and Registration (DIMACS Lounge)

9:00 - 10:20 Session 4: Business Applications
  Vulnerability Hunters: Surveying Participants in a Poorly Understood Labor Market
    Stuart Schechter, MIT Lincoln Laboratories and Andy Ozment, Cambridge University
  Modeling & Economics of IT Risk Management & Insurance
    Stephanos Griztalis and Costas Lambrinoudakis, University of the Aegean
  Models & Measures for Correlation in Cyber-Insurance
    Gaurav Kataria, Carnegie Mellon University and Rainer Böhme, University of Dresden
  Linking the Economics of Cyber Security & Corporate Reputation
    Barry Horowitz, University of Virginia

10:20 - 10:50 Break

10:50 - 12:10 Session 5: Case Studies
  Information Security & IT Risk Management in the Real World: Results from Field Studies
    Scott Dynes, Dartmouth College
  Competing with Free: The Impact of Movie Broadcasts on DVD Sales & Internet Piracy
    Michael Smith and Rahul Telang, Carnegie Mellon University
  Fuzzy MLS: An Experiment on Quantified Risk-Adaptive Access Control
    Pau-Chen Chen, Pankaj Rohatgi and Claudia Keser, IBM
  Countermeasures Against Government-Scale Monetary Forgeries
    Nicolas Christin, Carnegie Mellon University

12:10 - 1:30 Lunch (DIMACS Lounge)

1:30 - 2:50 Session 6: Systems
  Valet Services: Improving Hidden Servers with a Personal Touch
    Paul Syverson, NRL
  Anonymity Services & Tor
    Roger Dingledine, Tor
  Designing Review Ranking Systems: Combining Economics with Opinion Mining
    Anindya Ghose, New York University
  Network Formation, Sybil Attacks & Reputation Systems
    George Danezis, University of Leuven

2:50 - 3:20 Break

3:20 - 4:40 Breakout 2
  Goal: Coordination
  Can we better serve our own ends? For example, do the assumptions in economics enable better design? Does the work in computer science inform law? Make explicit some implicit assumptions about information security economics that have hindered cross-disciplinary work. While the previous breakout focuses on goals and metrics, this should focus on methods.

4:40 - 5:30 Concluding Session: Abbreviated Breakout Reports
  Presentation of the set of questions to be discussed and follow-up for the creation of the workshop report.