Incentive-Centered Design for Security
July/August 2009 (vol. 7 no. 4)
pp. 80-83
Jeffrey K. MacKie-Mason, University of Michigan
Security problems are incentives problems: we build defenses because people want to do things that (intentionally or inadvertently) cause harm. Yet, much research disregards systematic study of the motivations of smart, responsive, autonomous humans in the loop. Meanwhile, the maturing sciences of motivated behavior offer a growing body of theoretical, statistical, and laboratory evidence on systematic responses to motivations that can be incorporated in the system design toolkit. By adjusting incentives, it's sometimes possible to induce bad guys to stay out, encourage good guys to improve secure practices, and discourage otherwise good guys with system access from becoming delinquent.

Index Terms:
S&P economics, incentive-centered design, information security, economics, security
Citation:
Jeffrey K. MacKie-Mason, "Incentive-Centered Design for Security," IEEE Security & Privacy, vol. 7, no. 4, pp. 80-83, July-Aug. 2009, doi:10.1109/MSP.2009.94