InternetPerils   InternetPerils
What's New
All About Risk
My Account

Risk Resource Reading

InternetPerils provides links to interesting events, papers and to specific materials which are related to Internet risk.

The Perilocity Blog, written by John S. Quarterman, provides commentary on many current risk management issues.

Please check back periodically for new links.

  •   “ You can’t just fix security. Security is a process, most of which is about knowing what’s going on. Detection is more important than prevention.”
    Detection is much more important than prevention –Bruce Schneier
    John S. Quarterman

    25 July 2013

  •   “All organizations and individuals have an opportunity to be part of the process and contribute to the development of the Cybersecurity Framework. Please send us your notes, observations, suggestions, and other information to”
    Update on the Development of the Cybersecurity Framework
    CEAS 2010: Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
    working paper
    Volume 10, Issue 6
    Cambridge, Massachusetts, USA

    24 July 2013

  •   “The general presumption in the literature, based on intuitive arguments or analysis of symmetric networks, is that because security investments create positive externalities on other agents, there will be underinvestment in security. We show that this reasoning is incomplete because of a first-order economic force: security investments are also strategic substitutes.”
    Network Security and Contagion
    Daron Acemoglu and Azarakhsh Malekian and Asuman E. Ozdaglar
    CEAS 2010: Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
    ERN MIT Economics Department Working Paper Series
    Volume 10, Issue 6
    Cambridge, Massachusetts, USA

    18 July 2013

  •   “Cybersecurity is a national priority in this big data era. Because of negative externalities and the resulting lack of economic incentives, companies often underinvest in security controls, despite government and industry recommendations. Although many existing studies on security have explored technical solutions, only a few have looked at the economic motivations.”
    Improving Internet Security Through Social Information and Social Comparison: A Field Quasi-Experiment
    Qian Tang and Leigh Linden and John S. Quarterman and Andrew B. Whinston
    WEIS 2013
    Georgetown University, Washington DC

    11 June 2013

  •   “A 35-year-old Dutchman thought to be responsible for launching what’s been called “the largest publicly announced online attack in the history of the Internet” was arrested in Barcelona on Thursday (April 11) by Spanish authorities.”
    Dutchman Arrested in Spamhaus DDoS
    Brian Krebs
    Krebs on Security
    Volume 3, Issue 2, Pages 3:1-3:23
    National Research Council

    26 April 2013

  •   “If you are an information security professional, you must read this report. Don’t make decisions based on news articles, this post, or any other secondary analysis. It’s a quick read, and well worth your time, even if you only skim it.”
    How to Use the 2013 Verizon Data Breach Investigations Report
    Volume 20, Issue 3, Pages 121-139

    22 April 2013

  •   “ Lack of transparency lets organizations avoid addressing internal risks, leaving vulnerabilities that are exploited by botnets, threatening information security of other Internet participants. Their protection provides no economic benefit to the firm, so this negative externality causes underinvestment in infosec. Public policy could provide a partial solution by adding incentives for organizations to have well-configured infosec.”
    Public Policy for Internet Security
    John S. Quarterman and Qian Tang and Andrew B. Whinston
    TPRC 2012
    Volume 3, Issue 2, Pages 3:1-3:23
    Arlington, VA

    22 September 2012

  •   “The rankings did not cause that medical organization to fix the problem, but the rankings do provide additional incentives, which is the point of the rankings.”

    The Big Medical Drop in
    John S. Quarterman

    14 August 2012

  •   “What is the distribution of usage across the subscriber population? What is the distribution of usage during peak periods across the subscriber population? What do daily traffic patterns look like? What is the long-term behavior of subscribers that occasionally appear in the tails of the usage distribution? How good are various heuristics (such as total traffic over a month) at approximating contributions to peak time periods? How much is per-subscriber traffic growing yearly?”
    A Data Driven Exploration of Broadband Traffic Issues: Growth, Management, and Policy
    Steven Bauer and David D. Clark and William Lehr
    TPRC 2012
    Volume 1, Issue 4, Page 45-68
    Arlington, VA

    26 March 2012

  •   “The 13 October 2011 SEC guidance, CF Disclosure Guidance: Topic No. 2: Cybersecurity, leaves most of the decision of what sort of breaches are significant enough to disclose up to the affected organizations.”
    SEC moving towards breach disclosure requirement?
    John S. Quarterman
    Securities and Exchange Commission

    6 February 2012

  •   “Connected organizations become part of entire networks, and are subject to threats from the entire network; but members’ security profile information is private, members lack incentives to min- imize impact on peers and are not accountable.”
    Economic Mechanism to Manage Operational Security Risks for Inter-Organizational Information Systems
    F. Fang and M. Parameswaran and X. Zhao and A.B. Whinston
    DSI 2011
    Volume 10, Issue 6
    Boston, Massachusetts, USA
    Decision Sciences Institute

    20 November 2011

  •   “Many governments have established public-private partnerships to manage critical infrastructure protection, one element of which is telecommunications. However, in New Zealand these collaborative efforts have had limited success and the rapid increase in use of the Internet to support both society and commerce has led to the need for a more specific focus in this area. While regulation is an effective means of forcing action by industry, it can lead to significant unintended consequences and undesirable behaviours. This article explores how governments can have confidence in the safety and protection of their critical national infrastructures through a model of assured public-private partnership that is based on an incentivised adoption approach to drive optimal outcomes within the New Zealand context.”
    A Public-Private Partnership Model for National Cybersecurity
    Malcolm Shore and Yi Du and Sherali Zeadally
    Policy & Internet
    Volume 3, Issue 2, Pages 3:1-3:23
    Policy Studies Organization

    6 November 2011

  •   “Breaches of the ethics, confidence and trust that are embedded in the information society give rise to a range of risks that are of concern to individuals, industry and public administration.”
    Public Policy Responses to Cybercrime
    Stefan Fafinski
    Policy & Internet
    Volume 3, Issue 2, Pages 3:1-3:23
    Policy Studies Organization

    6 November 2011

  •   “Organizations don’t want poor infosec to affect their reputation, so they don’t divulge that information. Fortunately, anti-spam blocklists collect outbound spam data for every organization on the Internet. Outbound spam indicates botnets, botnets indicate vulnerabilities, and vulnerabilities indicate susceptibility to other malware, including phishing, DDoS, and other malware. ”
    Rustock Botnet and ASNs
    John S. Quarterman and Serpil Sayin and Andrew B. Whinston
    TPRC 2011
    Social Science Research Network
    Volume 3, Issue 2, Pages 3:1-3:23
    Arlington, VA

    24 September 2011

  •   “While Wright's academic credentials are impressive, he loses a lot of credibility with his opening sentence which claims that the CIA website was hacked, and that it, plus the IMF and Citibank attacks have pushed us to the brink of "cyberwar". Frankly, anyone who thinks that a website that suffered a Denial of Service attack has been "hacked" has no business writing about cyber-anything let alone something as emotionally charged and least understood as "cyberwar".”
    Thomas Wright Falsely Claims U.S. Double Standard In Cyber Warfare
    Jeffrey Carr
    27 June 2011

  •   “Spam has clearly emerged as a bane of the digital age. These days, a typical user receives somewhere in the neighborhood of 300 spam messages per month. Worse, these missives—fraught with malware and phishing schemes—potentially wreak havoc with computers.”
    How Much Spam Does Your Company Unknowingly Send?
    Samuel Greengard
    Volume 3, Issue 2, Pages 3:1-3:23

    20 June 2011

  •   “Today, as nations and peoples harness the networks that are all around us, we have a choice. We can either work together to realize their potential for greater proseperity and security, or we can succumb to the narrow intersets and undue fears that limit progress. Cyber security is not an end unto itself; it is instead an obligation that our governments and societies must take on willingly, to ensure that innovation continues to flourish, drive markets, and improve lives.”
    International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World
    The White House
    27 May 2011

  •   “Attackers compromise web servers in order to host fraudulent content, such as malware and phishing websites. While the techniques used to compromise websites are widely discussed and categorized, analysis of the methods used by attackers to identify targets has remained anecdotal.”
    The Impact of Public Information on Phishing Attack and Defense
    Tyler MOORE and Richard CLAYTON
    Communications & Strategies
    Volume 1, Issue 4, Page 45-68

    1st quarter 2011

  •   “This study investigates the search behavior that drives the search for information security knowledge via a search engine. Based on theories in information search and information security behavior we examine the effects of network attacks and vulnerability disclosures on search for information security knowledge by ordinary users.”
    Drivers of information security search behavior: An investigation of network attacks and vulnerability disclosures
    Wang, Jingguo and Xiao, Nan and Rao, H. Raghav
    ACM Trans. Manage. Inf. Syst.
    Volume 1, Issue 1, Pages 3:1-3:23

    6 December 2010

  •   “Information security is a fundamental concern for corporations operating in today’s digital economy. The number of firms disclosing items concerning their information security on reports filed with the U.S. Securities and Exchange Commission (SEC) has increased in recent years. A question then arises as to whether or not there is value to the voluntary disclosures concerning information security.”
    Market Value of Voluntary Disclosures Concerning Information Security
    Lawrence A. Gordon and Martin P. Loeb and Tashfeen Sohail
    MIS Quarterly
    Volume 34, Issue 3, Pages 567-A2, 30p

    29 September 2010

  •   “From a criminals perspective, targeting 3rd party programs proves to be a rewarding path, and will remain so for an extended period of time.”
    The security of end-user PCs an empirical analysis
    Stefan Frei
    DDCSW: Collaborative Data-Driven Security for High Performance Networks
    Human Relations
    Volume 7, Issue 4, Pages 117-140
    WUSTL, St. Louis, Missouri, USA

    17 August 2010

  •   “Botnets – networks of machines infected with malicious software – are widely regarded as a critical security threat. Measures that directly address the end users who own the infected machines are useful, but have proven insufficient to reduce the overall problem.”
    The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data
    Michel van Eeten and Johannes M. Bauer and Hadi Asghari and Shirin Tabatabaie and Dave Rand
    OECD Science, Technology and Industry Working Papers,
    OECD Publishing.


  •   “We conclude by recommending that the defenders of phishing attacks start co-operatively sharing all of their data about phishing URLs with each other.”
    The Consequence of Non-Cooperation in the Fight Against Phishing.
    Tyler Moore and Richard Clayton
    Third APWG eCrime Researchers Summit
    Communications & Strategies
    Volume 1, Issue 4, Page 45-68
    Atlanta, GA

    15-16 1st quart 2008

  •   “Malicious software, or malware for short, has become a critical security threat to all who rely on the Internet for their daily business, whether they are large organisations or home users. While originating in criminal behaviour, the magnitude and impact of the malware threat are also influenced by the decisions and behaviour of legitimate market players such as Internet Service Providers (ISPs), software vendors, e- commerce companies, hardware manufacturers, registrars and, last but not least, end users.”
    Economics of Malware: Security Decisions, Incentives and Externalities
    Michel J.G. van Eeten and Johannes M. Bauer
    Volume 1, Issue 4, Pages 55-69

    29 May 2008

  •   “As distributed systems are assembled from machines belonging to principals with divergent interests, we find that incentives are becoming as important as technical design in achieving dependability.”
    The economics of information security
    Ross Anderson and Tyler Moore
    Workshop on Economics and Information Security (WEIS)
    Volume 314, Issue 6, Pages 610-613

    25 July 2006

  •   “The US federal government has fostered a movement toward sharing information concerning computer security, with particular emphasis on protecting critical infrastructure assets that are largely owned by the private sector. As information security is paramount to accurate financial reporting and the provision of timely and relevant managerial accounting reports for decision-making, the issue of sharing information on computer systems security has direct relevance to accounting, as well as to public policy. ”
    Sharing information on computer systems security: An economic analysis
    Lawrence A. Gordon and Martin P. Loeb and William Lucyshyn
    Journal of Accounting Public Policy
    Volume 22, Issue 6, Pages 55-69


  •   “...information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.”
    Why information security is hard: An economic perspective
    Ross Anderson
    Workshop on Economics and Information Security (WEIS)
    Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC)
    Volume 21, Issue 6, Pages 55-70

    25 July 2001

  •   “Social comparison processes include the desire to affiliate with others, the desire for information about others, and explicit self-evaluation against others...We present evidence that in certain groups under threat, these comparison activities diverge, with explicit self-evaluation made againast a less fortunate target (downward evaluation), but information and affilliation sought out from more fortunate others (upward contacts).”
    Social comparison activity under threat: downward evaluation and upward contacts
    Shirley E. Taylor and Marci Lobel
    Psychological Review
    Volume 96, Issue 4, Pages 424-444

    14 July 1989


  • John S. Quarterman's new Risk Management book
    Risk Management Solutions for Sarbanes-Oxley Section 404
    John S. Quarterman
    PR of 1 February 2006

  •   Cringely's fed up with phishing.
    Phish or Phisher? It Is Time to Put Phishing Scams Out of Business
    Robert X. Cringely
    26 May 2005

  •   “Another undersea cable running to the Cayman Islands might have minimized the downtime, but at some point, the expense becomes greater than the risk, or at least greater than the cost of insurance for the risk. On the Internet, physical risks such as hurricanes, floods and earthquakes are not the only force majeure risks, and not the most economically significant ones.”
    Rethinking Internet Risk Management
    John S. Quarterman
    Phone+ Magazine
    December 2004

  •   Performance, reliability, and availability are key: ``Seventy-three percent of respondents said service quality/reliability was the most important criteria in selecting an Internet service provider. Sixty-nine percent selected price. Twenty-one percent of respondents selected company reputation, knowledgeable customer service staff, and availability at multiple locations/national footprint.''
    Despite Price Erosion, Business Internet Access Service Revenues Continue to Grow
    Daryl Schoolar, Kirsten Fischer
    September 27, 2004

  •   ``Rep. Adam Putnam, R-Fla., chairman of the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. "Make no mistake. The threat is serious. The vulnerabilities are extensive. And the time for action is now." Putnam said vulnerability management improvement should focus on prevention, detection and response.''
    Top administration cybersecurity officials face scrutiny
    William New DAILY BRIEFING
    June 2, 2004

  •   ``Worms represent a substantial economic threat to the U.S. computing infrastructure. An important question is how much damage might be caused, as this figure can serve as a guide to evaluating how much to spend on defenses. We construct a parameterized worst-case analysis based on a simple damage model, combined with our understanding of what an attack could accomplish. Although our estimates are at best approximations, we speculate that a plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely-used services in Microsoft Windows and carrying a highly destructive payload.''
    A Worst-Case Worm
    Nicholas Weaver, Vern Paxson
    The Third Annual Workshop on Economics and Information Security (WEIS04)
    May 13-14, 2004
    University of Minnesota
    Digital Technology Center

    May 5, 2004

  •   ``Out of 162 companies contacted, 84 percent said their business operations have been disrupted and disabled by Internet security events during the last three years. Though the average rate of business operations disruption was one incident per year, about 15 percent of the surveyed companies said their operations had been halted and disabled more than seven times over a three-year period. The portends for enterprises are alarming, given the increased use of the Internet for core business activities. ...''
    The attack of the $2 million worm
    Copyright 2004
    July 6, 2004

  •   “‘The bigger the prey, the juicier it is’ for the predator, Geer said during yesterday's debate with Microsoft Chief Trustworthy Computing Strategist Scott Charney at the USENIX technical conference in Boston.”
    Geer, Charney debate threat of 'monoculture'
    Bill Brenner
    1 July 2004
    Search Security
    1 July 2004

  •   More than 30 per cent of Australia's banks are unprepared for a significant disruption to their IT systems, such as a serious virus or act of terror.
    Banks' crisis plans weak: survey
    David Adams
    Copyright 2004
    The Age
    June 1, 2004

  •   Despite increasing dependence on e-mail and the Internet, only a small percentage of businesses have cyber-liability cover. David Walsh examines why this insurance market has fallen short of predictions for growth.
    Cyber-Liability; Down the wire
    David Walsh, Managing Director CFC Underwriting
    Copyright 2004 Timothy Benn Publishing Limited
    Post Magazine
    April 29, 2004
  •   “Too much work and prestige has already been invested in Basel II and too high are the expectations that have been aroused in the financial services risk the project being abandoned,” the head of Switzerland's Federal Banking Commission, Daniel Zuberbuehler, told a news conference.
    New banking rules should not be delayed, Swiss say
    Press Release
    April 29, 2004
  •   Lord Levene, Chairman of Lloyd's, addressed US business leaders about new global risks that threaten corporations. Lord Levene called for business leaders to:
    Raise risk awareness to the boardroom; and
    Respond actively to the changing risk environment, including risks associated with business interruption and intellectual property
    Lloyd's Chairman outlines new era of risk to World Affairs Council
    Press Release
    April 21, 2004
  •   Big company CEOs, who a few months ago didn't think Internet risk was worthy of attention, after the blackout, the worms, and the Microsoft code release, now think they face a $100B risk.
    Silently preparing for the $100 billion cyber-catastrophe risk
    News Alert
    February 16, 2004
  •   Cataclysms and survivability: insurance would help.
    “Utilities, transportation and petrochemical businesses are interconnecting their previously isolated networks with Internet facilities, says William Hancock, chairman of the Internet Security Alliance, leaving vital infrastructures vulnerable.”
    The Next Big Network-Security Fiasco
    Vincent Ryan
    Enterprise Security Today
    February 5, 2004
  •   Robert Lemos looks at network security and monoculture.
    “In studying the effects of last summer's MSBlast worm, some security experts turned to an unlikely source in search of clues to the prevention of computer epidemics: plants.”
    Seeds of Destruction
    Robert Lemos
    January 15, 2004
  •   David O'Neill writes on Insurance Policies and E-business
    “When you depend on others for your business success, you can't always control the problems,...”
    Insurance Policies Expand to Cover E-Business Risks
    David O'Neill
    Sheshunoff Information Services
    June 2003
  •   Back in February 2001, Bruce Schneier wrote:
    “Sooner or later, the insurance industry will sell everyone antihacking policies.”
    SCHNEIER ON SECURITY: The Insurance Takeover
    Bruce Schneier.
    Information Security,
    February 2001
  •   Dan Geer's seminal speech of 5 years ago this month:
    ``Every financial firm of any substance has a formal Risk Management Department that consumes a lion's share of the corporate IT budget. ... The impact of Moore's Law on the financial world is inestimable -- computing has made that world rich because it has enabled risk packaging to grow ever more precise, ever more real-time, ever more differentiated, ever more manageable. ... I know I have often wondered if my market might not explode were I to get just one of the big loss-prevention insurers to make good security practices and technology into an underwriting standard. Then, just like "Do you have sprinklers?" everyone is forced to confront whether they want to pay for security or pay for non-security.''
    Risk Management is Where the Money Is
    Daniel E. Geer, Jr., Sc.D.
    Digital Commerce Society of Boston,
    3 November 1998
  •   The problems of risk management, banking, and the insurance industry were presciently described in an article by Prof. Hal Varian of the University of California, Berkeley, in June, 2000.
    Managing Online Security Risks
    Hal R. Varian
    The New York Times
    June 1, 2000
  •   The 14 August 2003 power outage in the NE US and Ontario is not the sole electrical supply problem. In October 2003, several power transmission line towers in Oregon and Northern California were sabotaged.
    Transmission Towers Sabotaged in Oregon
    Alex Breitler
    Redding [CA] Record
    25 October 2003
  •   ISS' X-Force has tracked the increasing number of new Internet vulnerabilities and old and new techniques. They reveal that merely patching will not suffice.
    ISS Xforce Alerts and Advisories Archive
    X-Force Global Threat Operations Center
    Internet Security Systems
  •   RAND Report on Internet risk management, with analogies of electric utilities as public/private collaboration and fire insurance with inspections and sprinklers to reduce premiums, and product liability as a key to enabling insurance against IT failures.
    Rewarding IT Security in the Marketplace
    Walter S. Baer, The RAND Corp.
    September 2003
  •   Effects of monoculture in software connected by a global network, and specifically how the dominance of Microsoft's products poses a risk to security.
    CyberInsecurity The Cost of Monopoly
    Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, Charles P. Pfleeger, John S. Quarterman, Bruce Schneier
    September 2003

    Related Articles:

    Press release about the report:
    Microsoft Monopoly Represents National Security Risk, Say Internet Security Experts
    September 2003

    Employer fires primary author of the report:
    Microsoft Critic Forced Out
    Jonathan Krim
    Washington Post
    Friday, September 26, 2003; Page E01
  •   The boll weevil destroyed the monoculture cotton crop in the U.S. in the early 20th century, and it is kept at bay now by means of crop diversity, more resistant cotton varieties, different planting methods, pesticides, and constant monitoring. The Internet needs all these things, as well.
    Monoculture Considered Harmful
    John S. Quarterman
    First Monday
    February 2002
  • InternetPerils helps companies manage Internet business risk.