Managing IS Security and Privacy

Background

A thorough overview on the economics of privacy is maintained by Acquisti (2008). The 1970s was a decade marked by economists and their aspirations to develop an economic model to “decrypt” the market forces. Although Hirshleifer (1971) introduced the value of information in relation to privacy in the early 1970s, economics tools were ported to the privacy domain in the late 1970s and early 1980s (e.g., Posner, 1978; Stigler, 1980). However in the 1980s the concept of information sharing and the Internet were showing signs of potential, only to be interrupted by the Morris Worm in 1988 (Seeley, 1989), and security was added into the agenda. Initially this was done in the expense of privacy. For the following years information security received substantial attention—if the members of the private sector were to invest in electronic communications and technologies, trust needed to be restored.

Formal treatment of information security was initially in the domain of cryptography, but soon expanded to access control models and intrusion detection systems. The security goals of confidentiality, integrity, and availability were defined. The escape from security being equivalent to confidentiality was soon realized in the domain of cryptography, which was enforced with Rivest’s (1990) definition of cryptography which “is about communication in the presence of adversaries.” As such, the adversary would not necessarily be interested in eavesdropping on a communication, but could elect to interrupt, modify, fabricate, or replay messages. Formally, this omnipotent adversary was initially captured in Dolev and Yao’s (1981) threat model, spawning research into cryptographic protocols.