Colleagues and I created a massively open online course in the economics of information security, which ran in 2015 and again in 2016.
I’m pleased to announce that it’s now running again until December 30th as a self-paced course. Registration is open here.
I’m currently deciding whether or not to purchase an edX Verified Certificate for this course. Leaving aside the revenue they generate for edX (which I support), I am trying to get a realistic idea of how these certificates are viewed and treated by recruiters and employers. Bottom line – are they worth paying for? I would appreciate any comments from Professor Anderson, other edX users or recruiters/employers.
Thanks for the MOOC, looking forward to starting it in a few days.
Payment has a huge effect on completion.
Last year, for example, 5081 students enrolled free, 2720 started, 986 tried some problems and 260 passed – under 10%. But of the 223 who verified enrolment, 214 started, 193 tried problems and 153 passed.
It seems to be a bit like gym membership. Anyone can get fit for free by running round the park. But if you hand over some real money for a year’s fitness club membership, you see to it that you get some value out of it.
I’ve completed the course; it was excellent. Thank you very much to you and all the other lecturers for a fascinating insight into this subject. I’ve provided a lot of feedback in the post-survey which I hope is useful.
I’d like to learn more about this subject. Can you recommend any good books or courses pitched at about the same level (detailed technical knowledge with limited knowledge of economics) please? It’s clearly an approach which makes sense of the security market, as well as many other things now that I understand a bit about it from this course.
I upgraded to Verified but cancelled it and reverted after reading edX’s Privacy Policy. From what I can see the photo ID is accessible by unknown third parties operating under unknown legislation. The Privacy Policy doesn’t give any assurances about how the image is managed, transported or protected. Ironically the course gives me an insight into why that is the case. Bottom line is I can’t allow an image of my driving license to disappear into a black hole like that.
Can the principles studied in the course be applied to shift incentives so as to end the objectionable exploitation by big companies of data gathered from consumers?
Chris, I’m glad you enjoyed the course! For further reading you can check out the security economics chapter in my security engineering book while for the full Monty, look through the links on my security economics page.
I share your scepticism about corporate privacy policies. They are not completely unenforceable, as the FTC occasionally goes after firms that break them egregiously, although it remains to be seen how vigorously this will be done under the new administration. And, as you noticed, many policies are drafted by skilful lawyers so that they don’t really promise anything at all. They provide privacy theatre, rather than actual privacy. Truth to tell, much the same can be said about the privacy regulators in many European countries. Their governments hamstring them in various ways so that they don’t get in the way of data exploitation by business, and by government departments. To understand this, read the literatures on law and economics, and on public choice.
Hope this helps
Thanks Ross for the extra reading links. This was my first edX course and I had not spotted the “course readings” section. I’ll know for next time. I now have 42 additional documents from those links to look at over the next month, plus the links in your reply.
The edX platform was great to use and made it very slick and easy to work through the course. I’ve enrolled in a few other courses now and am looking forward to those shortly.
What struck me about the Cyber Security Economics approach was that it seems to cut through the noise and get right to the heart of what is driving behaviour by all participants, from vendors to manufacturers to consumers. There was a bit of a lightbulb moment as I realised it seemed to explain other behaviour too. I’m wary of using it to explain everything but I definitely want to explore it in more detail, it’s quite fascinating.
I found it amusing that the course, running on edX, helped explain why edX might have such a poor privacy policy from the point of view of me as a ‘demander’. edX’s incentives are not aligned with mine so their behaviour does not address my concerns, and they promise vague sounding controls to try and placate customers and meet compliance. And if they directly addressed photo ID privacy, as I would like, that could paradoxically result in less overall trust, as the latter part of the course explained. The course makes this all so obvious now; it’s exciting and empowering to be able to see and understand this.
Thanks again to you Ross, Michel, Carlos, Rainer, Tyler, Sophie and David for the presentations and the course overall. Much appreciated.
Alyer, see my above reply to Chris. Privacy regulation is pretty broken in most countries, as governments go for privacy theatre rather than confronting powerful corporate interests. Washington never cared much about privacy, even under Clinton and Obama; you have a patchwork of subject-specific rules for applications such as video rentals and health records, plus the FTC using truth-in-advertising principles to sue firms that breach their privacy policies. Like it or not, the world’s privacy regulator is the European Union, whose General Data Protection Regulation will come into force next year. It promises to be a significant improvement on the previous Directive which left EU Member States too much latitude in implementation – which countries like the UK and Ireland exploited shamelessly to court US multinationals. Unlike a Directive, a Regulation becomes law in Member States directly, so there is no latitude for national parliaments to “improve” the bits they don’t like. However they will still have the ability to hand-pick regulators who are personally and ideologically pro-business and will enforce the rules as little as possible. Why, for example, do you think firms like Google and Facebook locate their EU headquarters in Ireland? Well, just take a look at the office of the Irish privacy regulator.