A very interesting read, and worth noting that most/all of the base problems described are still very much present.

Ross Anderson's security engineering book that gets a mention in this paper is available online for free at http://www.cl.cam.ac.uk/~rja14/book.html
On edX you can find a cybersecurity economics course by Ross Anderson and other experts in the field.

I took it a few years ago and at that time it was not free; now it is. If somebody is interested, here is the link: https://www.edx.org/course/cyber-security-economics-delftx-secon101x
Abstract:

According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved.

In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.