edX Economics of Cybersecurity Course Review

I've been keeping an eye on the area of economics and information security for around eight years so when I saw this course pop up back in November I signed up immediately for January, despite not really knowing what to expect.

If you work in information security and are a fan of the Freakonomics series of books/podcasts, then the ideas used to analyze info sec in this course will be right up your street so just go and sign up now for the next session!


If you're not sure what on earth economics of information/cyber security is, then have a quick read of this paper and it'll give you a much better intro than I could ever give.

The course itself is the usual style of MOOC with recorded video sessions along with discussion forums, live webinars and some multiple choice questions at the end of each section.

The course material is split over six sections covering the following topics, with each section around an hour in length and with an accompanying webinar of a further hour:
  • An introduction to economics in the context of security;
  • Measurement of security;
  • Security investment and management;
  • Market failures; and
  • Human factors in security.

In terms of content, I thought that the material was a fantastic introduction to a wide range of aspects of economics of security and pretty much spot on for the level of detail I was expecting. I would have loved to see more detail but have to appreciate that it's an introductory course!

I found that based on my existing reading in the area, I was very familiar with the majority of the content in the course, in particular the areas around the fundamentals of applying economics in security, measuring security, investment and risk management and behavioral heuristics/biases. However, the section on policy interventions and privacy definitely gave me some new insights.

In terms of prerequisites for the course, I feel that if you had never done microeconomics or had any exposure to the area of economics before, then it'll probably be a bit of a shock to the system on the first week as they very much dive straight in! Because I'd read a lot on the topic, albeit in a completely unstructured way, I was pretty familiar with almost all of the topics covered and with some basic background in economics I was able to keep pace no problems.

I also felt that some of the sections could have had more context set initially to lead people from a traditional, technical information security background in. For example, the human factor section jumps straight into explaining the reasons behind poor decision making by individuals, but doesn't really explain where in information security you'd normally see these kinds of poor decisions being made. For more experienced info sec professionals, they'll immediately understand the context in relation to either risk management decisions or end user opinions, however for more junior people, outlining the examples up front in simple terms would greatly benefit the course.

I was a bit disappointed with the multiple choice questions at the end because when you got answers wrong, there was no way to get prompts as to what the right answers were and you only get the description of what the right answer was when you get the answer right... So in the end I found myself attempting to brute force the answers for a number of questions, just to understand why I got the question wrong!

I really enjoyed it personally as a refresher in the area and also learned some new aspects that I hadn't come across in the areas of market failures and policy intervention and privacy. Also, I'm always a big fan of inter-disciplinary approaches to information security as I find if you stick with just learning from people who come from the same educational/professional background as yourself, it's very easy to become siloed in the way you look at a problem.

Overall, I think that this entire course should be considered mandatory content for any security management type certifications (CISM, etc.) as it provides a fantastically unique view on security that if you're working in info sec management, you really need to understand.

I'd love to see a follow-on, more in-depth course from the same lecturers to go into more detail on the topics covered in this course, look at some practical examples of analysis and review and compare/contrast the different research that has been published in the area of economics of info sec over the past few years. Hopefully that won't be long coming!

edX: https://www.edx.org/course/economics-cybersecurity-delftx-econsec101x