Program

Breakfast

Ross Anderson WEIS Lecture (Keynote)

Susan Athey, Stanford University
Systemic Cyber Risk: Linking Measurement, Market Incentives, and Policy

Abstract:
Few would dispute that systemic (catastrophic) cyber risk is a very serious problem for the global economy and for society, and that catastrophic failures with very serious consequences are likely, with recent advances in artificial intelligence (AI) only magnifying the ability of attackers to breach our defenses. However, there is a disconnect between a high-level acknowledgment of the problem and actions taken by firms and policymakers to address the problem. In this paper, we develop a more nuanced framework that shines a spotlight on the forces behind the lack of action as well as on key areas of focus for policy, areas where the societal benefits to action are greatest and areas where we might better harness economic incentives to improve outcomes. By “shaping” markets using incentives, carefully crafted regulatory frameworks, and the provision of digital public goods, policy makers can channel market forces and better align incentives to get substantially better cybersecurity outcomes while simultaneously reducing entry barriers for firms in the cybersecurity sector, firms in the defense sector, and in industry more broadly.

Break

Paper Session I: Game Theory
Session Chair: Mingyan Liu

• Cybersecurity and Market Share in Digital Ecosystems with Network Externalities
  Daniel Arce
• LASB: A Liquidity-Adjusted Security Metric for Consensus Attacks
  Ke Wang, Wenbin Wu, and Alexander Neumueller
• Analyzing Investment Incentives under METI’s New Rating System via a Stepwise Extension of the Gordon-Loeb Model
  Ryoma Kanai and Kanta Matsuura
• Cybercrime and Prevention: Colonel Blotto in Social Engineering
  Gergely Benkő, Katalin Parti, and Gergely Biczók

Lunch

Paper Session II: Crime and Measurement
Session Chair: Jean Camp

• Stand-Alone Complex or Vibercrime? Exploring the Adoption and Innovation of GenAI Tools, Coding Assistants, and Agents within Cybercrime Ecosystems
  Jack Hughes, Ben Collier, and Daniel Thomas
• Estimating the Social Cost of Corporate Data Breaches
  Lina Alkarmi, Armin Sarabi, and Mingyan Liu
• How Do Cyber Attacks Impact Corporate Balance Sheets and Income Statements? An Empirical Study
  Teyyub Mutallimov, Dana Itzhaki, and Tyler Moore
• The Impact of Cyber Attacks on Security Investment: Evidence from Firm-Level Panel Data
  Abulfaz Hajizada, Dana Etgar Itzhaki, Noa Barnir, Tyler Moore, and Neil Gandal

Break

Paper Session III: Privacy
Session Chair: Alessandro Acquisti

• Privacy Agents in the Field
  Aileen Nielsen and Yafit Lev-Aretz
• Who Wants Privacy Anyway? Comparative Evidence on CBDC Design Preference
  Vagisha Srivastava
• Privacy Interventions and Publishers’ Revenues: Evidence on Long-Run Effects and Ad-Traffic Heterogeneity
  Tobias Kircher, Riley Grossman, Mike Smith, Alessandro Acquisti, Cristian Borcea, Yi Chen, and Cristobal Cheyre

Breakfast

Paper Session IV: Insurance and Risk Management
Session Chair: Daniel Arce

• Ransomware Insurance and Strategic Ransom Demand
  Manos Perdikakis
• Disentangling the Sources of Cyber Risk Premia
  Loïc Maréchal and Nathan Monnet
• Defending Against Intelligent Attackers at Large Scales
  Andrew Lohn
• “People were not happy when admitting mistakes”: Evolving Past Defensiveness in Running Coordinated Vulnerability Disclosure Programs
  Sandra Rivera Pérez, Amy Tjin Tjoen Jin, Michel van Eeten, and Carlos Gañán

Break

Panel: Putting Theory to Practice

This session brings together industry leaders to move beyond abstract models and spotlight real-world cyber risk quantification that drives business decisions. The panel will present concrete use cases: underwriting, portfolio management, third‑party risk, scenario modeling, and more, illustrating measurable outcomes and implementation challenges. The panel will also discuss practical collaboration opportunities between academia and industry, ensuring academic advances become operational and valuable to insurers and risk managers.

Moderator: Scott Stransky, Marsh
Panelists: 
Carol Aplin, Marsh
Davis Hake, Venable
Rich Seiersen, Qualys
Yoshi Yamamoto, At-Bay

Lunch

Paper Session V: Infrastructure Weak?
Session Chair: Kanta Matsuura

• Cybersecurity Ratings to Support Domain-Specific Financial Decisions: Applications to National Infrastructures, Cyberinsurance, Gordon-Loeb Model, and NPV Analysis
  William Yurcik, Gregory Pluta, and Fábio Miranda
• The Emergence of Public Key Infrastructures: Changing Authority Structures and the Automation of Trust in Cyberspace
  Milton Mueller
• Time Will Tell: A Longitudinal Analysis of the Evolution of Security and Privacy of Three IoT Device Types
  Swaathi Vetrivel, Michel van Eeten, and Carlos Gañán

Break

Paper Session VI: Naming Names
Session Chair: Gergely Biczók

• “I’m the mess that you wanted”: Evaluating the Accuracy of WHOIS Asset Discovery Against Self-Reported Data
  Yana Angelova, Aksel Ethembabaoglu, Rolf van Wegberg, Carlos Gañán and Michel van Eeten
• Domijn: The Security of Domain Registrars and the Risk of a Domain Name Takeover
  Koen van Hove, Jeroen van der Ham-de Vos and Roland van Rijswijk-Deij

Break

Rump Session

Conference participants are invited to give short (5-minute maximum)
talks on new research and works in progress. To reserve a spot, email
the rump session chair, Tyler Moore (tyler-moore@utulsa.edu), with the
subject “WEIS26 rump session,” along with a title and affiliation.