The economics of information security
The authors examine the economics of vulnerabilities, of privacy, of the deployment of security mechanisms including digital rights management, how regulation and certification can affect system security (and sometimes have counterintuitive adverse effects, such as Ben Edelman's finding that TRUSTe certified sites are more likely to contain malicious content than websites as a whole).
They end the paper with some open issues--attempts to develop network protocols that are "strategy-proof" to prevent cheating/free-riding/bad behavior, how network topologies have different abilities to withstand different types of attacks (and differing vulnerabilities), and how the software development process has a very high failure rate for large projects, especially in public-sector organizations (e.g., as many as 30% are death-march projects).
There are lots of interesting tidbits in this paper--insurance for vulnerabilities, vulnerability markets, the efficacy of spam on stock touting, the negligible effect of music downloads on music sales, and how DRM has moved power from record labels to platform owners (with Apple being the most notable beneficiary), to name a few.
(Hat tip to Bruce Schneier's blog, where you can find links to a slide presentation that covers the highlights of this paper.)