Software, Vendors and Reputation: An Analysis of the Dilemma in Creating Secure Software

  • Craig S. Wright
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6802)


Market models for software vulnerabilities have been disparaged in the past on the grounds that they do little to lower the risk of insecure software. This leads to the common call for yet more legislation against vendors and other producers in order to lower the risk of insecure software. We argue that the call for nationalized intervention does not decrease risk; rather, the user of software makes an economic choice in selecting features over security. In this paper, we investigate the economic impact of various decisions as a means of determining the optimal distribution of costs and liability when applied to information security, and in particular when assigning costs in software engineering. The users of a software product act rationally when weighing software risks and costs. The choice of averting risk over delivering features is not one that the end user demands. After all, it is of little value to increase the cost per unit of software if this means that users purchase the alternative product with more features. We argue that it is the proposed market models that are flawed, not the concept of a market itself.


Keywords

Security derivatives; Vulnerability market; Software development; Game theory; SDLC (Software Development Life Cycle); DMCA (Digital Millennium Copyright Act); IDS (Intrusion Detection System); MTTF (Mean Time To Failure); Ploc (per (source) Lines of Code)





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Craig S. Wright
  1. School of Computing and Mathematics, Charles Sturt University, Wagga Wagga, Australia
