How to Buy Better Testing Using Competition to Get the Most Security and Robustness for Your Dollar

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2437)


Without good testing, systems cannot be made secure or robust. Without metrics for the quality and security of system components, no guarantees can be made about the systems they are used to construct. This paper describes how firms can make the testing process faster and more cost effective while simultaneously providing a reliable metric of quality as one of the outputs of the process. This is accomplished via a market for defect reports, in which testers maximize profits by minimizing the cost of finding defects. The power of competition is harnessed to ensure that testers are paid a fair price for the defects they discover, thereby aligning their incentives with those of the firm developing the system. The price to find, demonstrate, and report a defect that is set by the market serves as the measure of quality.


Testing Process Reward Function Security Vulnerability Mean Time Between Failure Defect Report 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Akerlof, G.A.: The market for ‘lemons’: Quality uncertainty and the market mechanism. The Quarterly Journal of Economics 84 (1970) 488–500CrossRefGoogle Scholar
  2. 2.
    Anderson, R.: Why information security is hard, an economic perspective. In: 17th Annual Computer Security Applications Conference. (2001)Google Scholar
  3. 3.
    Schechter, S.E.: Quantitatively differentiating system security. In: The First Workshop on Economics and Information Security. (2002)Google Scholar
  4. 4.
    Silverman, R.D.: A cost-based security analysis of symmetric and asymmetric key lengths. (2001)
  5. 5.
    Brady, R.M., Anderson, R.J., Ball, R.C.: Murphy’s law, the fitness of evolving species, and the limits of software reliability. (1999)
  6. 6.
    Camp, L.J., Wolfram, C.: Pricing security. In: Proceedings of the CERT Information Survivability Workshop. (2000) 31–39Google Scholar
  7. 7.
    Aslam, T., Krsul, I., Spafford, E.: Use of a taxonomy of security faults. In: 19th National Information Systems Security Conference. (1996)Google Scholar
  8. 8.
    Landwehr, C.E., Bull, A.R., McDermott, J.P., Choi, W.S.: A taxonomy of computer program security flaws. ACM Computing Surveys 26 (1994) 211–254CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  1. 1.Harvard UniversityUSA

Personalised recommendations