Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls
As with all aspects of business and the economy, information security is an economic function. Security can be modeled as a maintenance or insurance cost as a relative function but never in absolute terms. As such, security can be seen as a cost function that leads to the prevention of loss, but not one that can create gains (or profit). With the role of a capital investment to provide a return on investment, security is a defense against unforeseen losses that cost capital and reduce profitability. In this paper we assess the individual security cost and model our assessment in economic terms. This assessment is vital in determining the cost benefit in applying costly security controls in our systems in general and software in particular.
KeywordsSoftware Development Life Cycle Model Checking Software Verification Empirical studies
Unable to display preview. Download preview PDF.
- 2.Devanbu, P.T., Stubblebine, S.: Software engineering for security: a roadmap. In: Proceedings of the Conference on The Future of Software Engineering. ACM, Limerick (2002)Google Scholar
- 3.DShield (2006-2010), http://www.dshield.org
- 4.Hahn, R.W., Layne-Farrar, A.: The Law and Economics of Software Security, p. 283. Harv. J.L. & Pub., Pol’y (2007)Google Scholar
- 5.Jaziar, R.: Understanding Hidden Information Security Threats: The Vulnerability Black Market. Paper presented at the 40th Annual Hawaii International Conference on System Sciences HICSS (2007)Google Scholar
- 6.Peisert, S., Bishop, M.: How to Design Computer Security Experiments. In: WG 11.8 International Federation of Information Processing. Springer, Boston (2007)Google Scholar
- 7.Scott, M.D.: Tort Liability for Vendors of Insecure Software: Has the Time Finally Come. Md. L. Rev. 67(425) (2007-2008)Google Scholar
- 8.Skyrms, B.: The Stag Hunt and the Evolution of Social Structure. Cambridge University Press, Cambridge (2004)Google Scholar
- 10.White, D.S.D.: Limiting Vulnerability Exposure through effective Patch Management: threat mitigation through vulnerability remediation. Master of Science Thesis, Department of Computer Science, Rhodes University (2006)Google Scholar
- 14.Bacon, D.F., Chen, Y., Parkes, D., Rao, M.: A market-based approach to software evolution. Paper presented at the Proceeding of the 24th ACM SIGPLAN Conference Companion on Object Oriented Programming Systems Languages and Applications (2009)Google Scholar
- 15.Cavusoglu, H., Cavusoglu, H., Zhang, J.: Economics of Security Patch Management. In: The Fifth Workshop on the Economics of Information Security, WEIS 2006 (2006)Google Scholar