Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls

  • Craig S. Wright
  • Tanveer A. Zia
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6694)


As with every other aspect of business and the economy, information security is an economic function. Security can be modeled as a maintenance or insurance cost, and only in relative terms, never in absolute ones. Security is therefore a cost function that prevents loss but cannot itself create gains (or profit). Whereas a capital investment is expected to provide a return, security is a defense against unforeseen losses that consume capital and reduce profitability. In this paper we assess the individual cost of security and model that assessment in economic terms. Such an assessment is vital in determining the cost-benefit of applying costly security controls to systems in general and to software in particular.


Keywords: Software Development Life Cycle; Model Checking; Software Verification; Empirical studies




Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Craig S. Wright (1)
  • Tanveer A. Zia (1)
  1. School of Computing and Mathematics, Charles Sturt University, Australia
