Abstract
Market models for software vulnerabilities have been disparaged in the past citing how these do little to lower the risk of insecure software. This leads to the common call for yet more legislation against vendors and other producers in order to lower the risk of insecure software. We argue that the call for nationalized intervention does not decrease risk, but rather the user of software has an economic choice in selecting features over security. In this paper, we investigate the economic impact of various decisions as a means of determining the optimal distribution of costs and liability when applied to information security and in particular when assigning costs in software engineering. The users of a software product act rationally when weighing software risks and costs. The choice of delivering features and averting risk is not an option demanded by the end user. After all, it is of little value to increase the cost per unit of software if this means that users purchase the alternative product with more features. We argue that the market models proposed are flawed and not the concept of a market itself.
| Original language | English |
|---|---|
| Title of host publication | 2nd International Conference on Trusted Systems, INTRUST 2010 |
| Place of Publication | New York |
| Publisher | Springer-Verlag London Ltd. |
| Pages | 346-360 |
| Number of pages | 15 |
| ISBN (Electronic) | 9783642252822 |
| Publication status | Published - 2011 |
| Event | 2nd International Conference on Trusted Systems, INTRUST 2010 - Beijing, China Duration: 13 Dec 2010 → 15 Dec 2010 |
Conference
| Conference | 2nd International Conference on Trusted Systems, INTRUST 2010 |
|---|---|
| Country/Territory | China |
| Period | 13/12/10 → 15/12/10 |