Abstract
Market models for software vulnerabilities have been disparaged in the past on the grounds that they do little to lower the risk of insecure software. In this paper we argue that it is the particular market models that have been proposed which are flawed, not the concept of a market itself. A well-defined software risk derivative market would improve the exchange of information between software users and vendors, removing the often cited state of imperfect information that is said to plague the software industry. Users would then have a rational means of accurately judging software risks and costs, and vendors could optimally divide their effort between delivering features and averting risk in the proportion demanded by the end user. There is little value in raising the cost per unit of software by more than the cost of an equivalent compensating control in an attempt to create secure software. This paper argues that if an alternative control can be added to a system at a lower cost than improving the security of the software itself, then it is uneconomical to spend more time, and hence money, improving the security of the software. It is argued that a software derivative market will provide the mechanism needed to determine these costs.
Original language | English |
---|---|
Title of host publication | 8th Australian Information Security Management Conference (secau Security Congress 2010) |
Editors | Christopher Bolan |
Place of Publication | Perth, WA |
Publisher | secau - Security Research Centre, ECU |
Pages | 163-172 |
Number of pages | 10 |
ISBN (Electronic) | 9780729806886 |
Publication status | Published - 2010 |
Event | Australian Information Security Management Conference - Perth, Australia |
Duration | 30 Nov 2010 → 02 Dec 2010 |
Conference
Conference | Australian Information Security Management Conference |
---|---|
Country/Territory | Australia |
Period | 30/11/10 → 02/12/10 |