The Economics of Developing Security Embedded Software

Craig Wright, Tanveer Zia

Research output: Book chapter / Published conference paper (conference paper, peer-reviewed)

Abstract

Market models for software vulnerabilities have been disparaged in the past, citing how little they do to lower the risk of insecure software. In this paper we argue that it is the proposed market models that are flawed, not the concept of a market itself. A well-defined software risk derivative market would improve the information exchange for both the software user and the vendor, removing the often-touted imperfect information state that is said to beset the software industry. In this way, users would have a rational means of accurately judging software risks and costs, and the vendor could optimally divide its time between delivering features and averting risk in the manner demanded by the end user. It is of little value to increase the cost per unit of software by more than the cost of an equally effective compensating control in an attempt to create secure software. This paper argues that if the cost of an alternative control that can be added to a system is lower than the cost of improving the security of the software itself, then it is uneconomical to spend more time, and hence money, improving the security of the software. It is argued that a software derivative market will provide the mechanism needed to determine these costs.
Original language: English
Title of host publication: 8th Australian Information Security Management Conference (secau Security Congress 2010)
Editors: Christopher Bolan
Place of publication: Perth, WA
Publisher: secau - Security Research Centre, ECU
Pages: 163-172
Number of pages: 10
ISBN (Electronic): 9780729806886
Publication status: Published - 2010
Event: Australian Information Security Management Conference - Perth, Australia
Duration: 30 Nov 2010 to 02 Dec 2010

Conference

Conference: Australian Information Security Management Conference
Country/Territory: Australia
Period: 30/11/10 to 02/12/10
