The Economics of Developing Security Embedded Software

Craig Wright, Tanveer Zia

Research output: Book chapter / Published conference paper › Conference paper

Abstract

Market models for software vulnerabilities have been disparaged in the past, citing how these do little to lower the risk of insecure software. In this paper we argue that the market models proposed are flawed, and not the concept of a market itself. A well-defined software risk derivative market would improve the information exchange for both the software user and vendor, removing the often touted imperfect information state that is said to believe the software industry. In this way, users could have a rational means of accurately judging software risks and costs, and as such the vendor could optimally apply their time between delivering features and averting risk in a manner demanded by the end user. It is of little value to increase the cost per unit of software by more than an equal compensating control in an attempt to create secure software. This paper argues that if the cost of an alternative control that can be added to a system is lower than the cost of improving the security of the software itself, then it is uneconomical to spend more time and hence money improving the security of the software. It is argued that a software derivative market will provide the mechanism needed to determine these costs.
Original language: English
Title of host publication: 8th Australian Information Security Management Conference (secau Security Congress 2010)
Editors: Christopher Bolan
Place of publication: Perth, WA
Publisher: secau - Security Research Centre, ECU
Pages: 163-172
Number of pages: 10
ISBN (Electronic): 9780729806886
Publication status: Published - 2010
Event: Australian Information Security Management Conference - Perth, Australia
Duration: 30 Nov 2010 to 02 Dec 2010

Conference

Conference: Australian Information Security Management Conference
Country: Australia
Period: 30/11/10 to 02/12/10

Cite this

Wright, C., & Zia, T. (2010). The Economics of Developing Security Embedded Software. In C. Bolan (Ed.), 8th Australian Information Security Management Conference (secau Security Congress 2010) (pp. 163-172). Perth, WA: secau - Security Research Centre, ECU.
@inproceedings{04dd7f51349b435dac7f9ba25460a561,
title = "The Economics of Developing Security Embedded Software",
keywords = "Derivatives, Game theory, Security, Software development, Vulnerability market",
author = "Craig Wright and Tanveer Zia",
note = "Imported on 03 May 2017 - DigiTool details were: publisher = Perth, WA: secau - Security Research Centre, ECU, 2010. editor/s (773b) = Christopher Bolan; Event dates (773o) = 30 Nov - 2 Dec, 2010; Parent title (773t) = Australian Information Security Management Conference.",
year = "2010",
language = "English",
pages = "163--172",
editor = "Christopher Bolan",
booktitle = "8th Australian Information Security Management Conference (secau Security Congress 2010)",
publisher = "secau - Security Research Centre, ECU",
}