The Economics of Developing Security Embedded Software

C. Wright, T. Zia
DOI: 10.4225/75/57B5249FCD8AF (https://doi.org/10.4225/75/57B5249FCD8AF)
Journal: Australian Information Security Management Conference
Source: Semanticscholar
Citation count: 0

Abstract

Market models for software vulnerabilities have been disparaged in the past, citing how these do little to lower the risk of insecure software. In this paper we argue that it is the market models proposed that are flawed, not the concept of a market itself. A well-defined software risk derivative market would improve the information exchange for both the software user and the vendor, removing the often-touted state of imperfect information that is said to bedevil the software industry. In this way, users would have a rational means of accurately judging software risks and costs, and the vendor could optimally divide their time between delivering features and averting risk in the manner demanded by the end user. It is of little value to increase the cost per unit of software by more than the cost of an equal compensating control in an attempt to create secure software. This paper argues that if the cost of an alternative control that can be added to a system is lower than the cost of improving the security of the software itself, then it is uneconomical to spend more time, and hence money, improving the security of the software. It is argued that a software derivative market will provide the mechanism needed to determine these costs.