Abstract
Market models for software vulnerabilities have been disparaged in the past citing how these do little to lower the risk of insecure software. This leads to the common call for yet more legislation against vendors and other producers in order to lower the risk of insecure software. We argue that the call for nationalized intervention does not decrease risk, but rather the user of software has an economic choice in selecting features over security. In this paper, we investigate the economic impact of various decisions as a means of determining the optimal distribution of costs and liability when applied to information security and in particular when assigning costs in software engineering. The users of a software product act rationally when weighing software risks and costs. The choice of delivering features and averting risk is not an option demanded by the end user. After all, it is of little value to increase the cost per unit of software if this means that users purchase the alternative product with more features. We argue that the market models proposed are flawed and not the concept of a market itself.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Arora, A., Telang, R.: Economics of Software Vulnerability Disclosure. IEEE Security and Privacy 3(1), 20–25 (2005)
Arora, A., Telang, R., Xu, H.: Optimal Time Disclosure of Software Vulnerabilities. In: Conference on Information Systems and Technology, Denver CO (October 23-24, 2004)
Arora, A., Telang, R., Xu, H.: Optimal Policy for Software Vulnerability Disclosure. Management Science 54(4), 642–656 (2008)
Bacon, D.F., Chen, Y., Parkes, D., Rao, M.: A market-based approach to software evolution. Paper presented at the Proceeding of the 24th ACM SIGPLAN Conference Companion on Object Oriented Programming Systems Languages and Applications (2009)
Beach, J.R., Bonewell, M.L.: Setting-up a successful software vendor evaluation/qualification process for ‘off-the-shelve’ commercial software used in medical devices. In: Proceedings of Sixth Annual IEEE Symposium on Paper presented at the Computer-Based Medical Systems (1993)
Brookes, F.: The Mythical Man-Month. Addison-Wesley, Reading (1995)
Campodonico, S.: A Bayesian Analysis of the Logarithmic-Poisson Execution Time Model Based on Expert Opinion and Failure Data. IEEE Transactions on Software Engineering 20, 677–683 (1994)
Cavusoglu, H., Cavusoglu, H., Zhang, J.: Economics of Security Patch Management. In: The Fifth Workshop on the Economics of Information Security, WEIS 2006 (2006)
Cohen, J.: Best Kept Secrets of Peer Code Review (Modern Approach. Practical Advice). Smartbearsoftware.com (2006)
de Villiers, M.: Free Radicals in Cyberspace, Complex Issues in Information Warefare. 4 Nw. J. Tech. & Intell. Prop. 13 (2005), http://www.law.northwestern.edu/journals/njtip/v4/n1/2
Dijkstra, E.W.: Notes on structured programming Structured programming, ch. I, pp. 1–82. Academic Press Ltd., London (1972)
Kannan, K., Telang, R.: Market for Software Vulnerabilities? Think Again. Management Science (2004)
Mills, H.D.: Top-down programming in large systems. In: Rustin, R. (ed.) Debugging Techniques in Large Systems. Englewoods Cliffs, Prentice-Hall, N.J (1971)
Murphy, R., Regnery, P.: The Politically Incorrect Guide to the Great Depression and the New Deal (2009)
Nissan, N., Roughgarden, T., Tardos, E., Vazirani, V. (eds.): Algorithmic Game Theory. Cambridge University Press, Cambridge (2007), P14, Pricing Game; P24, Algorithm for a simple market; P639 Information Asymmetry
Nizovtsev, D., Thursby, M.: Economic analysis of incentives to disclose software vulnerabilities. In: Fourth Workshop on the Economics of Information Security (2005)
Ounce Labs, 2, http://www.ouncelabs.com/about/news/337-the_cost_of_fixing_an_application_vulnerability
Ozment, A.: Bug auctions: Vulnerability markets reconsidered. In: Third Workshop on the Economics of Information Security (2004)
Perrow, C.: Normal Accidents: Living with High-Risk Technologies. Princeton University Press, Princeton (1984/1999)
Telang, R., Wattal, S.: Impact of Software Vulnerability Announcements on the Market Value of Software Vendors – an Empirical Investigation (2004), http://www.infosecon.net/workshop/pdf/telang_wattal.pdf
Turing, A.: On computable numbers, with an application to the Entscheidungsproblem. Proceedings of the London Mathematical Society 42(2), 230–265 (1936)
Weigelt, K., Camerer, C.: Reputation and Corporate Strategy: A Review of Recent Theory and Applications. Strategic Management Journal 9(5), 443–454 (1988)
Donald, D.: Economic Foundations of Law and Organization (2006)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wright, C.S. (2011). Software, Vendors and Reputation: An Analysis of the Dilemma in Creating Secure Software. In: Chen, L., Yung, M. (eds) Trusted Systems. INTRUST 2010. Lecture Notes in Computer Science, vol 6802. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25283-9_23
Download citation
DOI: https://doi.org/10.1007/978-3-642-25283-9_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-25282-2
Online ISBN: 978-3-642-25283-9
eBook Packages: Computer ScienceComputer Science (R0)