Software Security Investment: The Right Amount of a Good Thing

Despite an ever-increasing amount of money and attention devoted to cybersecurity, we continue to see wide-ranging cybersecurity failures. As security practitioners examine new approaches to combat this trend, a growing community has coalesced around secure software development, or 'SWSec', as a best practice. While this movement has highlighted the role engineering process plays in combating the underlying source of vulnerabilities, it has yet to enjoy wide adoption. Anecdotal evidence points to an inability to demonstrate the return on investment (ROI) as a rationale behind this reluctance, and current information security investment models have failed to account for such expenditures. We seek to build upon such models to reflect SWSec investments, with a view to demonstrating the ROI enjoyed by SWSec practice. We summarise our current research toward these ends and identify the research required to fully reflect SWSec alongside current security investments.
