Models for Assessing the Cost and Value of Software Assurance

Antonio Drommi

It is not enough to estimate the cost of performing secure software assurance: the expense must also be justified from a value perspective. This paper presents the IT valuation models that represent the most commonly accepted approaches to valuing IT and IT processes. These models fall into four initial types: investment based, cost based, environmental/contextual, and quantitative estimation. The general conclusion, however, is that only two of these are valid ways to approach valuation of the secure software assurance process: the quantitative and the environmental.

INTRODUCTION: ASSIGNING TANGIBLE VALUE TO A THEORETICAL PAYOFF

The commonly accepted definition of software assurance is “a level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at anytime during its life cycle and that the software functions in the intended manner” [CNSS 2006]. Software assurance is a national security priority [PITAC 1999], for the common-sense reason that a computer-enabled national infrastructure can be no more reliable than the code that underlies it [Dynes 2006, PITAC 1999]. It is therefore easy to assume that any set of activities that raises the general level of confidence in the security and reliability of our software should be at the top of everybody’s wish list.

Unfortunately, when the software assurance process is working as intended, its main observable benefit is that absolutely nothing happens [Anderson 2001, Kitchenham 1996]. In a world of razor-thin margins, a set of activities that drives up corporate cost without any directly identifiable return is a tough sell, no matter how sound the principle behind it might be [Anderson 2001, Ozment 2006, Park 2006].

The business case for software assurance is therefore contingent on finding a suitable method of valuation: one that allows managers to understand the implications of an indirect benefit such as assurance and then make “intelligent” decisions about the most feasible level of resources to commit [Anderson 2001, McGibbon 1999].

REFERENCES

[1] Carlos Zozaya-Gorostiza et al. Valuation of Information Technology Investments As Real Options. 2000.

[2] R. Kaplan et al. Using the Balanced Scorecard as a Strategic Management System. 1996.

[3] Michael J. Shaw et al. IT Portfolio Management: A Case Study. AMCIS, 2008.

[4] J. E. Neely et al. Hybrid Real Options Valuation of Risky Product Development Projects. 2001.

[5] Jun Zhang et al. Economics of Security Patch Management. WEIS, 2006.

[6] T. Luehrman et al. Strategy as a Portfolio of Real Options. Harvard Business Review, 1998.

[7] S. Sanders. A Probability Problem. 1933.

[8] J. Gray. Information Technology Research: Investing in Our Future. 1999.

[9] Ross J. Anderson. Why Information Security Is Hard: An Economic Perspective. Seventeenth Annual Computer Security Applications Conference, 2001.

[10] R. Kaplan et al. Putting the Balanced Scorecard to Work. 1993.

[11] Martin S. Feather et al. Incorporating Cost-Benefit Analyses into Software Assurance Planning. Proceedings of the 26th Annual NASA Goddard Software Engineering Workshop, 2001.

[12] Rajiv Kohli et al. Special Section: Measuring Business Value of Information Technology in E-Business Environments. Journal of Management Information Systems, 2004.

[13] E. Brynjolfsson et al. Computing Productivity: Firm-Level Evidence. Review of Economics and Statistics, 2003.

[14] Marilyn M. Parker et al. Enterprisewide Information Economics: Latest Concepts. 1989.

[15] R. Kaplan et al. The Balanced Scorecard: Measures That Drive Performance. Harvard Business Review, 2015.

[16] Shari Lawrence Pfleeger et al. Software Quality: The Elusive Target. IEEE Software, 1996.