Optimizing Investments in Security Countermeasures: A Practical Tool for Fixed Budgets

As a software engineer or client, how much of your budget should you spend on software security mitigation for the applications and networks on which you depend? The authors introduce a novel way to optimize a combination of security countermeasures under fixed resources. Software engineers and their customers continuously face a complex and frustrating decision: given a fixed budget, which combination of vulnerability mitigation actions produces optimal system security? In a world without budgetary or temporal constraints, engineers could invest in whatever tools or training they deemed necessary to safeguard applications and networks. Or they could spend arbitrary amounts of time and money patching existing code and take painstaking precaution in writing new software to ensure its security. Of course, the economic reality is that software engineers are pushed to get their product to market as fast as possible, and security is often a distant priority in the face of budgetary constraints. However, fixing any remaining security vulnerabilities postproduction can be both costly and wasteful. In this article, we describe a novel methodology for quantitatively optimizing the blend of architectural and policy recommendations that engineers can apply to their products to maximize security under a fixed budget. The results of our optimization are sometimes surprising and even counterintuitive: bigger budgets don't always produce greater security, and the optimal combination of corrective actions changes nonlinearly with increasing expenditures. These findings suggest that some form of formal decision support could augment traditional methods.