Making the Business Case for Software Assurance

Abstract: This report provides guidance for those who want to make the business case for building software assurance into software products during each software development life-cycle activity. The business case argues for the value of making additional efforts to ensure that software has minimal security risks when it is released, and shows that those efforts are most cost-effective when they are made appropriately throughout the development life cycle. Although there is no single model that can be recommended for making the cost-benefit argument, there are promising models and methods that can be used individually and collectively for this purpose, as well as some convincing case study data that supports the value of building software assurance into newly developed software. These are described in this report. The report discusses the following topics as they relate to the business case for software assurance: cost-benefit models, measurement, risk, prioritization, process improvement, globalization, organizational development, and case studies. These topics were selected based on earlier studies and collaborative efforts, as well as the workshop "Making the Business Case for Software Assurance," which was held at Carnegie Mellon University in September 2008.
