A case for the economics of secure software development

Over the past 15 years the topic of information security economics has grown to become a large and diverse field, influencing security thinking on issues as diverse as bitcoin markets and cybersecurity insurance. An aspect yet to receive much attention in this respect is that of secure software development, or 'SWSec' --- another area that has seen a surge of research since 2000. SWSec provides paradigms, practices and procedures that offer some promise to address current security problems, yet those solutions face financial and technical barriers that necessitate a more thorough approach to planning and execution. Meanwhile, information security economics has developed theory and practice to support a particular world-view; however, it has yet to account for the investments, constructs and benefits of SWSec. As the frequency and severity of computer misuse have increased, both areas have struggled to impart a new mindset for addressing the inherent issues that arise in a diverse, connected and functionality-driven landscape. This paper presents a call for the establishment of an economics of secure software development. We present the primary challenges facing practice, citing relevant literature from both communities to illustrate where commonalities lie --- and where further work is needed. Those challenges are decomposed into a research agenda; applying the principles of both themes reveals a lack of models, representation and analysis in practice. A framework emerges that facilitates discussions of security theory and practice.