Thesis: The economics of insecurity in the software business
From Software Business Community
Working title: “The economics of insecurity in the software business”
Author
Abstract
The purpose of security in software is to assure the confidentiality, integrity, and availability of data. As our dependence on software in everyday life and business has grown over the years, so have the expenditures of companies on security. While a lot of research has been spawned on the issues of managing security from a technology point of view, far less work has addressed the economic or value-based perspective. Existing security management models from the literature commonly struggle with a.) the heterogeneity of security incidents, market environments and business models they need to process and b.) the scarcity of empirical data to validate the approaches.
This work plans to improve security management in the software business by analysing the 1.) alleged causes of low levels of security in software, 2.) economic effects of security incidents on companies, and 3.) approaches to manage security risks using quantitative economics-based models.
The main contribution to the existing body of knowledge shall be the identification of a set of indicators for a causal relationship between the market and the security level of software products, resulting in a value based model for security management in the software business.
Motivation
IT security research has evolved into a highly interdisciplinary research area, involving a highly diverse group of people from the fields of electrical engineering, software engineering and cryptography up to management. The latter have gained increasing importance in controlling the future direction of security research in the software business by taking control of the key investment decisions. The involvement of management in security investment has also added a new vantage point to security issues that had received only little attention in previous research work: a value based view on security in software, aimed at understanding the economics behind security and insecurity in the context of the software business.
Traditionally, security management is seen as a process of identifying, analyzing, mitigating, and controlling risks in an organization. “Value based” means that two activities are added to this process: benchmarking and grading. Decisions in value based security management are thus based on measurement rather than on qualitative evaluations. Value based management models require an in-depth understanding of the relationships between their input variables to be effective. In the context of this work, these input variables are 1.) a software product which represents a valuable asset to a particular company, 2.) a business model which turns this asset into profit for the company, 3.) an environment, usually a competitive market, where this transformation of assets into profits takes place, and 4.) security incidents that threaten the relationship of 1., 2. and 3.
Security incidents can occur in a myriad of forms, such as software bugs that cause customer data to leak out to the public, denial-of-service (DoS) attacks that shut down business operations, or product recalls or patching orders due to discovered flaws in already shipped products. Today’s literature still lacks an understanding of the relationship between such security problems in software products and the economics behind them. Important questions like
- “what is the impact of security incidents on company value?”
- “how much should we invest in software security?”
- “how can the indirect costs of software security flaws be measured?”
have yet to be answered.
Thus, the challenge lies in developing formal models for a value based view on security in software companies to provide managers with tools for planning, evaluation and management of security investments. Today, the occurrence of security problems typically causes top management to react with fast decisions, which are hardly backed by accurate firm data or appropriate decision support (Neubauer 2005).
Beneficiaries of researching the economics of security in software business
Developing a formal value based model for managing security will allow corporate managers to base their decisions on more than a vague feeling when they are faced with security issues in their business.
By using such a model, senior managers, quality managers, software architects, financial analysts, risk managers and other internal as well as external organizational stakeholders become able to analyse the individual relationships between security in their organization, its products and the market, thus providing them with valuable business decision support.
- Senior managers can use a value based security management model to determine the optimal amount of security expenditures based on the anticipated returns on their investment.
- Quality managers and software architects are able to improve the planning of the resource distribution in their software development process to ensure an optimal amount of effort is spent on the product’s security design and testing.
- Being able to understand the impact of security incidents on a company’s economic performance and market value allows financial analysts to assess potential implications for their portfolios.
- Risk managers and security professionals use value based approaches to support their claims for appropriate IT security funding towards senior management.
Goals and Contributions
Research question
“How should a value based security management model be composed so that it allows managers to determine the relationship between a company’s and its products’ security and the market, in order to support informed security investment decisions?”
Research goal statement
"Develop a value based, business driven, security management model for software companies, compare it with existing security management approaches and evaluate the model's applicability empirically using historic data from the stock market."
Objectives
Constructive research
- Identify the theories which are applicable in a value-based security management model. Analyze: utility theory (how important are individual values?), decision theory (how do stakeholders make decisions?), dependency theory (how do dependencies affect value?), prospect theory (human decisions under the influence of risk), and control theory (how do dynamic systems behave?)
- Analyse how the value based approach is used in the context of security management and what the shortcomings of current approaches are.
- Use existing work from the fields of security management, risk management, value based software engineering and market research to derive the key elements of value based management models and their metrics.
- Use the key elements from the literature’s value-based models and the conclusions from the empirical study to develop the security management model for software business companies.
Empirical research:
- Conduct an empirical study among public software companies to determine a possible relationship between security incidents and their impact on the economic performance and market value of software companies. (Data: publicly announced security incidents; stock market share prices. Method: event study methodology)
- Break down the relationships found according to companies’ individual business models and other characteristics.
- Use the outcome of the empirical analysis to determine the parameter sets and seed values for the value based security management model.
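The event study step of the empirical research, as an added illustration that is not part of the proposal or its author's work: the normal return of a firm is estimated with the single-factor market model (R_firm = alpha + beta * R_market + e) over an estimation window, and the abnormal returns in a short window around the announcement of a security incident are summed into a cumulative abnormal return (CAR) and standardised by the residual error of the fit. The daily returns below are constructed, not real share prices, and the choice of the market model, an eight-day estimation window and a three-day event window are assumptions made to keep the example small.

```python
"""Market-model event study on constructed daily returns.

Added illustration for the empirical part of the proposal; it is not code from
the thesis or its author. Assumptions: returns are simple daily returns, the
normal return is estimated with the single-factor market model
R_firm = alpha + beta * R_market + e over an estimation window that ends
before the event window, and the event window is a short run of days around
the public announcement of a security incident.
"""
from math import sqrt
from statistics import mean


def market_model(est_firm, est_market):
    """Ordinary least squares fit of the market model on the estimation window.

    Returns (alpha, beta, sigma), where sigma is the residual standard error
    (n - 2 degrees of freedom) used later to standardise abnormal returns.
    """
    if len(est_firm) != len(est_market) or len(est_firm) < 3:
        raise ValueError("need at least three paired observations")
    mbar, fbar = mean(est_market), mean(est_firm)
    sxx = sum((m - mbar) ** 2 for m in est_market)
    if sxx == 0.0:
        raise ValueError("market returns are constant; beta is undefined")
    sxy = sum((m - mbar) * (f - fbar) for m, f in zip(est_market, est_firm))
    beta = sxy / sxx
    alpha = fbar - beta * mbar
    residuals = [f - (alpha + beta * m) for m, f in zip(est_market, est_firm)]
    sigma = sqrt(sum(e * e for e in residuals) / (len(residuals) - 2))
    return alpha, beta, sigma


def abnormal_returns(alpha, beta, ev_firm, ev_market):
    """AR_t = actual return minus the normal return predicted by the market model."""
    return [f - (alpha + beta * m) for f, m in zip(ev_firm, ev_market)]


def event_study(est_firm, est_market, ev_firm, ev_market):
    """Run one event study and return the key figures as a dict.

    CAR is the cumulative abnormal return over the event window; t_car is
    CAR divided by sigma * sqrt(window length), the usual test statistic
    under the assumption of independent, homoscedastic abnormal returns.
    t_car is None when the estimation window fits perfectly (sigma == 0),
    because the statistic is then undefined rather than infinitely large.
    """
    alpha, beta, sigma = market_model(est_firm, est_market)
    ars = abnormal_returns(alpha, beta, ev_firm, ev_market)
    car = sum(ars)
    t_car = car / (sigma * sqrt(len(ars))) if sigma > 0.0 else None
    return {"alpha": alpha, "beta": beta, "sigma": sigma,
            "abnormal_returns": ars, "car": car, "t_car": t_car}


def average_car(results):
    """Cross-sectional mean CAR over several events (one result dict per event)."""
    return mean([r["car"] for r in results])


# Constructed sample (not real market data). The estimation window is only
# eight days to keep the example short; real studies use 100+ trading days.
# Firm returns follow 0.001 + 1.2 * market exactly, plus residuals that sum
# to zero and are orthogonal to the market, so alpha and beta recover exactly.
EST_MARKET = [0.01, 0.01, -0.01, -0.01, 0.02, 0.02, 0.0, 0.0]
EST_FIRM = [0.015, 0.011, -0.009, -0.013, 0.027, 0.023, 0.003, -0.001]
# Three-day event window (t = -1, 0, +1); the firm drops 5% on the day of
# the constructed incident announcement while the market is calm.
EV_MARKET = [0.0, 0.01, -0.005]
EV_FIRM = [0.0, -0.05, -0.02]

if __name__ == "__main__":
    result = event_study(EST_FIRM, EST_MARKET, EV_FIRM, EV_MARKET)
    print(f"alpha={result['alpha']:.4f} beta={result['beta']:.3f} "
          f"sigma={result['sigma']:.5f}")
    print("abnormal returns:", [round(a, 4) for a in result["abnormal_returns"]])
    print(f"CAR={result['car']:.4f} t={result['t_car']:.2f}")
```

On the constructed data the fit recovers alpha = 0.001 and beta = 1.2, the abnormal return on the announcement day is -0.063 and the three-day CAR is -0.079; the proposal's "break down by business model" step would then compare the average CAR of groups of firms built with average_car, which is also why each event keeps its own estimation window rather than a pooled one.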
Contributions
This work contributes to a research oriented target group as well as to practitioners in the software industry:
The academic contribution is two-fold: by conducting a large-scale empirical study, this work brings new data to the sparse field of economics of security in software. The newly developed model adds the next step in the evolution of security management by integrating interdisciplinary value based approaches from software engineering to risk management with the findings from empirical work. The new model improves existing approaches by adding practical applicability and the ability to cope with the heterogeneous business models of companies in the software industry.
Practitioner oriented contributions are tailored to each of the individual target groups:
- A value based security management model for software companies supports senior management in making optimal investment decisions, based on evaluation and measurement of risk.
- A value based risk assessment allows financial analysts to determine the market impact of security incidents and to adapt their portfolio accordingly.
- A value based model allows software architects to allocate the right amount of resources for product security design and testing in the software development process.
Scope
The planned work is centered around the economics of security issues in the software business. The research part includes applicable theories from the fields of software process improvement, economics (econometrics), risk management and behavioral science. The empirical work focuses on analyzing the relationship between software companies that report security events (incidents) and their economic performance and market value. The output of the work will be an empirical analysis of this relationship and a formal security management model, based on evolving the literature’s approaches and the findings from the empirical study. The planned thesis does not aim at developing a particular decision support software, although the developed model could be used for such an undertaking in future work. Qualitative security management models are an important groundwork for quantitative models and have to be considered when developing the new value-based model, but they are not the core focus of this work.
Key Terms
- Risk management
- Software Business Models
- Information Security Management
- Incident management
- Value based management model
- Market value
Citation
work in progress
Literature
- Bishop, M. 2004. “Introduction to Computer Security”. Addison-Wesley Longman, Amsterdam.
- Larsen, A. 1999. “Global security survey: Virus attack”. Available at: http://Informationweek.com/743/security.htm
- Anderson, R. 2001. “Why information security is hard - an economic perspective”. Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC 2001).
- Telang, R. & Wattal, S. 2007. “An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price”. IEEE Transactions on Software Engineering.
- Gordon, L.A. & Loeb, M.P. 2002. “The economics of information security investment”. ACM Transactions on Information and System Security.
- Cusumano, M.A. 2004. “Who is liable for bugs and security flaws in software?”. Communications of the ACM, 47(3), pp. 25-27.
- Anderson & Moore. 2006. “The Economics of Information Security”. Science 314 (5799), pp. 610-610.
- Akerlof, G.A. 1970. “The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism”. Quarterly Journal of Economics, 84, pp. 488-500.
- Arora, A., Caulkins, J.P. & Telang, R. 2004. “Provisions of Software Quality in the presence of Patching technology”. Carnegie Mellon University, working paper.
- Davidson & Worrell. 1992. “The Effects of Product Recall Announcements on Shareholder Wealth”. Strategic Management Journal, 13(6), pp. 467-473.
- Jarrell, G. & Peltzman, S. 1985. “The Impact of Product Recalls on the Wealth of Sellers”. The Journal of Political Economy, 93(1), pp. 512-536.
- Campbell, K., Gordon, L.A., Loeb, M.P. & Zhou, L. 2003. “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market”. Journal of Computer Security, 11(3), pp. 431-448.
- Cavusoglu, H., Mishra, B. & Raghunathan, S. 2004. “The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers”. International Journal of Electronic Commerce, 9(1), p. 69.
- Westland, J.C. 2003. “The Cost Behavior of Software Defects”. Decision Sciences, 37, pp. 229-238.
- NIST. 2002. “The economic impacts of inadequate infrastructure for software testing”. National Institute of Standards and Technology (NIST), Gaithersburg, MD.
- ITIL, The Open Guide. 2007. “ITIL Incident Management”. Available at: www.itlibrary.org/index.php?page=Incident_Management [Online], visited Oct. 2007.
- COBIT, Information Systems Audit and Control Association. www.isaca.org/COBIT, visited May 2007.
- Saleh, M.S., Alrabiah, A. & Bakry, S.H. 2007. “Using ISO 17799:2005 information security management: a STOPE view with six sigma approach”. International Journal of Network Management, 17(1).
- Boehm, B.W. & DeMarco, T. 1997. “Software Risk Management”. IEEE Software.
- Neubauer, Klemen & Biffl. 2005. “Business Process-based Valuation of IT-Security”. Proceedings of the Seventh International Workshop on Economics-driven Software Engineering Research (EDSER 05).
- Shuping, Wan. 2007. “Optimal Security Investment Under Tax and Transaction Cost”. Chinese Control Conference 2007 (CCC).
- Al-Humaigani, M. & Dunn, D.B. 2003. “A model of return on investment for information systems security”. Proceedings of the 46th IEEE International Midwest Symposium on Circuits and Systems (MWSCAS '03), Volume 1, pp. 483-485.
- Ozment, A. 2004. “Bug Auctions: Vulnerability Markets Reconsidered”. Third Workshop on the Economics of Information Security, May 2004, Minneapolis, MN.
- Böhme, R. 2005. “Cyber-Insurance Revisited”. Fourth Workshop on the Economics of Information Security, 2005, Harvard University. Available at: http://infosecon.net/workshop/pdf/15.pdf