Pre-publication: The economics of security issues in the software service business - a literature review
From Software Business Community
Authors
Purpose
Intended as a contribution to the Service Engineering and Management summer school 2008 - SEM2008 [1]
Abstract or summary
The purpose of security in software is to assure the confidentiality, integrity and availability of data. As our dependence on software services in everyday life and business has grown over the years, so have companies’ expenditures on security [1].
While a great deal of research has addressed how security can be managed from a technological side, far less work has addressed the economic perspective of security, or insecurity, in the software service business. This work set out to conduct a literature review of the current state of research in this area, focusing on 1.) the alleged causes of insecurity in software products, 2.) the possible economic effects on companies’ performance on the market and 3.) how these effects can be managed using economics-based formal models.
The main findings in the literature were 1.) clear indicators of a causal dependency between market incentives to produce secure software and software quality, 2.) a monetary connection between software security and companies’ value on the market and 3.) that the available economics-based security management models suffer from a.) the heterogeneity of the data they have to process and b.) a lack of empirical data to fill the variables in their calculations.
1. Introduction
The purpose of security in software services is to assure the confidentiality, integrity and availability of data [3]. As our dependence on software services in everyday life and business has grown over the years, so have, according to a global study by Larsen [4], companies’ expenditures on security measures. While a great deal of research has since addressed how security can be managed from a technological side, only a few authors, such as Anderson2001 [5], Telang2004 [6], Wattal2004 [7] and Gordon and Loeb [8], have addressed the economic perspective of security or insecurity in the software service business. This work conducted a literature review of the current state of research on the economic perspectives of security in software services, focusing on three major research questions: 1.) What are the alleged causes of insecurity in software products? 2.) What are the possible economic effects of security problems in the software service business on the individual company and on the market as a whole? 3.) What formal models are available to manage security from an economic perspective?
2. Alleged causes of insecurity in software products
A software service is considered insecure when it suffers from a defect which makes it vulnerable to a threat that can cause it to act outside its specified parameters [9]. As Cusumano2004 [10] notes about the quality of software, “software is a uniquely complex product that will probably have some defects.” Since software is hardly ever defect-free, most software and its services can be considered insecure to a certain, although sometimes exceptionally small, extent. But why has competition on the market not yet eliminated insecurity in software services? Anderson and Moore [11] explain: insecure software survives on the market because “most users cannot distinguish it from secure software”; thus developers and vendors have no economic incentive to invest in software quality, and hence security, as long as it remains invisible to the buyer. George Akerlof (1970) [12] described this quality-uncertainty problem with a graphic analogy of asymmetric information between buyers and sellers: on a market, two types of used cars are sold. Some are in good condition and worth 3,000 USD; they are referred to as “plums”. Others are in bad condition, worth 1,000 USD and referred to as “lemons”. Buyers do not know the condition of a car before they buy it, so the initial equilibrium price will settle at 2,000 USD. However, at that price, owners of good cars will no longer sell theirs, and only lemons for 1,000 USD will remain on the market. In the software service market it is not only about quality, it is also about time-to-market. Arora1994 [13] expressed the need for timely development with “I’d rather have it wrong than have it late”. Thus, insecurity in software services can be described as a result of information asymmetry between buyers and sellers, leading to misaligned incentives towards producing insecure products.
3. Possible economic effects of security issues in software
Software service insecurity was identified as a result of misaligned incentives, leading to defects. Although software defects and security issues are not the same, they are used interchangeably in the following context because of their direct causal relationship. Early work by Davidson and Worrell 1992 [ ] and Jarrell1985 [ ] found that announcements of product defects are followed by a loss in market value for a company. However, Telang and Wattal2004 [4] argue that software does not necessarily follow that rule, because most end-user license agreements (EULAs) protect vendors from legal liability for software defects. (Although limited liability can protect vendors from certain economic consequences, it also represents yet another misaligned incentive to produce insecure services, as Anderson and Moore [7] note: “Systems are particularly prone to failure when the person guarding them is not the person who suffers when they fail.”)
To analyze the actual economic impact on companies’ market value, Telang2004 [4], Campbell2003 [ ], Cavusoglu2004 [ ], Jarrell1985 [ ] and Davidson1992 [10] measure the cumulated abnormal return (CAR) of companies’ stock prices. The abnormal return is the difference between a share’s actual return and its normal return, as defined by a reference benchmark such as a market index or the share price of a close competitor; the CAR sums these abnormal returns over the days around the announcement. Telang2004 compared five studies on the impact of announced security problems on companies’ value and found CAR to range from -0.63% to -2.1%.
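As an added illustration of the event-study measure described above (this code is not from the page's own sources or any of the reviewed studies), the following Python computes the abnormal return and the CAR over an event window for a constructed series of daily returns. It goes slightly beyond the text's benchmark definition by also fitting a market-model alpha and beta on a pre-event estimation window; the return series, the announcement day and the estimation window length are all assumptions made up for the example.

```python
"""Event-study computation of cumulated abnormal returns (CAR).

Constructed example: daily returns of a hypothetical software vendor and
of a market index around an announcement day.  All figures are made up for
illustration and are not taken from any of the reviewed studies.
"""

# Constructed daily returns (fractions, not percent).  Index 6 is the day the
# security problem is announced; days 0-5 serve as the estimation window.
BENCH = [0.004, -0.002, 0.003, 0.001, -0.001, 0.002,  0.000, -0.003, 0.002, 0.001]
FIRM  = [0.005, -0.001, 0.004, 0.002,  0.000, 0.003, -0.015, -0.008, 0.003, 0.002]
EVENT_DAY = 6


def daily_returns(prices):
    """Turn a price series into simple daily returns: p_t / p_{t-1} - 1."""
    return [p1 / p0 - 1.0 for p0, p1 in zip(prices, prices[1:])]


def market_model_params(firm, bench):
    """Ordinary least squares of firm returns on benchmark returns over an
    estimation window: r_t = alpha + beta * b_t + noise.  Returns (alpha, beta).
    alpha = 0 and beta = 1 reduce the model to the plain market-adjusted
    benchmark the text describes."""
    n = len(firm)
    mean_r = sum(firm) / n
    mean_b = sum(bench) / n
    cov = sum((r - mean_r) * (b - mean_b) for r, b in zip(firm, bench))
    var = sum((b - mean_b) ** 2 for b in bench)
    beta = cov / var
    alpha = mean_r - beta * mean_b
    return alpha, beta


def abnormal_return(r_t, b_t, alpha=0.0, beta=1.0):
    """Abnormal return = actual return - normal return, where the normal
    return is what the benchmark predicts for that day."""
    return r_t - (alpha + beta * b_t)


def cumulated_abnormal_return(firm, bench, event_day, window=(0, 1),
                              alpha=0.0, beta=1.0):
    """Sum the abnormal returns over the event window, given as day offsets
    relative to the announcement day (inclusive); (0, 1) means the
    announcement day and the following trading day."""
    start, end = event_day + window[0], event_day + window[1]
    if start < 0 or end >= len(firm):
        raise ValueError("event window falls outside the return series")
    return sum(abnormal_return(firm[t], bench[t], alpha, beta)
               for t in range(start, end + 1))


def event_study(firm, bench, event_day, estimation_days=6, window=(0, 1)):
    """Run both variants: market-adjusted (benchmark used as-is) and
    market-model (alpha/beta fitted on the pre-event estimation window)."""
    alpha, beta = market_model_params(firm[:estimation_days], bench[:estimation_days])
    return {
        "car_market_adjusted": cumulated_abnormal_return(firm, bench, event_day, window),
        "car_market_model": cumulated_abnormal_return(firm, bench, event_day, window, alpha, beta),
        "alpha": alpha,
        "beta": beta,
    }


if __name__ == "__main__":
    for key, value in event_study(FIRM, BENCH, EVENT_DAY).items():
        print(f"{key:>20}: {value:+.4f}")
```

With the constructed data the market-adjusted CAR over the two-day window is -2.0% and the market-model CAR is -2.2%; the difference comes entirely from the alpha fitted on the estimation window, which is why studies state which normal-return model they used.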
Aside from losses on the stock market, faulty software also causes extensive after-market costs. Westland2003 [ ] described that repairing software defects becomes substantially more costly after the product has been shipped, and a 2002 study by the National Institute of Standards and Technology (NIST) [ ] quantifies these costs at 60 billion annually for the US alone.
Even though the literature’s results are somewhat inconclusive on the actual extent of the impact of insecurity or defects in products on company value, they all point in the same direction: defects that lead to insecurity imply a significant loss of value on the stock market and large after-market costs for product patching and repairs.
4. Managing security risks in software services
The purpose of security management is to determine an efficient way, and ultimately the optimal amount of resources, to invest in securing a given asset. The risk management literature offers a variety of models such as ITIL [ ], COBIT [ ] and ISO 17799 [ ] that are applicable to software services; however, in the scope of this work we excluded qualitative approaches and focused on a selected number of quantitative models:
Boehm and DeMarco [ ] describe the foundation of the selected models by defining risk as the product of the probability of the potential loss and the size of the loss:
Risk Exposure = Prob(Loss) × Size(Loss)
This concept is also known as Average Loss Expectancy (ALE) and is widely used in formal models such as Neubauer2005 [ ] to determine the optimal amount of investment in security. At an exemplary probability of 0.02 per year with an associated loss of 1 million USD, the ALE, and thus the equivalent security investment, would be 20,000 USD. Notably, a model proposed by Gordon and Loeb [5] disagrees with calculating the optimal investment through the ALE alone: using an approach based on the marginal benefits of additional security investment, they find the optimal amount to be only 37% of the ALE. However, regardless of the model used, Neubauer2005 and Gordon both state that the heterogeneity of companies and their software makes generalization difficult, and that using company-specific data allows for more accurate results. (Other approaches not discussed here for scope reasons were presented by Shuping2007 [ ] and Al-Humaigani2003 [ ].)
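To make the two investment rules in this paragraph concrete, the following Python is an added example (not taken from Neubauer2005 or from Gordon and Loeb's own material) that computes the ALE with the paragraph's figures (0.02 per year, 1 million USD) and then the marginal-benefit optimum using the class-I breach-probability function from Gordon and Loeb (2002). The productivity parameters alpha and beta are assumptions chosen for the illustration; the comparison with the 1/e ≈ 37% bound of the ALE shows how far below the ALE the optimum can fall for a given asset, and that spending the full ALE can have a negative expected net benefit under this model.

```python
"""ALE-based versus marginal-benefit-based security investment.

Added illustration; the parameters used below are assumptions, not values
from the reviewed papers.  The breach-probability function is the class-I
function from Gordon and Loeb (2002): S(z, v) = v / (alpha*z + 1)**beta,
where z is the investment, v the loss probability with no investment, and
alpha, beta describe how productive each unit of investment is.
"""
import math


def average_loss_expectancy(prob_loss, size_loss):
    """Risk Exposure = Prob(Loss) x Size(Loss), the ALE of the text."""
    return prob_loss * size_loss


def breach_probability(z, v, alpha, beta):
    """Probability of the loss after investing z (Gordon-Loeb class I)."""
    return v / (alpha * z + 1.0) ** beta


def expected_net_benefit(z, v, loss, alpha, beta):
    """ENBIS(z) = [v - S(z, v)] * L - z: expected loss avoided minus the
    money spent on security."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v, loss, alpha, beta):
    """Solve dENBIS/dz = 0 in closed form:
       v*alpha*beta*L / (alpha*z + 1)**(beta+1) = 1
    => z* = ((v*alpha*beta*L)**(1/(beta+1)) - 1) / alpha,
    floored at zero (if the first unit of money is not worth spending,
    the optimum is to invest nothing)."""
    z = ((v * alpha * beta * loss) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(z, 0.0)


def gordon_loeb_upper_bound(ale):
    """Gordon and Loeb show z* never exceeds ALE / e, i.e. about 37% of it."""
    return ale / math.e


def compare(v, loss, alpha, beta):
    """Put the plain ALE rule and the marginal-benefit optimum side by side."""
    ale = average_loss_expectancy(v, loss)
    z_star = optimal_investment(v, loss, alpha, beta)
    return {
        "ale": ale,
        "net_benefit_if_spending_ale": expected_net_benefit(ale, v, loss, alpha, beta),
        "optimal_investment": z_star,
        "share_of_ale": z_star / ale,
        "net_benefit_at_optimum": expected_net_benefit(z_star, v, loss, alpha, beta),
        "upper_bound": gordon_loeb_upper_bound(ale),
    }


if __name__ == "__main__":
    # Figures from the text: 0.02 per year, 1 million USD loss -> ALE 20,000 USD.
    # alpha and beta are assumed productivity parameters, not from the text.
    for key, value in compare(0.02, 1_000_000, alpha=1e-4, beta=1.0).items():
        print(f"{key:>28}: {value:,.2f}")
```

With alpha = 1e-4 and beta = 1 the optimum is about 4,142 USD, roughly 21% of the 20,000 USD ALE and well under the 1/e bound of about 7,358 USD, while spending the whole ALE would leave an expected net benefit of about -6,667 USD; changing alpha or beta moves the optimum, which is exactly the company-specific data the paragraph says the models depend on.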
Ozment2004 [ ] described a new form of externalizing the measurement of security through the use of “vulnerability markets”, where security flaws can be openly traded. Companies like Tipping Point have created such markets and made it their business model to resell discovered security vulnerabilities to the affected software or service vendor. Anderson2004 and Böhme2005 [ ] suggest that the market price for vulnerabilities can further be used to enable hedging or insurance practices that could cover the direct and indirect costs of security issues.
All reviewed models showed that the key to managing security issues in software services is being able to quantify the risk at hand. However, it is disputed whether the optimal quantification can be provided by formal methods or by market forces.
5. Conclusion and future work
The examined literature presented clear indicators of a causal dependency between market incentives and the production of secure software services. Authors agree that security needs to be visible as a quality feature to the customer in order to give vendors the economic incentive to produce higher-quality products. However, creating such visibility remains challenging.
A monetary connection between software security incidents and companies’ value on the market has been found by all the analyzed studies, although the actual strength of the connection remains unclear: scholars noted cumulated abnormal returns on share prices from -0.63% to -2.1% on the day security incidents were announced. One way to improve the quality of the analysis is to incorporate the heterogeneity of the assessed companies into the analysis models; however, this is considered future work. Raising awareness of the discovered negative effects of insecurity in the software service industry would certainly help to provide new, increased incentives for vendors to invest in higher-quality products.
Quantitative security management models from today’s risk management literature have advanced beyond the traditional calculation of average loss expectancies (ALE) and are now focusing on the marginal benefits of added security investments. Despite these advances, traditional as well as newer models face the common challenge of acquiring empirically validated data sources as a basis for their input variables. Future research would benefit from addressing this issue by investigating the models’ propositions in real-world studies. The literature survey made clear that the economics of security issues in software services is an interdisciplinary field of research, requiring the joint insight of economists, psychologists and sociologists as much as the core expertise of software engineers.
How this relates to software business
Literature
1. Akerlof, George 1970. “The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism”, Quarterly Journal of Economics, 84 (1970), pp. 488-500
2. Al-Humaigani, M., Dunn, D.B. 2003. “A model of return on investment for information systems security”, Proceedings of the 46th IEEE International Midwest Symposium on Circuits and Systems (MWSCAS '03), Volume 1, pp. 483-485
3. Anderson, R. 2001. “Why information security is hard - an economic perspective”, 17th Annual Computer Security Applications Conference (ACSAC 2001), Proceedings
4. Anderson and Moore 2006. “The Economics of Information Security”, Science 314 (5799), pp. 610-610
5. Ozment, Andy 2004. “Bug Auctions: Vulnerability Markets Reconsidered”, Third Workshop on the Economics of Information Security
6. Arora, A., Caulkins, J.P., Telang, R. 2004. “Provisions of Software Quality in the presence of Patching technology”, Carnegie Mellon University, working paper, 2004
7. Bacharach, Samuel B. 1989. “Organizational Theories: Some Criteria for Evaluation”, The Academy of Management Review, Vol. 14, No. 4, 1989, pp. 496-515
8. Baer, Walter S. and Parkinson, Andrew 2007. “Cyberinsurance in IT Security Management”, IEEE Security and Privacy, vol. 5, no. 3, pp. 50-56
9. Boehm, Barry W. and DeMarco, Tom 1997. “Software Risk Management”, IEEE Software, 1997
10. Böhme, R. 2005. “Cyber-Insurance Revisited”, Fourth Workshop on the Economics of Information Security, 2005, Harvard University. Available at http://infosecon.net/workshop/pdf/15.pdf
11. Bishop, Matt 2004. “Introduction to Computer Security”, Addison-Wesley Longman, Amsterdam
12. COBIT, Information Systems Audit and Control Association. Available online at www.isaca.org/COBIT, visited May 2007
13. Campbell, K., Gordon, L.A., Loeb, M.P. and Zhou, L. 2003. “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market”, Journal of Computer Security, 11(3), pp. 431-448
14. Cavusoglu, H., Mishra, B. and Raghunathan, S. 2004. “The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers”, International Journal of Electronic Commerce, 9(1), p. 69
15. Cusumano, M.A. 2004. “Who is liable for bugs and security flaws in software?”, Communications of the ACM, 47(3), pp. 25-27
16. Davidson and Worrell 1992. “The Effects of Product Recall Announcements on Shareholder Wealth”, Strategic Management Journal, 13(6), pp. 467-473
17. Gordon and Loeb 2002. “The economics of information security investment”, ACM Transactions on Information and System Security, 2002
18. Harrald, J.R., Schmitt, S.A., Shrestha, S. 2004. “The effect of computer virus occurrence and virus threat level on antivirus companies' financial performance”, IEEE International Engineering Management Conference 2004, Proceedings, Volume 2, 18-21, pp. 780-784
19. ISO/IEC Std. ISO 17799:2005, “Information Technology – Security Techniques – Code of Practice for Information Security Management”, ISO, 2005
20. ITIL, The Open Guide 2007. “ITIL Incident Management”. Available at www.itlibrary.org/index.php?page=Incident_Management, visited Oct. 07, 2008
21. Ishiguro, M., Tanaka, H., Matsuura, K., Murase, I. 2006. “The Effect of Information Security Incidents on Corporate Values in the Japanese Stock Market”, The Workshop on the Economics of Securing the Information Infrastructure (WESII) 2006
22. Jarrell and Peltzman 1985. “The Impact of Product Recalls on the Wealth of Sellers”, The Journal of Political Economy, 93(1), pp. 512-536
23. Li, Jingyue and Su, Xiaomeng 2007. “Making Cost Effective Security Decision with Real Option Thinking”, International Conference on Software Engineering Advances (ICSEA 2007)
24. Kesan, J.P., Majuca, R.P. and Yurcik, W. 2005. “Cyberinsurance As a Market-Based Solution to the Problem of Cyber Security — A Case Study”, Workshop on Economics and Information Security (WEIS 2005)
25. Kitchenham, Barbara 2004. “Procedures for Performing Systematic Reviews”, Keele University, UK, Technical Report TR/SE-0401, ISSN 1353-7776
26. Larsen, A. 1999. “Global security survey: Virus attack”. Available at http://Informationweek.com/743/security.htm
27. NIST Report 2002. “The economic impacts of inadequate infrastructure for software testing”, National Institute of Standards and Technology (NIST), Gaithersburg, MD
28. Neubauer, Klemen, Biffl 2005. “Business Process-based Valuation of IT-Security”, Proceedings of the seventh international workshop on Economics-driven software engineering research (EDSER 05)
29. Perrine, Tom and Singer, Abe 2001. “New Paradigms in Incident Management”, Proceedings of the 2000 workshop on New Security Paradigms, pp. 133-138
30. Pyzdek 2003. “The Six Sigma Handbook - A complete guide for green belts, black belts and managers at all levels”, McGraw-Hill Professional, ISBN 0071410155
31. Saleh, Mohammad Saad, Abdullah Alrabiah, Saad Haj Bakry 2007. “Using ISO 17799:2005 information security management: a STOPE view with six sigma approach”, International Journal of Network Management, Volume 17, Issue 1
32. Schneier, Bruce 2008. “Schneier on Security”, Wiley 2008, ISBN-10 0470395354. Section available online at http://www.schneier.com/blog/archives/2008/09/security_roi_1.html, visited October 21st, 2008
33. Shuping, Wan 2007. “Optimal Security Investment Under Tax and Transaction Cost”, Chinese Control Conference 2007 (CCC)
34. Telang, R. and Wattal, S. 2007. “An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price”, IEEE Transactions on Software Engineering
35. U.S. National Institute of Standards and Technology: National Vulnerability Database (NVD). Available online at http://nvd.nist.gov/, visited Oct. 21st, 2008
36. Westland, J.C. 2003. “The Cost Behavior of Software Defects”, Decision Sciences, 37, pp. 229-238
References
- ↑ Larsen, A. 1999. Global security survey: Virus attack. http://Informationweek.com/743/security.htm
- ↑ Larsen, A. 1999. Global security survey: Virus attack. http://Informationweek.com/743/security.htm
- ↑ Insert Schneier
- ↑ Larsen, A. 1999. Global security survey: Virus attack. http://Informationweek.com/743/security.htm
- ↑ Anderson, R. 2001, Why information security is hard - an economic perspective.
- ↑ Telang, Impact of Vuln. Announcements
- ↑ Telang, Impact of Vuln. Announcements
- ↑ The economics of information security investment, 2002, ACM Transactions on Information and System Security
- ↑ Cite Schneier - Introduction to computer sec.
- ↑ Cusumano, MA(2004), “Who is liable for bugs and security flaws in software?” Communications of the ACM, 47(3), 25-27
- ↑ Anderson and Moore 2006, “The Economics of Information Security”, Science 314 (5799), pp. 610-610
- ↑ Akerlof, George 1970. “The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism”, Quarterly Journal of Economics, 84, p. 488
- ↑ Arora A., Caulkins, J.P., R. Telang: Provisions of Software Quality in the presence of Patching technology, Carnegie Mellon University, working paper, 2004
Link
- Service Engineering and Management summer school 2008 - SEM2008