Murphy's Law, the Fitness of Evolving Species, and the Limits of Software Reliability

by Robert M. Brady, Ross J. Anderson, Robin C. Ball

Results 1 - 10 of 14 citing documents

Why Information Security is Hard - An Economic Perspective

by Ross Anderson, 2001
Abstract - Cited by 139 (10 self)
According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.

Is finding security holes a good idea

by Eric Rescorla - IEEE Security & Privacy, 2005
Abstract - Cited by 46 (0 self)
A large amount of effort is expended every year on finding and patching security holes. The underlying rationale for this activity is that it increases welfare by decreasing the number of vulnerabilities available for discovery and exploitation by bad guys, thus reducing the total cost of intrusions. Given the amount of effort expended, we would expect to see noticeable results in terms of improved software quality. However, our investigation provides a mixed answer: the data does not allow us to exclude the possibility that the rate of vulnerability finding in any given piece of software is constant over long periods of time. If there is little or no quality improvement, then we have no reason to believe that the disclosure of vulnerabilities reduces the overall cost of intrusions.

Bug Auctions: Vulnerability Markets Reconsidered

by Andy Ozment - Third Workshop on the Economics of Information Security, 2004
Abstract - Cited by 30 (5 self)
Measuring software security is difficult and inexact; as a result, the market for secure software has been compared to a ‘market of lemons.’ Schechter has proposed a vulnerability market in which software producers offer a time-variable reward to free-market testers who identify vulnerabilities. This vulnerability market can be used to improve testing and to create a relative metric of product security. This paper argues that such a market can best be considered as an auction; auction theory is then used to tune the structure of this ‘bug auction ’ for efficiency and to better defend against attacks. The incentives for the software producer are also considered, and some fundamental problems with the concept are articulated.

Privacy Engineering for Digital Rights Management Systems

by Joan Feigenbaum, Michael J. Freedman, Tomas S, Adam Shostack - In Proceedings of the ACM Workshop on Security and Privacy in Digital Rights Management, 2001
Abstract - Cited by 23 (2 self)
Internet-based distribution of mass-market content provides great opportunities for producers, distributors, and consumers, but it may seriously threaten users’ privacy. Some of the paths to loss of privacy are quite familiar (e.g., mining of credit-card data), but some are new or much more serious than they were in

Security in Open versus Closed Systems - The Dance of Boltzmann, Coase and Moore

by Ross Anderson - In Conference on Open Source Software Economics, 2002
Abstract - Cited by 21 (2 self)
Some members of the open-source and free software community argue that their code is more secure, because vulnerabilities are easier for users to find and fix. Meanwhile the proprietary vendor community maintains that access to source code rather makes things easier for the attackers. In this paper, I argue that this is the wrong way to approach the interaction between security and the openness of design. I show first that under quite reasonable assumptions the security assurance problem scales in such a way that making it either easier, or harder, to find attacks, will help attackers and defendants equally. This model may help us focus on and understand those cases where some asymmetry is introduced. However, there...

How to Buy Better Testing - Using competition to get the most security and robustness for your dollar

by Stuart Schechter - in Lecture Notes in Computer Science, 2002
Abstract - Cited by 15 (4 self)
Without good testing, systems cannot be made secure or robust. Without metrics for the quality...

The likelihood of vulnerability rediscovery and the social utility of vulnerability hunting

by Andy Ozment - In: Workshop on the Economics of Information Security (2005)
Abstract - Cited by 11 (3 self)
The updated analysis shows that the depletion of vulnerabilities starts later in the lifecycle of OpenBSD and is less rapid than predicted in section 4. The updated analysis should thus be used in place of the results in section 4. Nonetheless, the overall conclusion, that the rate of vulnerability reporting in the legacy code base of OpenBSD is declining over time, remains the same. The data on vulnerability rediscovery presented in section 5 remains pertinent and is unique to this paper. This data is used to refute the assertion, made elsewhere, that vulnerability hunters are unlikely to discover the same vulnerability. Initial attempts to apply software reliability growth models to the process of vulnerability finding relied upon noisy data. Here, a more appropriate data collection process is discussed and employed to identify the age of vulnerabilities in OpenBSD 2.2. A number of models are tested against the data and two are found to have acceptable goodness-of-fit. These models indicate that the pool of vulnerabilities in the system is
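The Rescorla abstract above asks whether the rate at which vulnerabilities are found in a piece of software stays constant, and the Ozment abstract describes fitting software reliability growth models to vulnerability discovery times and checking their goodness-of-fit. The following is an added example, not code from either paper or from CiteSeerX: it applies the Laplace trend test to two constructed series of report times (one with reports thinning out, one roughly steady) and fits the Goel-Okumoto reliability growth model by maximum likelihood to estimate the total pool of vulnerabilities. The data, the `horizon` values and the function names are illustrative assumptions; the OpenBSD data set and the particular models the paper selected are not reproduced here.

```python
"""Vulnerability discovery data: trend test and reliability-growth fit.

Added example. The report times below are constructed for illustration;
they are not the OpenBSD data from Ozment's paper or any real product.
"""
import math
from typing import Optional, Sequence, Tuple

# Constructed sample: day (after release) on which each vulnerability was
# reported, observed up to day `horizon` (time-truncated data).
DECLINING_RATE = ([10, 25, 45, 70, 100, 140, 190, 250, 330, 430], 500)
STEADY_RATE = ([45, 100, 160, 205, 260, 320, 370, 415, 480, 525], 550)


def laplace_trend(times: Sequence[float], horizon: float) -> float:
    """Laplace trend statistic U for events observed on (0, horizon].

    Under a constant-rate (homogeneous Poisson) process U is approximately
    standard normal.  U well below -1.645 means reports cluster early, i.e.
    the discovery rate is falling (reliability growth).  |U| small means
    the data cannot rule out a constant rate, which is Rescorla's finding.
    """
    n = len(times)
    if n == 0 or horizon <= 0 or max(times) > horizon:
        raise ValueError("need events inside (0, horizon]")
    mean_time = sum(times) / n
    return (mean_time - horizon / 2) / (horizon * math.sqrt(1 / (12 * n)))


def fit_goel_okumoto(times: Sequence[float],
                     horizon: float) -> Optional[Tuple[float, float]]:
    """Maximum-likelihood fit of the Goel-Okumoto model m(t) = N(1 - e^{-bt}).

    Returns (N, b): N is the estimated total pool of vulnerabilities and b
    the per-vulnerability discovery rate.  For time-truncated data the MLE
    of b is the root of
        g(b) = n/b - sum(t_i) - n*T*e^{-bT} / (1 - e^{-bT}),
    with N = n / (1 - e^{-bT}).  Since g(0+) = n*(T/2 - mean(t)), a finite
    estimate exists only when reports cluster in the early part of the
    window; for data consistent with a constant rate the fit degenerates
    (N -> infinity), and None is returned instead of a meaningless pool size.
    """
    n = len(times)
    total = float(sum(times))

    def g(b: float) -> float:
        e = math.exp(-b * horizon)
        return n / b - total - n * horizon * e / (1 - e)

    lo, hi = 1e-6, 1.0
    if g(lo) <= 0:        # no reliability growth visible: model degenerates
        return None
    while g(hi) > 0:      # expand until the root is bracketed
        hi *= 2
    for _ in range(200):  # bisection; g is positive at lo, negative at hi
        mid = (lo + hi) / 2
        if g(mid) > 0:
            lo = mid
        else:
            hi = mid
    b = (lo + hi) / 2
    pool = n / (1 - math.exp(-b * horizon))
    return pool, b


def summarize(times: Sequence[float], horizon: float) -> str:
    """One-line verdict combining the trend test and the model fit."""
    u = laplace_trend(times, horizon)
    fit = fit_goel_okumoto(times, horizon)
    if fit is None:
        return (f"U={u:+.2f}: no significant decline; a constant discovery "
                f"rate cannot be excluded, so no finite pool estimate")
    pool, b = fit
    remaining = pool - len(times)
    return (f"U={u:+.2f}: discovery rate falling; Goel-Okumoto estimates a "
            f"pool of {pool:.1f} vulnerabilities (about {remaining:.1f} "
            f"undiscovered), b={b:.4f}/day")


if __name__ == "__main__":
    for label, (times, horizon) in (("declining", DECLINING_RATE),
                                     ("steady", STEADY_RATE)):
        print(f"{label:>9}: {summarize(times, horizon)}")
```

The trend test is the cheap first check: it needs only report dates and a cut-off, and a value near zero is exactly the "cannot exclude a constant rate" situation the Rescorla abstract describes. The model fit is only meaningful once the trend test shows reports thinning out; returning None in the other case avoids reporting a pool-size estimate the data cannot support, and a real analysis would follow the fit with the goodness-of-fit comparison across candidate models that the Ozment abstract mentions.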

Towards Better Definitions and Measures of Internet Security

by J. Aspnes, J. Feigenbaum, M. Mitzenmacher, D. Parkes - In Workshop on Large-Scale Network Security and Deployment Obstacles, 2003
Abstract - Cited by 6 (2 self)
Introduction The conventional wisdom is that "the Internet is very insecure." The subtitle of this workshop, namely "deployment obstacles," implies that network owners, operators, and users could have solved pervasive security problems if they had deployed existing security technology. Is there solid evidence that either of these statements is true? Clearly, there have been some well publicized Internet security problems (e.g., viruses and distributed denial-of-service attacks) during the past five years, and some loss by individuals and businesses is attributable to them. Does this mean that Internet insecurity is really a significant problem? Is it a more serious problem than it was, say, ten years ago, or is there simply more awareness of it now than there was then? What fraction of Internet activity or potential activity is disrupted or prevented because of actual or perceived insecurity? Is this fraction higher or lower than it was ten years ago? It is our thesis that better mo

Vulnerability Discovery & Software Security

by Andy Ozment, 2007
Abstract - Cited by 5 (1 self)
Abstract not found

Open and Closed Systems are Equivalent (that is, in an ideal world)

by Ross Anderson - in Perspectives on Free and Open Source Software, 2005
Abstract - Cited by 3 (1 self)
This paper gives a partial answer to that question. In a perfect world, and for systems large and complex enough for statistical methods to apply, the attack and the defence are helped equally. Whether systems are open or closed makes no difference in the long run