Schneier has a very interesting post on Information Security and Externalities.  Below is the highlight of the article:

"The software vendors have little economic incentive to churn out a secure product in the current marketplace. Holding a software vendor liable (to an extent) for not making a secure product can not only force the software vendor to fix the problem but also provide an economic incentive for the software vendor to make a secure product."

I agree with Schneier's view of holding vendors liable for insecure software, but I believe that enacting such laws will be a pipe dream. The big software vendors' lobby will always prevail. Moreover, such laws can tilt the software playing field in favor of big software companies.

One of the ways is for customers to start demanding secure products, which may be a possibility, but customers may have been locked into certain vendors for a multitude of other reasons, which Schneier addresses. The bottom line is that customers are not in a position of power to make such demands.

"Any fractional incremental effort by a software vendor to make the product secure is worth the effort since it can make a significant reduction in the cost of ownership for the customer."

Below is a mathematical representation (not the basis!) for the above statement for the curious:

Price = Initial Purchase Price of the Product $

Life = Life Cycle Cost of the Product $ = Y*Price (expressed as a multiple of Price)

TCO = Total Cost of Ownership

TCO = Price + Life = Price + Y*Price ---> Equation 1

Assume that to develop a secure product the vendor has to spend twice as much (that's probably the worst-case impact on the cost structure), and let's assume that the vendor passes all of the cost on to the customers by doubling the price.

TCO (secure) = 2*Price + x*(Y*Price) ---> Equation 2

Where "x" is the cost reduction factor due to security.

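If TCO (secure) should be less than or equal to TCO, then Equation 2 <= Equation 1, i.e. 2*Price + x*(Y*Price) <= Price + Y*Price. Dividing by Price and rearranging gives: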

Y(1-x)>=1

Y >= 1/(1-x)

[ x = 0 => Y >= 1, TCO >= 2*Price ]

[ x = 0.9 => Y >= 10, TCO >= 11*Price ]

A change of variable x from 0 to 0.9 results in a corresponding change in TCO from 2*Price to 11*Price.