$$C_{Tot} = \big[ P(x_{ai})\,D(x_{ai}) \big] + C_u + C_i \qquad (4)$$
The first order conditions are:
$$P'(x_{ai})\,D(x_{ai}) + 1 = 0 \qquad (5)$$

$$P(x_{ai})\,D'(x_{ai}) + 1 = 0 \qquad (6)$$
That is, the user should increase the expenditure on precaution (preventing a breach) until the last dollar spent on precaution by the user reduces the expected damage by $1. And the producer should increase the expenditure on reducing the possible damage in case of a breach until the last dollar spent on precaution by the producer reduces the expected damages by $1.

Clearly, the greater the likelihood of the user experiencing a breach, or the larger $P(x_{ai})$ is for the user, the greater the precaution that they should undertake. In the case of a producer who is a software vendor, they will (generally) sell their products to a wide range of users with varying levels of likelihood that each will experience a breach. That is, the software vendor is acting with imperfect information.
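The two first-order conditions, worked through numerically, as an added example that is not part of the paper. It assumes concrete functional forms the paper does not give: a breach probability that falls exponentially with the user's precaution spend $x$, and a damage-given-breach that falls exponentially with the producer's spend $y$ on limiting damage, so the two expenditures enter as separate arguments. The solver finds the spend at which the residual of (5) or (6) crosses zero, i.e. where the last dollar spent buys exactly $1 of expected-damage reduction, and returns the corner (spend nothing) when even the first dollar buys less than that.

```python
import math

# Added worked example; the functional forms below are assumptions chosen for
# illustration. The paper only requires P(.) and D(.) to be decreasing in the
# respective expenditure.

def breach_probability(x, p0=0.5, k=0.001):
    """Assumed P(x): breach probability falls exponentially with the user's
    precaution spend x (dollars). p0 is the probability at zero spend."""
    return p0 * math.exp(-k * x)

def damage_given_breach(y, d0=1_000_000.0, m=0.0005):
    """Assumed D(y): damage (dollars) if a breach occurs falls exponentially
    with the producer's spend y on limiting damage."""
    return d0 * math.exp(-m * y)

def total_cost(x, y, p0=0.5):
    """Equation (4): expected damage plus both parties' expenditures."""
    return breach_probability(x, p0) * damage_given_breach(y) + x + y

def _derivative(f, t, h=1e-3):
    """Central-difference derivative; ample accuracy for the smooth forms above."""
    return (f(t + h) - f(t - h)) / (2 * h)

def user_foc(x, y, p0=0.5):
    """Left-hand side of equation (5): P'(x) D(y) + 1. Negative means the next
    dollar of user precaution still cuts expected damage by more than $1."""
    dP = _derivative(lambda t: breach_probability(t, p0), x)
    return dP * damage_given_breach(y) + 1.0

def producer_foc(x, y, p0=0.5):
    """Left-hand side of equation (6): P(x) D'(y) + 1."""
    return breach_probability(x, p0) * _derivative(damage_given_breach, y) + 1.0

def solve_foc(residual, lo=0.0, hi=1e6, tol=1e-6):
    """Bisection on a first-order condition. Assumes the residual is increasing
    in the choice variable (convex expected cost), so it crosses zero at most
    once. If it is already non-negative at lo, the optimum is the corner lo."""
    if residual(lo) >= 0.0:
        return lo
    if residual(hi) <= 0.0:
        raise ValueError("no interior optimum in [lo, hi]")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if residual(mid) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

def optimal_user_precaution(y, p0=0.5):
    """User's best precaution spend x* given the producer's spend y."""
    return solve_foc(lambda x: user_foc(x, y, p0))

def optimal_producer_spend(x, p0=0.5):
    """Producer's best damage-limiting spend y* given the user's precaution x."""
    return solve_foc(lambda y: producer_foc(x, y, p0))

if __name__ == "__main__":
    x_star = optimal_user_precaution(0.0)
    gain = -_derivative(breach_probability, x_star) * damage_given_breach(0.0)
    print(f"user optimum with no producer spend: x* = ${x_star:,.0f}")
    print(f"expected damage cut by the last dollar at x*: ${gain:.3f}")
    print(f"total cost at x*: ${total_cost(x_star, 0.0):,.0f} "
          f"vs ${total_cost(0.0, 0.0):,.0f} at zero precaution")
```

With the assumed parameters the user's optimum sits near $6,215 of precaution, where the marginal reduction in expected damage is exactly one dollar per dollar; raising the baseline breach likelihood `p0` moves that optimum outwards, and a sufficiently small `p0` drives it to the corner, matching the paper's observation that the user with the larger $P(x_{ai})$ should take the greater precaution.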
The optimal amounts of precaution are the solutions to Equations (2) and (3) and are denoted by the expressions $C_u(\Omega_u)$ and $C_i(\Omega_i)$, where the total cost for all users is optimised at $\Omega$.
The marginal utility of security expenditure means that the value of each additional unit of security decreases the more we add. There is a reason for this. If we spend more than the value of the organisation's capital, it is simple to see that the producer will not survive long. It is more than this: we only need to reduce profitability for a producer to fail, not exhaust its capital.
The level of damages suffered by a user depends on both the pre-breach behaviour of the user and the vendor. The vendor is in a position where reputation impacts sales (demand) and hence the willingness to add layers of testing and additional controls (all of which increase the cost of the software). As the market for software varies in its elasticity [9] from the highly inelastic in small markets with few competitors (e.g. electricity markets) to highly elastic (e.g. operating systems), the user has the ability to best determine their needs. The user may select customised software with warranties designed to reduce the levels of breach that can occur. This comes with an increased cost.
Software vendors normally do not face strict liability for the damage associated with a breach due to a software vulnerability [4, 7]. Although negligence rules for software vendors have been called for [7], this creates a sub-optimal outcome. The user can: (1) select different products with an expectation of increased security [2]; (2) add external controls (through the introduction of external devices, creating additional controls, or using other software that enhances the ability of the primary product); and (3) increase monitoring for attacks that may be associated with the potentially vulnerable services, such as by the use of an IDS (Intrusion Detection System).