By limiting the scope of the user's responsibility, the user's incentive to protect their systems is also limited [4]. That is, the user does not have the requisite incentive to take the optimal level of precautions. Most breaches are not related to zero-day attacks [3]. Where patches have been created for known vulnerabilities that could lead to a breach, users will act in the manner (rational behaviour) that they expect to minimise their costs [10]. Whether risk seeking or risk averse, the user aims to minimise the costs that they will experience. This leads to a wide range of behaviour: risk-averse users take additional precautions, while risk-neutral users may accept their risk by minimising their upfront costs, which can lead to a larger loss later.
In any event, the software vendor, even as the cause of a breach, is not liable for any consequential damages. This places the appropriate incentives on the user to mitigate the risk. At the same time, the vendor has an incentive to minimise the risk to their reputation. This was seen a number of years ago when the cost of bugs in Microsoft's software to the consumer was deemed to be exceedingly high. The vendor's response was to change their coding practices and significantly reduce the number of vulnerabilities in their released code.
A better game model for the software industry is the "Stag Hunt". This is based on Jean Jacques Rousseau's account of a co-operation strategy between two hunters [8]. These individuals can either jointly hunt a stag or individually hunt a hare (rabbit). The largest payoff is assigned to the capture of a stag, which provides a larger return than the hare. Hunting a stag is more demanding and requires mutual cooperation: if either player hunts a stag alone, the chance of success is negligible and the outcome sub-optimal. Hunting stags is most beneficial for society in that this activity creates the optimal returns. The problem with this game is that it requires a lot of trust among the players.
                                          Software User
                               Create Secure Software   Add Features
Software   Create Secure Software     10, 10 (A, W)       1, 7 (B, X)
Vendor     Add Features                7, 1 (C, Y)        5, 5 (D, Z)

Fig. 1. Software Markets as a "Stag Hunt"
This game has two pure-strategy equilibria, in which both players prefer the lower-risk equilibrium to the higher-payoff equilibrium. The higher-payoff equilibrium is both Pareto optimal and Hicks optimal, but the sub-optimal and hence inefficient equilibrium poses a lower risk to either player. Because the variance of a player's payoff across the other player's strategies is lower for the sub-optimal choice than for the optimal one, it is more likely that this option will be selected. Another way of stating this is that one equilibrium is payoff-dominant while the other is risk-dominant.
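The following is an added worked analysis of the Fig. 1 matrix, not code from the paper: it finds the pure-strategy equilibria, identifies the payoff-dominant one, applies the Harsanyi-Selten deviation-loss test for risk dominance, and reproduces the variance argument in the text. It assumes that the first number in each cell is the Software Vendor's (row player's) payoff and the second the Software User's.

```python
"""Analysis of the Fig. 1 'Stag Hunt' payoff matrix (added example, not from the paper)."""
from itertools import product
from statistics import pvariance

STRATEGIES = ("Create Secure Software", "Add Features")

# Payoffs from Fig. 1, keyed (vendor_strategy, user_strategy) -> (vendor, user).
# Assumption: the first number in each cell is the vendor's payoff (row player).
PAYOFFS = {
    (0, 0): (10, 10),  # A, W
    (0, 1): (1, 7),    # B, X
    (1, 0): (7, 1),    # C, Y
    (1, 1): (5, 5),    # D, Z
}


def pure_nash_equilibria(payoffs=PAYOFFS):
    """Cells where neither player gains by unilaterally switching strategy."""
    eqs = []
    for v, u in product(range(2), repeat=2):
        vendor_ok = payoffs[(v, u)][0] >= payoffs[(1 - v, u)][0]
        user_ok = payoffs[(v, u)][1] >= payoffs[(v, 1 - u)][1]
        if vendor_ok and user_ok:
            eqs.append((v, u))
    return eqs


def payoff_dominant(equilibria, payoffs=PAYOFFS):
    """Equilibrium giving both players at least as much as every other equilibrium."""
    for cand in equilibria:
        if all(payoffs[cand][i] >= payoffs[o][i] for o in equilibria for i in (0, 1)):
            return cand
    return None


def risk_dominant(payoffs=PAYOFFS):
    """Harsanyi-Selten: of the two coordination equilibria (s, s), the one with the
    larger product of the players' losses from unilateral deviation is risk-dominant."""
    def loss_product(s):
        o = 1 - s
        vendor_loss = payoffs[(s, s)][0] - payoffs[(o, s)][0]
        user_loss = payoffs[(s, s)][1] - payoffs[(s, o)][1]
        return vendor_loss * user_loss
    return (0, 0) if loss_product(0) > loss_product(1) else (1, 1)


def payoff_variance(player, strategy, payoffs=PAYOFFS):
    """Variance of one player's payoff for a fixed strategy over the opponent's choices
    (the text's argument: the lower-variance strategy is the one more likely chosen)."""
    vals = [payoffs[(strategy, u)][0] for u in range(2)] if player == 0 \
        else [payoffs[(v, strategy)][1] for v in range(2)]
    return pvariance(vals)
```

With the Fig. 1 numbers, (Create Secure, Create Secure) is payoff-dominant while (Add Features, Add Features) is risk-dominant, which is the split the paragraph above describes.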