The strategy between the Software Vendor and the Software User is displayed in
Fig. 1. In this, the numerical representations represent the payoff figures for the
specific case (the software market) and the generalized relations take the form:
$$A > C \geq D > B, \qquad W > X \geq Z > Y \tag{7}$$
The outcomes are not definitive statements of what will be produced. In this game,
the “Stag” is a desire to “Create Secure Software” and the “Hare” the fallback to
adding more features. A desire is not a case of creating fewer bugs by itself, but
rather a combination of adding controls and testing to software. Such an example
would be the addition of the XP to Windows XP SP2 by Microsoft. Additional testing
is effective to a point and more can be done than is occurring at present.
The payoffs for creating more secure software are great for both the vendor and the
user, but the risk of a misaligned strategy leads to the sub-optimal equilibria. What is
needed is a signaling process. A signal will allow the players to align to the more
optimal strategy. It is not only in the user's interest to have more secure software; it
is also in the interest of the vendor. Patching is expensive and the vendor can
reasonably charge more for secure software.
As the ratio between the payoff for stag hunting and the payoff for hare hunting is
reduced, the incentive to move towards stag hunting decreases. As a result, it
becomes less likely that software security will be made into a primary goal of either
party. As such, where the introduction of features and the “new killer app” occurs
more frequently, software security lags and it becomes more likely that a change from
a stag hunting equilibrium to a hare hunting equilibrium will occur. It is hence less
probable that the players' strategy will alter from hare to stag.
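The effect of a shrinking stag-to-hare payoff ratio can be checked numerically. The Python sketch below is an added example, not part of the original text: it finds the pure equilibria of a vendor/user game that satisfies relation (7) and computes how strongly each player must believe the other will hunt stag before stag becomes the best reply. Fig. 1 is not reproduced on this page, so the assignment of A, B, C, D and W, X, Z, Y to cells and all numeric payoffs are constructed assumptions.

```python
from fractions import Fraction

MOVES = ("Stag", "Hare")  # Stag = create secure software, Hare = add features

def threshold(both_stag, stag_alone, hare_vs_stag, both_hare):
    """Belief that the other player hunts stag above which stag is the best reply."""
    # Ordering from relation (7): A > C >= D > B (vendor), W > X >= Z > Y (user).
    if not both_stag > hare_vs_stag >= both_hare > stag_alone:
        raise ValueError("payoffs do not satisfy the stag hunt ordering")
    # Indifference: p*both_stag + (1-p)*stag_alone == p*hare_vs_stag + (1-p)*both_hare
    risk = both_hare - stag_alone      # lost by hunting stag alone
    gain = both_stag - hare_vs_stag    # gained by joining a stag hunt
    return Fraction(risk, gain + risk)  # integer payoffs assumed

def pure_equilibria(vendor, user):
    """Cells (vendor_move, user_move) where neither player gains by deviating."""
    found = []
    for v in MOVES:
        for u in MOVES:
            vendor_ok = all(vendor[(v, u)] >= vendor[(alt, u)] for alt in MOVES)
            user_ok = all(user[(v, u)] >= user[(v, alt)] for alt in MOVES)
            if vendor_ok and user_ok:
                found.append((v, u))
    return found

def build_game(A, B, C, D, W, X, Z, Y):
    """Payoff tables keyed by (vendor_move, user_move); cell assignment is assumed."""
    vendor = {("Stag", "Stag"): A, ("Stag", "Hare"): B,
              ("Hare", "Stag"): C, ("Hare", "Hare"): D}
    user = {("Stag", "Stag"): W, ("Stag", "Hare"): X,
            ("Hare", "Stag"): Y, ("Hare", "Hare"): Z}
    return vendor, user

def sweep_stag_payoff(values, B=0, C=4, D=3):
    """Vendor threshold as the joint-stag payoff A shrinks (constructed numbers)."""
    return [(A, threshold(A, B, C, D)) for A in values]

if __name__ == "__main__":
    vendor, user = build_game(A=10, B=0, C=4, D=3, W=8, X=5, Z=4, Y=1)
    print(pure_equilibria(vendor, user))
    for A, p in sweep_stag_payoff([10, 6, 5]):
        print(f"A={A}: vendor needs P(user plays Stag) >= {p}")
```

With the hare payoffs held fixed, lowering the joint stag payoff raises the belief the vendor needs before committing to security, which is the drift towards the hare equilibrium described above.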
Since neither player has an incentive to deviate, this probability distribution over
the strategies is known as a correlated equilibrium of the game. Notably, the expected
payoff for this equilibrium is 7(1/3) + 2(1/3) + 6(1/3) = 5, which is higher than the
expected payoff of the mixed strategy Nash equilibrium.
3 Assessing Economic Value of Security
Being a relative function, not only does the profitability of an individual class (be that
organization, group or nation) factor into the calculation of security risk, but the
relation to a class's neighbors also needs to be measured.
The cost function is in the criminal's favor without additional input from the
consumer. There is no impetus for the bank to move to a more secure (and also more
costly) means of protecting consumers when the criminal can still gain access to the
consumer's system. One part of the problem is the regulations that plague banking. The
requirement to authenticate customers when calling for their privacy makes it simple for
a criminal to pose as the bank and obtain the information. So even if a more secure
means is selected, it is trivial to bypass many controls using social engineering and
other less technical methods.