To Strengthen Security, Change Developers' Incentives
March/April 2010 (vol. 8 no. 2)
pp. 79-82
J. Alex Halderman, University of Michigan
Many common software vulnerabilities are avoidable if software makers apply appropriate care, yet developers' incentives often lead them to underinvest in security. Profit-maximizing developers invest to the extent that strengthening security increases sales or reduces their liability, yet these incentives are undermined by the software market's structure. By understanding and reshaping such incentives, we can greatly improve security at comparatively low cost. The author argues for requiring increased transparency about security problems and development practices, which will help software buyers make better-informed purchases, and for holding developers liable for the costs of security failures caused by their products.

Index Terms:
security economics, developers' incentives, transparency, liability, security and privacy
Citation:
J. Alex Halderman, "To Strengthen Security, Change Developers' Incentives," IEEE Security & Privacy, vol. 8, no. 2, pp. 79-82, March-April 2010, doi:10.1109/MSP.2010.85