Software security investment modelling for decision-support

While it is widely agreed that contemporary computer security is insufficient to meet the challenges faced, the remedies for its failures are far less obvious. Vast resources have been placed into technical solutions to little effect, prompting some to employ the constructs of economics to frame this problem as one to be 'managed', rather than 'solved'. However, to date economically-inspired decision support approaches have focused disproportionately on post-deployment security investment. With the preponderance of security issues stemming from the introduction of vulnerabilities during design and development, models that span the system development lifecycle are essential to efficiently address the root of many security issues. In addition, the need to impact system security at a fundamental level requires integration with existing security-development processes and standards. This dissertation presents an approach to secure software development that is derived from an economically-inspired understanding of security. After demonstrating how existing security guidance can give rise to inefficient decisions, models for security investment are developed that incorporate investments made in software security during system inception and development relative to those made during deployment and operations. By employing these models, conditions are identified whereby software security improves the return on (security) investment, and provide theoretical and empirical evidence to support the adoption of software security. This is followed by an exploration of how economic considerations can drive existing secure software engineering processes, culminating in a case study that illustrates the application of these principles to an ongoing system development effort.