I have long been interested in the interaction between computer science and public policy. As a result of this interest, I used my Marshall Scholarship to take a one year sabbatical from computer science to earn an M.Sc. in international relations. Returning to computer security, I decided that my area of research should be both technical and policy driven. I came to the Computer Laboratory because my supervisor, Professor Ross Anderson, is renowned for both his traditional computer security research and for examining the interaction between economics and security. The focus of my current work is to improve the techniques available for measuring the security of software. This goal is tightly linked to the economic forces that shape the software industry; improved software security metrics could potentially revolutionize the market for commercial software by motivating vendors to increase the quality and security of their products.

The single most significant problem in computer security is the poor quality of commercial software: many simple programming errors result in security vulnerabilities. The effect of the resulting poor security is that home users must constantly patch their operating systems, businesses have their digital information stolen, and viruses wreak havoc among Internet users. The poor quality of software can be traced to two primary causes. The first is that software is constantly stretching the bounds of complexity. Humans struggle to ensure that a ten-thousand-word paper has no mistakes or awkward sentences; we are essentially incapable of ensuring that software composed of fifty million lines of programming language has no mistakes or design flaws.

However, even taking this inherent difficulty into account, most software contains security flaws that its creators were readily capable of preventing. The second cause of software insecurity is motivation: although vendors are capable of creating more secure software, the economics of the software industry provide them with little incentive. Consumers generally reward vendors for adding features and for being first to market. These two motivations are in direct tension with the goal of writing more secure software, which requires time-consuming testing and a focus on simplicity. Nonetheless, the problems of software insecurity, viruses, and worms are frequently in the headlines; why does the potential damage to vendors’ reputations not motivate them to invest in more secure software?

In fact, vendors’ lack of motivation is readily explained: the software market is a ‘market for lemons’ (Anderson 2001). In a Nobel prize-winning work, economist George Akerlof employed the used car market as a metaphor for a market with asymmetric information (Akerlof 1970). In his model, buyers cannot ascertain the quality of the used cars on the market, and as a result they are unwilling to pay a premium to obtain a higher quality car. After all, why pay more for quality when you are uncertain of obtaining it? Owners of high quality cars thus become unwilling to sell them, because they cannot obtain a reasonable premium.

The software market suffers from the same asymmetry of information. Vendors may have some intuition as to the security of their products, but buyers have no reason to trust the vendors’ assertions. Worse, even the vendor is unlikely to have a truly accurate picture of its software’s security. As a result, buyers have no reason to pay the premium required to obtain more secure software, and vendors are disinclined to invest in securing their products.

The goal of my research is to reduce the information asymmetry by improving the techniques available to measure the security of software. In my first six months of research, I utilized auction theory to explore market-based models. A vendor offers rewards for the discovery of vulnerabilities; it is thus able to establish a market price for vulnerabilities in both its own product and those of its competitors. This metric is useful because it quantifies the cost to an attacker of breaching an entity’s computer defenses.

I am currently trying to use engineering research on software quality to examine measures of software security and better understand software vulnerabilities. Software engineering has a long tradition of statistically modeling the quality of software as both a metric and a predictive tool. However, in software engineering the practitioners can usually collect data during the software development and testing process. Unfortunately, software security data is generally unavailable at that stage: instead, most software vulnerabilities are identified by users after the software is released. One of the primary challenges in my research has thus been to secure high quality data.

As a result, I am investing a significant amount of time in examining, one by one, the security vulnerabilities that have been found in OpenBSD. I have created a large database of vulnerability information and am now employing statistical modeling methods to calculate the estimated total number of vulnerabilities in the product. The models also provide interesting insight into other factors: the mean time until the next vulnerability is expected to be found, whether the number of vulnerabilities in the program is significantly decreasing, etc. I hope that the result will shed light on vulnerabilities in software and how software changes over time.
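As an added example (not code from this statement), the kind of model the paragraph above describes: a Goel-Okumoto reliability-growth fit, assumed here as a representative choice because the statement does not name its model, applied to constructed discovery dates for a hypothetical release. It reports the median rather than the mean waiting time to the next discovery, because under a finite-pool model the mean is unbounded.

```python
"""Goel-Okumoto fit for vulnerability discovery data (added illustration).

Model assumption: discoveries follow an NHPP with mean value function
m(t) = a * (1 - exp(-b t)); a is the total pool, b the discovery rate.
"""
import math
from typing import List, Optional, Tuple


def profile_score(times: List[float], horizon: float, b: float) -> float:
    """Derivative in b of the profile log-likelihood (a eliminated); its root is the MLE."""
    n, s = len(times), float(sum(times))
    x = b * horizon
    return n / b - s - n * horizon * math.exp(-x) / -math.expm1(-x)


def fit_goel_okumoto(times: List[float], horizon: float) -> Tuple[float, float]:
    """Maximum-likelihood (a, b) from discovery days within an observation window."""
    n, s = len(times), float(sum(times))
    if n == 0 or max(times) > horizon:
        raise ValueError("need at least one discovery, all inside the window")
    # The MLE exists only when discoveries are front-loaded (mean day < T/2);
    # otherwise the data show no decreasing discovery rate and b -> 0.
    if s >= n * horizon / 2.0:
        raise ValueError("discovery rate is not decreasing; model does not fit")
    lo, hi = 1e-9, 1.0                      # score is > 0 at lo, < 0 for large b
    while profile_score(times, horizon, hi) > 0.0:
        hi *= 2.0
    for _ in range(200):                    # bisection to machine precision
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if profile_score(times, horizon, mid) > 0.0 else (lo, mid)
    b = 0.5 * (lo + hi)
    a = n / -math.expm1(-b * horizon)       # a = n / (1 - exp(-bT))
    return a, b


def median_time_to_next(a: float, b: float, horizon: float) -> Optional[float]:
    """Days past the window end by which the next discovery has a 50% chance of
    having occurred, or None if fewer than ln 2 vulnerabilities are expected to
    remain (then there is an even chance no further vulnerability exists)."""
    remaining = a * math.exp(-b * horizon)  # expected undiscovered count
    if remaining <= math.log(2.0):
        return None
    return -math.log(1.0 - math.log(2.0) / remaining) / b


# Constructed discovery days for a hypothetical release watched for two years.
DISCOVERY_DAYS = [10, 25, 45, 70, 100, 135, 175, 220, 270, 325, 385, 450, 520, 595, 675]
WINDOW_DAYS = 730.0

if __name__ == "__main__":
    a, b = fit_goel_okumoto(DISCOVERY_DAYS, WINDOW_DAYS)
    print(f"total {a:.1f}, found {len(DISCOVERY_DAYS)}, remaining {a - len(DISCOVERY_DAYS):.1f}")
    print(f"median days to next discovery: {median_time_to_next(a, b, WINDOW_DAYS):.0f}")
```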

Measuring the security of software is a fascinating, and important, challenge. Improving the measurement of software security can reduce the asymmetry of information in the software market and counter the lemon effect. It is an important tool in the effort to increase the security of the systems upon which modern economies rely, and I hope that my contributions in this area will be of significant use to the field of computer security.

References

Ross Anderson. 2001. “Why Information Security is Hard – an Economics Perspective.” 17th Annual Computer Security Applications Conference. New Orleans, LA, USA. [pdf]

G. A. Akerlof. 1970. “The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism.” The Quarterly Journal of Economics. 84:488–500. [pdf]