CAREER: Control of Information Security Risk Using Economic Incentives

Grant
NSF CAREER Award CNS-0954234

Principal Investigator
Terrence August
Assistant Professor
Rady School of Management, University of California, San Diego

Security risks associated with software that communicates over networks have become an increasingly costly problem for consumers, firms, and governments. A key characteristic of any interconnected system (e.g., network software such as the Apache HTTP server, the smart grid, and airline baggage operations) is that choices made in the design, deployment, and usage of these systems can have significant implications for security risk. Because these choices are often driven by economic tradeoffs, both firm and consumer incentives can be designed to encourage the development of systems that are less vulnerable. Further, because seemingly disparate systems are connected through the network, security weaknesses in one system can rapidly cause major problems for another. Because of these negative externalities, governments may need to intervene through regulation or legislation to ensure the security of critical components of the public infrastructure (e.g., the Internet).

This project develops an understanding of the relationship between government policy, economic incentives of firms and consumers, and software security risks of networks by studying three important aspects: software liability, the impact of software deployment models, and open source software incentives for security. To clarify the interplay between public and private forces on security, we rigorously study the role of government in setting policy on software liability, security investment, and technology-specific subsidization to help control software security risks. Also, since design choices by software firms partially determine a given product's risk exposure to both directed and undirected security attacks, we build a framework to examine how each type of attack distinctly influences software security in consideration of user behavior; the results have important implications for optimal software design. Finally, we investigate whether open source software can lower security risks and lead to socially preferable outcomes.