Responsibility for the Harm and Risk of Software Security Flaws

Cassio Goldschmidt (Symantec, Corp., USA), Melissa Dark (Purdue University, USA) and Hina Chaudhry (Purdue University, USA)
DOI: 10.4018/978-1-61692-245-0.ch006


Software vulnerabilities are a vexing problem for the state of information assurance and security. Who is responsible for the risk and harm of software security flaws is controversial. Deliberating that responsibility requires considering how incentives (and disincentives) and network effects shape the practices of vendors and adopters, and the consequent effects on the state of software security. This chapter looks at these factors in more detail in the context of private markets and public welfare.
Chapter Preview


One of the challenges in understanding who should ultimately be responsible for the harm and risk caused by security flaws is our lack of a full understanding of the nature of information technology risk. “As systems become more complex and interconnected, emergent behavior (i.e., unanticipated, complex behavior caused by unpredictable interactions between systems) of global systems exposes emergent vulnerabilities” (Computing Research Association, 2003, pg. 21). This complexity and emergence make risk assessment hard. Our existing mathematical/statistical risk models are based on independent failures, where “a component failure in one part of the system does not affect the failure of another similar component in another part of the system. This leads to especially beautiful and useful models of system failure that are effectively applied thousands of times a day by working engineers” (Computing Research Association, 2003, pg. 21). Unfortunately, these models are not transferrable to networked systems where failures are interdependent, not independent.

We need models that can account for dependencies between system components in a manner that sheds light on how the behaviors of system components interact to lead to system failure. Progress in interdependent risk measurement will enhance the effective management of investment. “Without an effective model, decision-makers will either over-invest in security measures that do not pay off or will under-invest and risk devastating consequences” (Computing Research Association, 2003, pg. 21). Interdependencies also pose considerable challenges when it comes to assigning liability, and formulating reasonable policy and associated compliance.
