Security risks associated with software that communicates over networks have become an increasingly costly problem for consumers, firms, and governments. A key characteristic of any interconnected system (e.g., network software such as Apache HTTP server, the smart grid, and airline baggage operations) is that choices made in the design, deployment, and usage of these systems can have significant implications for security risk. Because these choices are often driven by economic tradeoffs, both firm and consumer incentives can be designed to encourage the development of systems that are less vulnerable. Further, due to the fact that seemingly disparate systems are connected through the network, security weaknesses in one system can rapidly cause major problems for another. Because of these negative externalities, governments may need to intervene through regulation or legislation to ensure the security of critical components of the public infrastructure (e.g., the Internet). This project develops a research framework to analyze the relationship between government policy, economic incentives of firms and consumers, and software security risks of networks. The goal of the project is to gain new insights into how the efforts of firms, consumers, and government can be coordinated to improve software security. To better understand this socio-technical problem, the research will generate formal economic theory to analyze the complex interactions between these entities, each of whom has varying economic incentives. Three important aspects of the software security landscape are studied: software liability, the impact of software deployment models, and open source software incentives for security. To clarify the interplay between public and private forces on security, this research program rigorously studies the role of government in setting policy on software liability, security investment, and technology-specific subsidization to help control software security risks. 
It will provide guidelines on how software liability should be employed in a context with security interdependence. Also, since design choices by software firms partially determine a given product's risk exposure to both directed and undirected security attacks, a modeling framework is built to examine how each type of attack distinctly influences software security in consideration of user behavior; the results have important implications for optimal software design. An important outcome of the work is to combine for the first time research on the economics of open source software with that on security risk, two significant streams of research in the literature. In this dimension, the project investigates whether open source software can lower security risks and lead to socially preferable outcomes.
By advancing one's understanding of how to manage software security risk, this project will have wide-ranging impacts. First, the results will provide guidance to policy makers on how to craft policies which account for firm and user behavior while mitigating the enormous social and economic losses from security attacks on software. Since software security is critical to national defense, one priority is to keep an open dialogue with appropriate government agencies on the project's outcomes. Second, this work can advise software firms on improved software design and on source code strategy to achieve greater security. Third, society can benefit substantially from improved software and reduced economic losses. By involving undergraduate and graduate students in the research process, the project will provide mentorship on economic modeling and quantitative analysis. As part of the educational activities, a case study that focuses on the interaction between open source incentives and security risk will be generated.
By integrating the research findings and the case study with IT curricula, the project will educate future business leaders on IT strategy and security.
August's research broadly spans information systems and operations management with current interests in the economics of network software, production and service management, pricing and policy associated with network goods, and the interaction of digital piracy and security risk. Currently, he is investigating the control of information security risk using economic incentives.
August has co-founded two information technology start-up companies and worked in research and development and operations for the Clorox Company. He has consulted for Honeywell, GlaxoSmithKline, Herbalife and Time Warner Cable.
He received a 2010 National Science Foundation CAREER award. It will provide $530,000 in research funding and was granted by the National Science Foundation (NSF) Directorate for Computer and Information Science and Engineering, under the Trustworthy Computing program.
August received his Ph.D. in the field of operations, information & technology from the Graduate School of Business at Stanford University in 2007.