Securing cyberspace and national infrastructure has become a key priority for policy makers. Recognizing the fact that the software vendors are key to building and developing secure products, this CAREER project examines and quantifies vendors incentives to provide secure products. The PI is analyzing three major vendor incentives incentives to provide timely and reliable patches; cost of insecure products to vendors and hence their incentives to provide secure software and, incentives to adopt voluntary security assurance standards. The project is also exploring how market structure, the nature of competition and policy interventions affect these incentives. Vendors incentives to provide reliable patches provide key insights into how disclosure policies work and help industry and lawmakers develop optimal policies regarding vulnerability disclosure. By quantifying the cost of insecure products and value of security certification, this project provides insights to both vendors and policymakers in understanding whether voluntary certification works and how to speed up its diffusion. The PI is developing novel data sets, new empirical methodologies, and modeling techniques to provide actionable recommendations. The project will also have direct impact on the education of social science, economics and engineering students through course development at CMU. The PI has developed the course on Information Security and Risk Management and developing a new course on Economics of Information Security. This CAREER project is providing material for teaching modules, case studies and useful statistical exercises and illustrations on various policy and managerial aspects of Information security.
CAREER: Securing Cyberspace: The Role of Markets and Policy