The Law and Economics of Software Security
Hahn, Robert W., Layne-Farrar, Anne, Harvard Journal of Law & Public Policy
INTRODUCTION
I. AN OVERVIEW OF SOFTWARE SECURITY
A. What is Software System Security?
1. Types and Methods of Attack
2. Types of Damage
B. Identifying Cyber-Criminals and Their Motivations
II. THE ECONOMICS OF SOFTWARE SYSTEM SECURITY
A. A Framework for Evaluating Software System Security
B. The Economic Costs and Damages Involved
1. Measuring the Loss
2. Measuring Prevention Efforts
C. The Underlying Market Failures
1. Key Market Failures
2. Are the Market Failures Significant?
III. THE LAW OF SOFTWARE SYSTEM SECURITY
A. Assigning Liability
B. Recent Software System Security Legislation
IV. THE FUTURE OF SOFTWARE SYSTEM SECURITY
A. Regulating Software Developers
B. Regulating Software Users
C. Regulating Cyber Weapons
D. Government Leading by Example
E. Voluntary Corporate Actions
F. Cyber Insurance
V. CONCLUSION
Security in software networks relies on a complex mixture of technology, law, and economics. The considerable press surrounding security issues, the spread of worms and viruses on the internet, the possible link between identity theft and terrorism, and the penetration of online financial databases all attest to the subject's growing significance.
As the costs of software security breaches become more apparent, there has been a greater interest in developing and implementing solutions for different aspects of the problem. For example, the information technology community is prodigiously developing new fixes, ranging from gate-keeper protections to procedures for constructing more secure software. Increasingly, the federal government is paying more attention to this issue, particularly in the realm of online terrorism. (1) Additionally, there are numerous pending bills that would increase penalties for different kinds of cyber crime. (2)
Scholars address the software security problem from several different angles. (3) Most research in this area, however, focuses on discrete elements of the problem. Some scholars selectively focus on technical fixes that could help alleviate the problem, (4) whereas others examine the underlying institutions and incentives that shape consumer, business, and government responses. For example, Professor Randal Picker considers the issue from a structural point of view, asking whether a technological "monoculture" really weakens security. (5) He concludes that the security offered by having different technological platforms is not necessarily greater; indeed, sometimes a diversity of platforms can create serious problems of its own. (6) In contrast, Douglas Barnes examines how policymakers could reduce the prevalence of viruses and worms by "deworming" the internet. (7) He suggests assigning some liability to both software developers and software users. (8) Finally, Kevin Pinkney analyzes how to overcome what he views as software developers' failure to provide secure code. (9) He too would assign some liability to developers but would allow ex post corrections to mitigate that liability. (10)
Although most research in this area focuses on discrete elements, the security problems it deals with are not precisely defined, and researchers assume the problems are already well understood. (11) Similarly, many articles presume that the particular issue they address is a serious problem in economic terms without specifically considering the total quantitative losses in more than a few incidents.
This Article seeks to address these gaps by presenting a comprehensive assessment of the software security issue using a law and economics framework. We begin by providing a definition of software security that illustrates the complexity of the problem. We then review and critique the literature that assesses the costs of software security. Finally, we evaluate a number of possible approaches for addressing security problems using a law and economics framework. …