Vulnerability Dynamics: A Model-Based Case Study about the Interactions between Pressure in Agile Secure Software Development, Software Vulnerabilities, Adversarial Behaviour, and Attack Response. Trading Off Software Functionality and Software Security

To improve performance, organisations inside and outside the ICT sector buy, rent, borrow, and above all develop their own software solutions. At the same time, the growing number of software vulnerabilities makes software the prime vector for malicious cyber attacks, which disrupt business, cause disproportionate costs, and threaten the survival of organisations. Resources in software development are limited, so organisations must trade off software functionality, to cope with "time to market" pressure, against software security, to fend off potential cyber attacks. Although it is known that such trade-offs and the resulting stress cause defects which in turn lead to vulnerabilities, no research has been conducted on the interaction between pressure, software vulnerabilities, external cyber attacks, and organisational attack mitigation. This research, conducted as a model-based case study in a financial organisation in Europe, aimed to close that gap by investigating and explaining how the interaction between pressure in software development, software vulnerabilities, external cyber attacks, and organisational attack response influences the trade-off between software functionality and software security.

The research led to the following seven contributions. First, the study shed light on the interaction between pressure, software vulnerabilities, cyber attacks, and attack mitigation. Second, by explicitly connecting pressure, defects, and vulnerabilities, the study showed a potential pathway to successful cyber attacks. Third, the study explained the dilemma between fixing vulnerabilities fast, to avoid successful exploitation, and the problems that arise from the firefighting that fast problem solving entails. Fourth, the study described cyber adversaries as competitors, which creates the need to integrate business, ICT, and cyber security strategies. Fifth, addressing both vulnerabilities and attacks can give rise to a dual firefighting mechanism with two apparent performance optima and one actual, but lower, optimum. Sixth, investigating the interactions described above enhanced understanding of the trade-off between software functionality and software security, and showed that initial short-term gains may be lost to long-term insecurity. Finally, by generalising the outcomes of the research, the study provided testable propositions as a first step towards an explicit theory of the dynamics of vulnerabilities, reaching beyond the case of secure software development and cyber security.
Faculteit der Managementwetenschappen (Faculty of Management Sciences)