Vulnerability dynamics. A Model-Based Case Study about the Interactions between Pressure in Agile Secure Software Development, Software Vulnerabilities, Adversarial Behaviour, and Attack Response: Trading Off Software Functionality and Software Security
Issue Date
2017-08-30
Language
en
Abstract
To improve performance, organisations inside and outside the ICT sector buy, rent, borrow, and in particular develop their own software solutions. At the same time, growing numbers of software vulnerabilities make software the prime vector for malicious cyber attacks, which disrupt business, cause disproportionate costs, and threaten the survival of organisations. Resources in software development are limited, and organisations have to trade off software functionality, to cope with “time to market” pressure, against software security, to potentially fend off cyber attacks. Although it is known that trade-offs and the resulting stress cause defects which lead to vulnerabilities, no research has been conducted on the interaction between pressure, software vulnerabilities, external cyber attacks, and organisational attack mitigation. Hence, this research, conducted as a model-based case study in a financial organisation in Europe, aimed to close this gap by investigating and explaining how the interaction between pressure in software development, software vulnerabilities, external cyber attacks, and organisational attack response influences the trade-off between software functionality and software security. In the end, this research led to the following seven contributions. First, the study shed light on the interaction between pressure, software vulnerabilities, cyber attacks, and attack mitigation. Second, by explicitly connecting pressure, defects, and vulnerabilities, this study showed a potential pathway to successful cyber attacks. Third, this study explained the dilemma between fixing vulnerabilities fast to avoid successful exploitation and the potential problems arising from firefighting due to fast problem solving. Fourth, the study described cyber adversaries as competitors, which creates the need to integrate business, ICT, and cyber security strategies. Fifth, addressing both vulnerabilities and attacks leads to the potential of a dual firefighting mechanism with two apparent performance optima and one actual but lower one. Sixth, investigating the interactions described above enhanced understanding of the trade-off between software functionality and software security, and showed that initial short-term gains may be lost due to long-term insecurity. Finally, having generalised the outcomes of the research, this study provided testable propositions as a first step in building an explicit theory of the dynamics of vulnerabilities, going beyond the case of secure software development and cyber security.
Faculty
Faculteit der Managementwetenschappen