Thursday, 7 January 2010

Software Security as a Stag Hunt

George Akerlof’s model, “A Market for Lemons”[1], which was designed for modelling quality uncertainty, has been proposed as a model for the software industry[2]. This model is based on information asymmetry and the presumption that the vendor has more knowledge of the product than the user. This is a fallacy in that the software vendor is incentivised to correct bugs as early in the process as is possible (the later a bug is discovered in the development process, the more it costs to fix). Hence, the vendor does not have more of an idea of the expectations of flaws than a knowledgeable user. Further, the user knows how they plan to deploy the software; the vendor does not have this information and may have little insight into what other interactions may occur.

The software game is also sequential with multiple iterations. The vendor wants to maintain a relationship with the user and as the software is used, it can be assessed against the assertions of the vendor. Further, the user can generally compare the past performance of the vendor.

A better model for the software industry is the “Stag Hunt”. This was based on Jean Jacques Rousseau’s postulations of a co-operation strategy between two hunters. These individuals can either jointly hunt a stag or individually hunt a rabbit. The largest payoff is assigned against the capture of a stag which provides a larger return than the hare. The hunting of a stag is more demanding and requires mutual cooperation. If either player hunts a stag alone, the chance of success is negligible and sub-optimal. Hunting stags is most beneficial for society in that this activity creates the optimal returns. The problem with this game is that it requires a lot of trust among the players.

This game has two pure-strategy equilibria in which both of the players prefer the lower-risk equilibrium to the higher-payoff equilibrium. The game is both Pareto optimal and Hicks optimal, but the sub-optimal and hence inefficient equilibrium poses a lower risk to either player. As the payoff variance over the other player's strategies is less than that of the optimal solution, it is more likely that this option will be selected. Another way of stating this is that one equilibrium is payoff-dominant while the other is risk-dominant.

Figure 1. Software Markets as a “Stag Hunt”

The strategy between the vendor and the Software User is displayed in Figure 1. In this, the numerical representations represent the payoff figures for the specific case (the software market) and the generalised relations take the form:
clip_image002clip_image004 ... (1.1)

The outcomes are not definitive statements of what will be produced. In this game, the “Stag” is a desire to “Create Secure Software” and the “Hare” the fallback to adding more features. A desire is not a case of creating fewer bugs by itself, but rather a combination of adding controls and testing to software. Such an example would be the addition of the XP to Windows XP SP2 by Microsoft. Additional testing is effective to a point and more can be done than is occurring at present[3].

The payoffs for creating more secure software are great for both the vendor and the user, but the risk of a misaligned strategy leads to the sub-optimal equilibria. What is needed is a signalling process. A signal will allow the players to align to the more optimal strategy. It is not only in the user’s interest to have more secure software, but also is in the interest of the vendor. Patching is expensive and the vendor can reasonably charge more for secure software.

A problem with a sub-optimal equilibrium is that “talk is cheap”. A player's strategy is not only whether to hunt stag or hare, but also what signal to send, and how to respond to signals he receives. In order to switch from the hare hunting equilibrium (more Features) to the other, over three quarters of the population must simultaneously switch strategy to require secure software. This is a simple situation when there are only 2 players, but becomes more complex in an n-player game.

As the ratio between the payoff for stag hunting and the payoff for hare hunting is reduced, the incentives to move towards stag hunting decrease. As a result, it becomes less likely that software security will be made into a primary goal of either party. As such, where the introduction of features and the “new killer app” occur more frequently, software security lags and it becomes more likely that a change from a stag hunting equilibrium to a hare hunting equilibrium will occur. It is hence less probable that an alteration of the players' strategy from hare to stag will occur.
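
The threshold and payoff-ratio arguments in the two paragraphs above, as an added worked example that is not part of the original post. The payoffs (stag 4, hare 3, lone stag 0) and all function names are assumptions, chosen so that the switching threshold matches the three quarters quoted above; the values from Figure 1 are not available on this page.

```python
from fractions import Fraction
from itertools import product

STAG, HARE = 0, 1  # "create secure software" vs "add more features"

def stag_hunt(stag_both, hare, stag_alone=0):
    """Symmetric 2x2 game: u[(mine, theirs)] is my payoff.
    Assumed form: hare pays the same whatever the other player does."""
    return {(STAG, STAG): Fraction(stag_both), (STAG, HARE): Fraction(stag_alone),
            (HARE, STAG): Fraction(hare), (HARE, HARE): Fraction(hare)}

def pure_equilibria(u):
    """Strategy pairs where neither player gains by deviating alone."""
    found = []
    for a, b in product((STAG, HARE), repeat=2):
        row_ok = u[(a, b)] >= u[(1 - a, b)]
        col_ok = u[(b, a)] >= u[(1 - b, a)]  # symmetric game: swap roles
        if row_ok and col_ok:
            found.append((a, b))
    return found

def switch_threshold(u):
    """Smallest share p of stag hunters that makes stag a best reply:
    p*u[S,S] + (1-p)*u[S,H] >= p*u[H,S] + (1-p)*u[H,H]."""
    loss_if_alone = u[(HARE, HARE)] - u[(STAG, HARE)]
    gain_if_joint = u[(STAG, STAG)] - u[(HARE, STAG)]
    return loss_if_alone / (loss_if_alone + gain_if_joint)

def classify(u):
    p = switch_threshold(u)
    return {
        "pure_equilibria": pure_equilibria(u),
        # Payoff dominance: the equilibrium that pays both players more.
        "payoff_dominant": STAG if u[(STAG, STAG)] > u[(HARE, HARE)] else HARE,
        # Risk dominance: hare wins when stag needs more than half the
        # population behind it before it becomes the better reply.
        "risk_dominant": HARE if p > Fraction(1, 2) else STAG,
        "switch_threshold": p,
    }

def threshold_sweep(hare=3, stag_payoffs=(8, 4, Fraction(7, 2))):
    """Threshold for a shrinking stag/hare payoff ratio (assumed values)."""
    return [(Fraction(s) / hare, switch_threshold(stag_hunt(s, hare)))
            for s in stag_payoffs]

if __name__ == "__main__":
    print(classify(stag_hunt(4, 3)))
    for ratio, p in threshold_sweep():
        print(f"stag/hare ratio {ratio}: stag needs a share of at least {p}")
```

As the stag payoff falls towards the hare payoff, the share of players that must already be demanding secure software before switching pays off rises towards one.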

This is where the development of a software risk derivative would be of service.
One possible solution to the limited and sub-optimal markets that currently exist would be the creation of Hedge funds for software security. Sales in software security based derivatives could be created on forward contracts. One such solution is the issuing of paired contracts (such as exist in short sales of stocks). The first contract would be taken by a user and would pay a fixed amount if the software has suffered from any vulnerabilities on the (forward) date specified in the contract. The paired contract would cover the vendor. If the vendor creates software without flaws (or at least mitigates all easily determinable flaws prior to the inception of the contract) the contract pays them the same amount as the first contract.

[1] Akerlof, George A. (1970). "The Market for 'Lemons': Quality Uncertainty and the Market Mechanism". Quarterly Journal of Economics 84 (3): 488–500. doi:10.2307/1879431
[2] See Bruce Schneier; and Ross Anderson. 2001. “Why Information Security is Hard – an Economics Perspective.” 17th Annual Computer Security Applications Conference. New Orleans, LA, USA.
[3] Esp. with vendors such as Adobe who seem to not think of bugs as a problem.
