Incentive-Based Software Security: Fair Micro-Payments for Writing Secure Code

Activity: Talk or presentationContributed talkscience-to-science

Description

We describe a mechanism to create fair and explainable incentives for software developers to reward contributions to security of a product. We use cooperative game theory to model the actions of the developer team inside a risk management workflow, considering the team to actively work against known threats, and thereby receive micro-payments based on their performance. The use of the Shapley-value provides natural explanations here directly through (new) interpretations of the axiomatic grounding of the imputation. The resulting mechanism is straightforward to implement, and relies on standard tools from collaborative software development, such as are available for git repositories and mining thereof. The micropayment model itself is deterministic and does not rely on uncertain information outside the scope of the developer team or the enterprise, hence is void of assumptions about adversarial incentives, or user behavior, up to their role in the risk management process that the mechanism is part of. We corroborate our model with a worked example based on real-life data.
Period19 Oct 2023
Event title2023 Conference on Decision and Game Theory for Security
Event typeConference
LocationFranceShow on map

Fields of science

  • 102016 IT security
  • 102 Computer Sciences
  • 102022 Software development

JKU Focus areas

  • Digital Transformation
  • Sustainable Development: Responsible Technologies and Management