Incentive-Based Software Security: Fair Micro-Payments for Writing Secure Code

Stefan Rass; Martin Pinzger

Incentive-Based Software Security: Fair Micro-Payments for Writing Secure Code

Research output: Working paper and reports › Preprint

Abstract

We describe a mechanism to create fair and explainable incentives for software developers to reward contributions to security of a product. We use cooperative game theory to model the actions of the developer team inside a risk management workflow, considering the team to actively work against known threats, and thereby receive micro-payments based on their performance. The use of the Shapley-value provides natural explanations here directly through (new) interpretations of the axiomatic grounding of the imputation. The resulting mechanism is straightforward to implement, and relies on standard tools from collaborative software development, such as are available for git repositories and mining thereof. The micropayment model itself is deterministic and does not rely on uncertain information outside the scope of the developer team or the enterprise, hence is void of assumptions about adversarial incentives, or user behavior, up to their role in the risk management process that the mechanism is part of. We corroborate our model with a worked example based on real-life data.

Original language	English
Publisher	arxiv.org
Number of pages	11
Publication status	Published - Oct 2023

Publication series

Name	arXiv.org

Fields of science

101028 Mathematical modelling
102016 IT security
102017 Cryptology

JKU Focus areas

Sustainable Development: Responsible Technologies and Management

Cite this

@techreport{31d31f1eacb441829b725ac423080836,

title = "Incentive-Based Software Security: Fair Micro-Payments for Writing Secure Code",

abstract = "We describe a mechanism to create fair and explainable incentives for software developers to reward contributions to security of a product. We use cooperative game theory to model the actions of the developer team inside a risk management workflow, considering the team to actively work against known threats, and thereby receive micro-payments based on their performance. The use of the Shapley-value provides natural explanations here directly through (new) interpretations of the axiomatic grounding of the imputation. The resulting mechanism is straightforward to implement, and relies on standard tools from collaborative software development, such as are available for git repositories and mining thereof. The micropayment model itself is deterministic and does not rely on uncertain information outside the scope of the developer team or the enterprise, hence is void of assumptions about adversarial incentives, or user behavior, up to their role in the risk management process that the mechanism is part of. We corroborate our model with a worked example based on real-life data.",

author = "Stefan Rass and Martin Pinzger",

year = "2023",

month = oct,

language = "English",

series = "arXiv.org",

publisher = "arxiv.org",

type = "WorkingPaper",

institution = "arxiv.org",

}

TY - UNPB

T1 - Incentive-Based Software Security: Fair Micro-Payments for Writing Secure Code

AU - Rass, Stefan

AU - Pinzger, Martin

PY - 2023/10

Y1 - 2023/10

N2 - We describe a mechanism to create fair and explainable incentives for software developers to reward contributions to security of a product. We use cooperative game theory to model the actions of the developer team inside a risk management workflow, considering the team to actively work against known threats, and thereby receive micro-payments based on their performance. The use of the Shapley-value provides natural explanations here directly through (new) interpretations of the axiomatic grounding of the imputation. The resulting mechanism is straightforward to implement, and relies on standard tools from collaborative software development, such as are available for git repositories and mining thereof. The micropayment model itself is deterministic and does not rely on uncertain information outside the scope of the developer team or the enterprise, hence is void of assumptions about adversarial incentives, or user behavior, up to their role in the risk management process that the mechanism is part of. We corroborate our model with a worked example based on real-life data.

AB - We describe a mechanism to create fair and explainable incentives for software developers to reward contributions to security of a product. We use cooperative game theory to model the actions of the developer team inside a risk management workflow, considering the team to actively work against known threats, and thereby receive micro-payments based on their performance. The use of the Shapley-value provides natural explanations here directly through (new) interpretations of the axiomatic grounding of the imputation. The resulting mechanism is straightforward to implement, and relies on standard tools from collaborative software development, such as are available for git repositories and mining thereof. The micropayment model itself is deterministic and does not rely on uncertain information outside the scope of the developer team or the enterprise, hence is void of assumptions about adversarial incentives, or user behavior, up to their role in the risk management process that the mechanism is part of. We corroborate our model with a worked example based on real-life data.

UR - http://arxiv.org/abs/2309.05338

M3 - Preprint

T3 - arXiv.org

BT - Incentive-Based Software Security: Fair Micro-Payments for Writing Secure Code

PB - arxiv.org

ER -

Incentive-Based Software Security: Fair Micro-Payments for Writing Secure Code

Abstract

Publication series

Fields of science

JKU Focus areas

Other files and links

Cite this