Incentive-Based Software Security: Fair Micro-Payments for Writing Secure Code
Sprache des Vortragstitels:
Englisch
Original Tagungtitel:
2023 Conference on Decision and Game Theory for Security
Sprache des Tagungstitel:
Englisch
Original Kurzfassung:
We describe a mechanism to create fair and explainable incentives for software developers to reward contributions to security of a product. We use cooperative game theory to model the actions of the developer team inside a risk management workflow, considering the team to actively work against known threats, and thereby receive micro-payments based on their performance. The use of the Shapley-value provides natural explanations here directly through (new) interpretations of the axiomatic grounding of the imputation. The resulting mechanism is straightforward to implement, and relies on standard tools from collaborative software development, such as are available for git repositories and mining thereof. The micropayment model itself is deterministic and does not rely on uncertain information outside the scope of the developer team or the enterprise, hence is void of assumptions about adversarial incentives, or user behavior, up to their role in the risk management process that the mechanism is part of. We corroborate our model with a worked example based on real-life data.
Sprache der Kurzfassung:
Englisch
Englischer Vortragstitel:
Incentive-Based Software Security: Fair Micro-Payments for Writing Secure Code