Cybersecurity dynamics in software development environment. What system traps do exist?

Abstract

Increasing dependency on information technology and an increasing number of cyber-attacks give rise to concerns about secure software development methods. Building system dynamics models we research and compare the structure underlying the behaviour relevant to security software developments for both agile and traditional software delivery methods. The difference between these models is related to the key characteristics of these methods, but not to the security aspects itself. Both dynamic models show similar structures to developing software and cybersecurity dynamics. Our study shows that network externalities may evoke the acceptance trap. The acceptance trap begins when insecure software is brought into production and is actively used, because if software is available, it can generate income, while further security development will cost more money. Insecure software means the software still contains vulnerabilities that can be exploited by cybercriminals in near future. In order to exploit these vulnerabilities cybercriminals will launch cyber attackers. In such situation there may be a contamination effect caused by successful attacks may evoke more cybercriminal activities. These ongoing cyber-attacks will have such an impact that more and more security improvements and incident responses are needed, which result in increasingly higher costs. As a result, less capacity will be available for future software development. The model structures suggest that more time and money spent on security testing and resolving vulnerabilities helps to avoid the acceptance trap. Similar conclusions have been formulated in the field of Internet of Things adaptation research. Further model quantification, validation, and policy evaluation should provide further insights and recommendations to resolve the acceptance trap.