Software Security Investment: The Right Amount of a Good Thing

Cited by: 0
Authors
Heitzenrater, Chad [1, 2]
Simpson, Andrew [2]
Affiliations
[1] US Air Force Res Lab, Informat Directorate, 525 Brooks Rd, Rome, NY 13441 USA
[2] Univ Oxford, Dept Comp Sci, Wolfson Bldg,Parks Rd, Oxford OX1 3QD, England
DOI
10.1109/SecDev.2016.15
Chinese Library Classification number
TP301 [Theory, Methods];
Discipline classification code
081202;
Abstract
Despite an ever-increasing amount of money and attention devoted to cybersecurity, we continue to see wide-ranging cybersecurity failures. As security practitioners examine new approaches to combat this trend, a growing community has coalesced around secure software development, or 'SWSec', as a best practice. While this movement has highlighted the role engineering process plays in combating the underlying source of vulnerabilities, it has yet to enjoy wide adoption. Anecdotal evidence points to an inability to demonstrate the return on investment (ROI) as a rationale behind this reluctance, and current information security investment models have failed to account for such expenditures. We seek to build upon such models to reflect SWSec investments, with a view to demonstrating the ROI enjoyed by SWSec practice. We summarise our current research toward these ends and identify the research required to fully reflect SWSec alongside current security investments.
Pages: 53-59
Number of pages: 7