Crumbling bridges: The failed economics of software maintenance
Abstract
This paper defines a microeconomic framework for understanding systemic failure in cyber security as market failure. In a marketplace with limited supply chain transparency on software quality in general and software maintenance in particular, rational actors — both software vendors and software buyers — will maximise economic returns by minimising software maintenance and security. As technical debt accrues, so do vulnerability and operational risk, because systems become more difficult to update. In this regard, the depreciation of resilience in software infrastructure resembles the breakdown of chronically undermaintained physical infrastructure, with the added element of adversarial profit. These problems cannot be solved at the computer science level that created them. They can only be solved as a business problem, as transparency requirements (e.g. software bills of materials [SBOMs]) and automation slash the cost of diligence, enabling preferential selection of higher-quality software and continuous enforcement of terms and conditions for active maintenance.
The full article is available to subscribers to the journal.
Author's Biography
JC Herz is Senior Vice President of Cyber Supply Chain for Exiger, which delivers product-level risk and assurance of software and cyber-physical devices, including software bill of materials (SBOM) analysis and upstream operational and supplier risk in open-source and proprietary software components. JC was the Co-Founder and Chief Executive Officer (CEO) of Ion Channel, a software supply chain analytics platform Exiger acquired in 2023, and is a fellow at George Mason University’s National Security Institute. Prior to Ion Channel, JC worked at a predictive causal artificial intelligence (AI) company in healthcare, and on semi-autonomous defence systems. She has served on the Federal Advisory Board of the U.S. National Science Foundation and as a White House Special Consultant to the Office of the Secretary of Defense. She is a board director of QWERX, a quantum-resistant cryptography start-up.