Information that makes security stakeholders better off

Article — by Alfonso De Gregorio, 07 December 2010

Software Security's Futures Plural

An update on BeeWise.


I will be speaking at Mini Metricon 5.5 in San Francisco on 14th February about my project at the intersection of software security, economics and event futures. Here is the abstract.

Abstract. Security stakeholders face a challenging task in assessing the risks they are exposed to, as they have incomplete information about the number and the severity of vulnerabilities affecting their systems. As a matter of fact, current economic, regulatory and legal incentives are misaligned, distorted or ineffectual.

Exploit derivatives promise to provide a financial instrument useful for establishing information symmetry between buyers and sellers, giving software manufacturers incentives to build security in, and hedging against information security risks.

This work introduces BeeWise, a first testbed for a security-event futures exchange, where participants trade contracts whose payoffs are tied to future events in information security (e.g., the discovery of a given software vulnerability). In its first stage, BeeWise will be based on play money and will aim to help balance the information between buyers and sellers, paving the way towards a full-fledged derivatives market.

The expectation is that in the presence of sufficient market liquidity and low transaction costs, the prices of the contracts will be an approximate measure of the probability of the underlying events at any time.