Software Engineering

Software engineers and their customers continuously face a complex and frustrating decision: given a fixed budget, which combination of vulnerability mitigation actions produces optimal system security? In a world without budgetary or temporal constraints, engineers could invest in whatever tools or training they deemed necessary to safeguard applications and networks. Or they could spend arbitrary amounts of time and money patching existing code and take painstaking precaution in writing new software to ensure its security. Of course, the economic reality is that software engineers are pushed to get their product to market as fast as possible, and security is often a distant priority in the face of budgetary constraints. However, fixing any remaining security vulnerabilities postproduction can be both costly and wasteful.

In this article, we describe a novel methodology for quantitatively optimizing the blend of architectural and policy recommendations that engineers can apply to their products to maximize security under a fixed budget. The results of our optimization are sometimes surprising and even counterintuitive: bigger budgets don't always produce greater security, and the optimal combination of corrective actions changes nonlinearly with increasing expenditures. These findings suggest that some form of formal decision support could augment traditional methods.
A nontrivial problem
The problem we address here is nontrivial for several reasons. The first challenge is the ability to obtain plausible, reliable, and quantitative estimates of the cost of fixing security vulnerabilities and the corresponding benefits from averting losses due to a breach. A large body of academic literature extracts such subjective judgments, particularly for risky outcomes, so we used this knowledge base to inform our study [1–3]. The innovation here isn't how to elicit parameter values, but rather what methods move us from those judgments to an action plan.

The second challenge in prioritizing such corrective actions is their many-to-many relationships with the security problems they solve. If there were a one-to-one relationship between action and vulnerability, we would implement the mitigation action that solved the most threatening problem first and take the remaining actions in a decreasing cost-effectiveness order until either time or resource limitations prohibited further steps.

However, such a simple ordering isn't possible with a many-to-many relationship. In fact, the decision of which blend of mitigation steps to pursue is combinatorial, with the number of combinations growing exponentially with the number of potential actions. This means that considering every possible combination is prohibitively time-consuming. Fortunately, we can couch the problem as a mathematical optimization problem (specifically, an integer program, or IP [4]) and solve at least to a very good optimality approximation with a range of software packages, including spreadsheet programs such as Microsoft Excel [5,6]. The details of this formulation appear in a separate technical report [7].
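The following script is an added illustration of the two points made above, not code from the article or from the SEI case study. It uses a small constructed set of mitigation actions, vulnerabilities with assumed expected losses, and a many-to-many coverage matrix (all values are made up). It solves the 0/1 selection problem exactly by enumerating every subset of actions, which is the exponential search the text describes and which integer programming avoids for larger inputs, and compares the result with the simple "decreasing cost-effectiveness" ordering that works only in the one-to-one case. On this data the greedy rule falls short of the optimum at one budget, and the optimal sets at increasing budgets are not nested in each other.

```python
"""Budgeted selection of vulnerability mitigations (constructed example).

Actions, costs, expected losses and the coverage relation are invented for
illustration; they are not the article's figures or its IP formulation.
"""
from itertools import combinations

# Cost of each candidate mitigation action (constructed, arbitrary units)
ACTIONS = {
    "input_validation": 30,
    "code_review": 50,
    "waf": 40,
    "training": 60,
    "patching": 20,
}

# Expected loss from each vulnerability if it stays unmitigated (constructed)
VULNS = {"sqli": 100, "xss": 60, "auth_bypass": 80, "outdated_lib": 40}

# Many-to-many relation: an action mitigates several vulnerabilities and a
# vulnerability may be mitigated by several actions (constructed)
COVERS = {
    "input_validation": {"sqli", "xss"},
    "code_review": {"sqli", "auth_bypass"},
    "waf": {"sqli", "xss"},
    "training": {"xss", "auth_bypass"},
    "patching": {"outdated_lib"},
}


def averted_loss(chosen):
    """Expected loss averted by a set of actions. A vulnerability counts once
    regardless of how many chosen actions cover it, which is what makes the
    benefit of one action depend on the others already taken."""
    covered = set().union(*(COVERS[a] for a in chosen))
    return sum(VULNS[v] for v in covered)


def cost(chosen):
    """Total cost of a set of actions."""
    return sum(ACTIONS[a] for a in chosen)


def optimize(budget):
    """Exact solution of the 0/1 selection problem by enumerating all 2^n
    subsets of actions (fine for a handful of actions; this blow-up is why
    the text turns to integer programming). Returns (averted_loss, actions);
    ties go to the cheaper set, then to the first one enumerated."""
    best_val, best_set = -1, frozenset()
    names = sorted(ACTIONS)
    for r in range(len(names) + 1):
        for subset in combinations(names, r):
            if cost(subset) > budget:
                continue
            val = averted_loss(subset)
            if val > best_val or (val == best_val and cost(subset) < cost(best_set)):
                best_val, best_set = val, frozenset(subset)
    return best_val, best_set


def greedy(budget):
    """The 'decreasing cost-effectiveness' rule: repeatedly add the affordable
    action with the highest marginal averted loss per unit cost, stopping
    when nothing affordable adds benefit. Exact only for one-to-one data."""
    chosen, remaining = set(), budget
    while True:
        current = averted_loss(chosen)
        candidates = []
        for action, c in ACTIONS.items():
            if action in chosen or c > remaining:
                continue
            gain = averted_loss(chosen | {action}) - current
            if gain > 0:
                candidates.append((gain / c, action))
        if not candidates:
            return averted_loss(chosen), frozenset(chosen)
        _, pick = max(candidates)  # deterministic tie-break on name
        chosen.add(pick)
        remaining -= ACTIONS[pick]


def plan_across_budgets(budgets):
    """Optimal plan for each budget, to inspect how the blend changes."""
    return {b: optimize(b) for b in budgets}


if __name__ == "__main__":
    for b, (val, acts) in plan_across_budgets([50, 80, 100]).items():
        g_val, g_acts = greedy(b)
        print(f"budget {b:>3}: optimal {val} {sorted(acts)}; greedy {g_val} {sorted(g_acts)}")
```

Run as a script, the table shows the optimal set at budget 80 dropping "patching" in favour of "code_review" and picking "patching" up again at budget 100, so the plans are not a simple prefix of one ordering, and greedy reaches only 200 of the attainable 240 at budget 80. Replacing the subset enumeration with an IP solver is the natural next step once the number of actions makes 2^n impractical.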
At Carnegie Mellon University's Software Engineering Institute (SEI), we've been able to experiment with this new methodology in a case study of the Security Quality Requirements Engineering (Square) methodol-
Jonathan Caulkins, Carnegie Mellon University
Eric D. Hough, Space and Naval Warfare Systems Center San Diego
Nancy R. Mead, Software Engineering Institute
Hassan Osman, Ernst & Young
PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/07/$25.00 © 2007 IEEE ■ IEEE SECURITY & PRIVACY 57
As a software engineer or client, how much of your budget should you spend on software security mitigation for the applications and networks on which you depend? The authors introduce a novel way to optimize a combination of security countermeasures under fixed resources.
Optimizing Investments in Security Countermeasures: A Practical Tool for Fixed Budgets