Incentive-Based Software Security: Fair Micro-Payments for Writing Secure Code
Stefan Rass, Martin Pinzger

TL;DR
This paper introduces a fair, explainable incentive mechanism for software developers to enhance security, using cooperative game theory and micro-payments based on performance, with practical implementation and real-life validation.
Contribution
It presents a novel micro-payment mechanism for security contributions based on the Shapley value, grounded in cooperative game theory, and demonstrates its practical applicability with real data.
Findings
Mechanism is straightforward to implement using standard tools.
Micro-payments are deterministic and based on performance, not uncertain external factors.
Model is validated with a real-life data example.
Abstract
We describe a mechanism to create fair and explainable incentives for software developers to reward contributions to security of a product. We use cooperative game theory to model the actions of the developer team inside a risk management workflow, considering the team to actively work against known threats, and thereby receive micro-payments based on their performance. The use of the Shapley-value provides natural explanations here directly through (new) interpretations of the axiomatic grounding of the imputation. The resulting mechanism is straightforward to implement, and relies on standard tools from collaborative software development, such as are available for git repositories and mining thereof. The micropayment model itself is deterministic and does not rely on uncertain information outside the scope of the developer team or the enterprise, hence is void of assumptions about…
Taxonomy
Topics: Software Engineering Research · Open Source Software Innovations · Blockchain Technology Applications and Security
