In Depth
Broken Windows Revisited: Why Insecure Software and Security Products Hurt the Global Economy
Geekonomics author David Rice on what a tailor can teach us about software security
By David Rice
May 29, 2008 — Insecure software—and indeed the security products we use to protect software from exploitation—hurt our economic progress. This is true not only for the U.S. economy but for the rest of the world's, as well. This might sound nonsensical and hyperbolic at first. It is not. It is simple economics.
In my book, Geekonomics: The Real Cost of Insecure Software (Addison-Wesley Professional, 2007), I argue that software vulnerabilities are the broken windows of cyberspace. [See a CSOonline excerpt from Geekonomics: The Perversity of Patching.] Broken windows are significant in the eyes of criminologists. A broken window, if left unrepaired, sends a message of disorder into the community. This message of disorder invites greater elements of disorder and can, in the end, invite more serious forms of crime. As such, it can be argued that neighborhood decline is less a function of financial misfortune or poverty and more a function of inattention and sloppiness. Even poor neighborhoods, if the community is attentive, can experience a lower incidence of crime than neighborhoods that are less attentive.
Because software creates the environment of cyberspace, small elements of disorder in software (like software bugs) may lead to greater elements of disorder (like exploitation of vulnerabilities), which ultimately lead to more serious forms of crime (like cyber crime and cyber espionage). Historically, software manufacturers have not been liable for broken windows (software defects), even though software applications have been—and continue to be—shipped with an unknown number of latent and preventable weaknesses. Software does not "break" in use, as physical products do. Software is shipped by the manufacturer already broken, with the extent of the "brokenness" discovered at some later, unknown time.
In other words, software buyers—far from purchasing the equivalent of a shiny new home—are in fact purchasing a fixer-upper, where the number of broken windows in the new home is unknown both to the buyer and to the manufacturer. In the story of software, our computers are broken even before we purchase them. We are buying into disorder and thus creating more of it. Aggressively patching software weaknesses does not inhibit the message of disorder in any meaningful way, because software manufacturers release a new stream of preventable software defects into the global stream of commerce almost daily. This is a shame. It is also far from the entire story.
Broken windows are also significant in the eyes of economists, if not more so. By way of explanation, let me start with a short story.