Value of open source projects: A case for open source cybersecurity
2015 ICE Conference, Belfast, June 22-24, 2014
www.timprogram.ca www.carleton.ca
Michael Weiss, Tony Bailetti Carleton University, Ottawa
Licensed under a CC BY-SA license
Objective
• Companies understand they need to engage with open source projects as part of their business strategy
• No good framework for assessing the (ex-ante) value stakeholders assign to an open source project

Goal
• Develop tool to assess value of open source projects based on recent advances in resource-based theory
• Apply framework to argue that cybersecurity threats are better addressed through open source projects
Ex-ante value of resources
• Schmidt & Keil (2013) identify the ex-ante conditions under which firms attribute value to a resource:
1. Firm’s ex-ante market position
2. Its ex-ante resource base, which allows for complementarities
3. Its position in inter-organizational networks
4. Prior knowledge and experience of its managers
Open source value drivers
• Spread (1a): How much engaging in an open source project helps reduce the cost of product development
• Demand (1b): How many units of a stakeholder's product are sold as a result of engaging in the open source project
• Complementarity (2): Number of units sold due to the company's product complementing other products
• Privileged information (3): Volume, variety, velocity, and veracity of privileged information that is accessible
• Judgement (4): Number of individuals with requisite experience and knowledge to create value attracted
Open source engagement levels
Method
• We examined six open source projects that we had studied in detail in our previous research, and drew on open source literature to complement findings
• For each project, we inferred the actions that were taken to create value from the open source project and classified them by engagement level and value driver
• Collapsed classifications for the projects into a single classification to produce the assessment tool
• Examined cybersecurity literature and case studies through the lens of the value assessment tool
Open source value assessment tool
Levels of engagement: Use, Contribute, Champion, Collaborate
Value drivers: Increase spread, Increase demand, Increase complementarity, Increase privileged information, Increase judgement
Actions listed in the tool:
• Reduce cost of development
• Reduce cost of providing standard features
• Reduce cost of acquisition for customers
• Reduce cost of creating shared assets
• Develop new features quickly to attract customers
• Make company's product more attractive by including standard features
• Attract community contributions to project
• Trial products
• Create a common platform for products
• Create plug-ins into other products
• Allocate developers to subprojects
• Define ownership
• Jointly create new markets
• Monitor technological trends
• Nurture the community
• Attract third party features and services
• Learn from one another
• Access to a pool of talented developers
• Access to a diversity of skills
Application to Eclipse project
Levels of engagement: Use, Contribute, Champion, Collaborate
Value drivers: Increase spread, Increase demand, Increase complementarity, Increase privileged information, Increase judgement
Actions listed for Eclipse:
• Reduce cost of providing standard features
• Reduce cost of acquisition for customers
• Reduce cost of creating shared assets
• Make company's product more attractive by including standard features
• Attract community contributions to project
• Trial products
• Create a common platform for products
• Allocate developers to subprojects
• Define ownership
• Donate initial project code
• Jointly create new markets
• Nurture the community
• Learn from one another
• Access to a pool of talented developers
• Access to a diversity of skills
Cybersecurity and open source
• Open source approaches have not yet been widely applied in cybersecurity — mantra of “security through obscurity” leads to a siloed approach to security
• However, there have been calls for more transparency and collaboration such as the “collaborative approach” (Ackerman), “cyber commons” (Schiffman & Gupta), “open security” (Schmidt), and “disclosure” (Swire)
• BTW — attackers already know about the benefits of collaboration, so here our focus is on defenders
• Example of collaboration in averting cybersecurity threats: Conficker Working Group
Tool applied to cybersecurity
Levels of engagement: Use, Contribute, Champion, Collaborate
Value drivers: Increase spread, Increase demand, Increase complementarity, Increase privileged information, Increase judgement
Actions listed for cybersecurity:
• Reduce cost of development
• Reduce cost of creating shared assets
• Increase security for their products and services
• Share security expertise
• Create a platform for sharing security intelligence
• Monitor technological trends
• Nurture the community
• Attract third party features and services
• Share threat intelligence
• Access to a pool of talented developers
• Access to a diversity of security expertise
Conclusion
• Purpose of tool: help companies increase value they gain from engaging with open source projects
• Foundation for the tool was provided by a recent theoretical advance in resource-based theory
• Tool helps describe actions to be taken at a given level of engagement to drive value in specific ways
• Applied tool to argue for an open source approach to cybersecurity: more transparent & collaborative
• Future work is to examine current projects in the still nascent field of open source cybersecurity