

Jari Råman

Regulating Secure Software Development

Analysing the potential regulatory solutions for the lack of security in software

Acta Electronica Universitatis Lapponiensis 1

Academic Dissertation to be presented, with the permission of the Faculty of Law of the University of Lapland, for public discussion in Auditorium 2, Yliopistonkatu 8, Rovaniemi, on May 26th, 2006, at 12 o'clock.


University of Lapland, Faculty of Law

Copyright: Jari Råman
Distributor: Lapland University Press
P.O. Box 8123, FI-96101 Rovaniemi
tel. +358 16 341 2924, fax +358 16 341 2933
julkaisu@ulapland.fi
www.ulapland.fi/publications

Paperback: ISBN 952-484-034-0, ISSN 0788-7604
PDF: ISBN 952-484-053-7, ISSN 1796-6310, www.ulapland.fi/unipub


”…if a person can’t feel safe, he can never be free…”

(ADA Richard Bay in the drama series “The Practice”, Season 4: Episode 14 – “Checkmates”)

Preface

This is what an assistant district attorney (ADA) told a colleague about the role of prosecutors in order to cheer her up after losing another case to a devious defence counsel. Who said that watching courtroom drama, especially American series, is a waste of time; that they do not teach anything about lawyers' work in continental law countries? Well... Maybe they do not, but this prosecutor certainly understood a part of the essence of freedom and safety, and I got to spend amusing moments in front of a TV.

This ADA was talking about personal safety, but the same statement is true also for security in general. In the era of the Internet and the discussion of its inherent freedom, this really is a crucial statement. If we want to preserve at least some of the former imagined liberty of the Internet, it's time to take its security seriously.

But it is also said that they that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.

At first look these arguments seem contradictory. In fact, they are not. It is true that if you live in constant fear, you will not be able to enjoy the freedom you have. Likewise, if you give away part of your liberty to obtain safety, you will end up with neither of them.

The issue is about balance. These arguments are certainly true in the tangible world we live in, but they are true also for the networked society and the virtual worlds.

This is a legal scientist's journey into security in the networked world. This really is a journey, one which I originally took with another destination in mind. To be honest, this is not the thesis I intended to write. It started out as a study of the role of information security in the central tenets of the constitutional state and the system of basic rights, together with the place of information security among central legal principles. If anything, in western constitutional democracies we build liberty by setting society upon a certain constitution to deal with the balancing. As I proceeded, I started doubting the usefulness of such an approach to anyone other than lawyers in constitutional states like the Finnish one, for whom, too, it is only of limited theoretical interest.

While trying to understand the role of the constitutional rights arguments I faced the role of the coherence argument of law and noticed the line between the internal and external perspectives on law. Then something peculiar occurred: on many occasions the law seemed to hamper the very information security research and practice it was supposed to be enhancing.

At the same time another interesting problem occurred. The 'law' and the legislator seemed to assume that the underlying infrastructure and the components used therein are secure. Many of the legal provisions on transactions, contracting and on the use of constitutional rights in the networks in general seemed to build on this assumption. At the same time the infrastructure of the network society was widely recognised to be insecure by the information security community.

This puzzled me so much that I had to go deeper. I wanted to understand why. Being a young and inexperienced researcher I threw myself headlong at the issue. What started out as research at the very core of legal scholarship, legal and especially constitutional theory, turned into a study of the fringes of the law.

This is the outcome of that journey; an odyssey one might say.

So much for my discipline... (Un)fortunately, this still is somewhat visible in the text.

Before I can rejoin the original path with the wisdom, especially of the law, gathered during the many encounters on my journey of exploration, or make another one, the time has come to give thanks.

My supervisor, Professor Ahti Saarenpää, deserves my gratitude above all for the academic freedom and encouragement. The high scholarly example you set forced me to do my best.

Dissertation examiners Professor Kauko Wikström from the University of Turku and Professor Gerald Quirchmayr from the University of Vienna made valuable comments on draft versions.

I have taken most of them into account. Professor Quirchmayr kindly agreed to act as the academic opponent at the public defence.

The odyssey would not have been the same if I had not come in contact with information security researchers from the Department of Information Processing Science at the University of Oulu and from the Oulu University Secure Programming Group. The former gave me an understanding of what information security is really all about. The latter not only acquainted me with the life of a bug, but also gave me a glimpse of what academic group work can be at its best.

The research could not have been possible without financial support. The project Scarcity of Justice funded by the Academy of Finland gave me the original possibility to get to know myself as a researcher and to make the initial wanderings in the dark. I am obliged to the Institute for Law and Informatics at the Faculty of Law. A thank you goes also to the Rector of the University of Lapland and the Finnish Lawyers' Association. At the final stages the Faculty of Law gave me a position as an assistant in legal informatics. I was able to finalise my thesis without overly burdensome administrative tasks largely due to the understanding of the acting professor Rauno Korhonen.

Friends have really made the journey. A warm thank you goes to Annamari, Anu and Pekka for just being yourselves. Thanks also to my parents Tuula and Kyösti, to my siblings Hanna, Henri and Petri, and to friends, relatives and colleagues not especially mentioned.

Words are not enough for my nearest and dearest Mervi, Sofia and Selina.

Rovaniemi, May 2006 Jari Råman

Contents

Preface . . . V
Contents . . . IX
References . . . XII
List of Abbreviations . . . LII

1 Introduction . . . 1

1.1 Seeing through a conceptual muddle . . . 6

1.2 Qualification of modes of software and information system . . . 9

1.3 Security and/or quality – or something in the between? . . . 19

1.4 What is regulation? . . . 25

1.5 Two combined perspectives into the study of regulation . . . 37

1.6 Research questions, purpose and contribution . . . 41

1.7 Of method and material . . . 47

2 Understanding secure software development . . . 67

2.1 The network economic environment . . . 72

2.2 Time-to-market and security . . . 76

2.3 Remarks on maintenance and testing . . . 82

2.4 Appeal to developers and security . . . 89

2.5 Security and lock-in . . . 90

2.6 Failure of private motivation? . . . 95

2.7 Information security as an externality . . . 103

2.8 Inadequacies in the distribution of security-related information . . . 115

2.9 Asymmetry of security related information . . . 124


3 The way regulation affects behaviour. . . 139

3.1 By providing reasons for action . . . 140

3.2 As internal influence . . . 153

3.3 As external constraint . . . 163

3.3.1 Different classifications with a common background assumption . . . 167

3.3.2 Attaching specific external influence mechanisms to instrument types . . . 175

3.4 Packaging influence mechanisms - the interaction of instruments . . . 199

3.5 Classifications of regulators and their objects. . . 205

3.6 A methodological aside – on the role of law in regulation . . . 211

4 Harnessing social norms: disclosure of vulnerability information . . . 223

4.1 Who regulates? . . . 232

4.2 Influence mechanism . . . 234

4.3 Factors shaping the influence . . . 243

4.3.1 Objectives . . . 243

4.3.2 Substance. . . 245

4.3.3 Implementation . . . 254

4.3.4 Reactions of objects . . . 283

5 Using prescriptive rules: software product liability. . . 291

5.1 Who regulates? . . . 303

5.2 Influence mechanism . . . 306

5.3 Factors shaping the influence . . . 326

5.3.1 Objectives . . . 326

5.3.2 Substance. . . 334

5.3.3 Implementation . . . 378

5.3.4 Reaction of objects. . . 398

6 Conclusions . . . 409

6.1 Improving the influencing capacity of software product liability rules . . . 415

6.2 Improving the influencing capacity of vulnerability reporting . . . 448

6.3 The way forward . . . 461

Epilogue: value protection and decentred regulation . . . 471

Name Index . . . 483

(10)

XII Regulating Secure Software Development

Sources

Literature

Aarnio A (1989) Laintulkinnan teoria. Yleisen oikeustieteen oppikirja, Werner Söderström Oy, Juva

Aarnio A (1983) Some Conceptual Foundations of Legal Policy Research, in Philosophical Perspectives in Jurisprudence, Acta Philosophica Fennica Vol. 36, Philosophical Society of Finland, Helsinki, p. 222-238

Abrahamsson P (2002) The Role of Commitment in Software Process Improvement, Oulu University Press, Oulu

Abrahamsson P, Salo O, Ronkainen J and Warsta J (2002) Agile Software Development Methods: Review and Analysis, VTT Publications 478, Technical Research Centre of Finland, Espoo

http://www.inf.vtt.fi/pdf/publications/2002/P478.pdf [23.2.2006]

Acquisti A and Grossklags J (2003) Losses, Gains, and Hyperbolic Discounting: An Experimental Approach to Information Security Attitudes and Behaviors, paper presented at the Second Annual Workshop on Economics and Information Security, Robert H. Smith School of Business, University of Maryland, May 29-30, 2003, available at

http://www.heinz.cmu.edu/~acquisti/papers/acquisti_grossklags_eis_refs.pd f [21.2.2006] published in Camp J and Lewis S (eds., 2004) The Economics of Information Security (Advances in Information Security), Kluwer

Adler MD (2000) Beyond Efficiency and Procedure: A Welfarist Theory of Regulation, Florida State University Law Review, 28(1): 241-339

Adler MD (2000) Expressive Theories of Law: A Skeptical Overview, University of Pennsylvania Law Review, 148(5): 1363-1502

Adler MD (2000) Linguistic Meaning, Nonlinguistic ‘Expression’ and the Multiple Variants of Expressivism: A Reply to Professors Anderson and Pildes, University of Pennsylvania Law Review, 148(5): 1577-1595

Ahonen P, Eronen J, Holappa J, Kajava J, Kaksonen T, Karjalainen K, Karppinen K, Rapeli M, Röning J, Sademies A, Savola R, Uusitalo I and Wiander T (2005) Information Security Threats and Solutions in the Mobile World. The Service Developer’s Perspective, VTT Research Notes 2308, VTT Technical Research Centre of Finland, Espoo. Available also at the web pages of the Development Programme on Trust and Information Security in Electronic Services (LUOTI) of the Finnish Ministry of Transport and Communications, at http://www.luoti.fi/publish.html [22.12.2005]

(11)

Sources XIII

Akerlof GA (1970) The Market for “Lemons”: Quality Uncertainty and the Market Mechanism, Quarterly Journal of Economics, 84(3): 488-500 Anderson ES and Pildes RH (2000) Expressive Theories of Law: A General Restatement, University of Pennsylvania Law Review, 148(5): 1503-1576 Anderson R (2003) Cryptology and Competition Policy-Issues with 'Trusted Computing’, Paper presented at the 2nd Annual Workshop on Economics and Information Security, University of Maryland, May 29-30

Anderson R (2001) Why Information Security is Hard – An Economic Perspective, paper presented at 17th Annual Computer Security Applications Conference, December 10-14, New Orleans, Louisiana

Antunes G and Hunt AL (1980) The Impact of Certainty and Severity of Punishment, in Evan WM (ed.) The Sociology of Law. A Social-Structural Perspective, The Free Press, New York, p. 185-197. Excerpt from Antunes G and Hunt AL (1973) The Impact of Certainty and Severity of Punishment on Levels of Crime in American States: An Extended Analysis, Journal of Criminal Law and Criminology, 64: 486-493

Arbaugh B (2002) Security: Technical, Social, and Legal Challenges, IEEE Computer, 35(2): 109-111

Arbaugh WA, Fithen WL and McHugh J (2001) Windows of Vulnerability:

A Case Study Analysis, IEEE Computer, 33(12): 52-59, also available at http://www.cs.umd.edu/~waa/pubs/Windows_of_Vulnerability.pdf [23.2.2006]

Arhippainen L (2003) Use and integration of third-party components in software development, VTT Publications 489, Technical Research Centre of Finland, Espoo, http://www.vtt.fi/inf/pdf/publications/2003/P489.pdf [16.2.2006]

Arora A, Krishnan R, Nandkumar A, Telang R and Yang Y (2004) Impact of Vulnerability Disclosure and Patch Availability — An Empirical Analysis, paper presented at The Third Annual Workshop on Economics and Information Security (WEIS04), May 13-14, 2004, University of Minnesota, Minneapolis, USA,

http://www.dtc.umn.edu/weis2004/telang.pdf [23.2.2006]

Ashish A, Caulkins JP and Telang R (2003) Sell First Fix Later: Impact of Patching on Software Quality, Carnegie Mellon University Working Paper, January, http://www.heinz.cmu.edu/~rtelang/patchingF.pdf [23.2.2006]

Aubert V (1976) Rettens sosiale funksjon, Universitetsforlaget, Oslo

(12)

XIV Regulating Secure Software Development

Aubert V (1966) Some Social Functions of Legislation, in Aubert V (ed.

1969) Sociology of Law. Selected Readings, Penguin Books, Middlesex (abridged)

Ayres I and Braithwaite J (1992) Responsive Regulation: Transcending the Deregulation Debate, Oxford University Press, Oxford

Baldwin R (1997) Regulation: After Command and Control, in Hawkins K (ed.) The Human Face of Law,Oxford University Press, Oxford

Baldwin R (1995) Rules and Government, Clarendon Press, Oxford

Baldwin R and Cave M (1999) Understanding Regulation. Theory, Strategy, and Practice, Oxford University Press, New York

Baldwin R, Scott C and Hood C (eds., 1998) A Reader on Regulation, Oxford: Oxford University Press

von Bar C and Drobning U (2001) Study on Property Law and Non- contractual Liability Law as they relate to Contract Law, Submitted to the European Commission, Health and Consumer Protection DG, SANCO B5- 1000/02/000574,

http://europa.eu.int/comm/consumers/cons_int/safe_shop/fair_bus_pract/cont_l aw/study.pdf [23.2.2006]

Bar-Gill O and Fershtman C (2004) Law and Preferences, Journal of Law, Economics and Organisation, 20(2): 331-352

Baron DP (2001) Private Politics, Corporate Social Responsibility, and Integrated Strategy, Journal of Economics & Management Strategy, 10(1):

7-45

Baron DP (2003) Private Politics, Journal of Economics & Management Strategy, 12(1): 31-66

Baskerville R (1992) The Developmental Duality of Information Systems Security, Journal of Management Systems, 4(1): 1-12

Baskerville R (1993) Information Systems Security Design Methods:

Implications for Information Systems Development, ACM Computing Surveys, 25(4): 375-414

Baskerville R, Levine L, Pries-Heje J, Ramesh B and Slaughter S (2001) How Internet Software Companies Negotiate Quality, IEEE Computer, 34(5): 51-58

(13)

Sources XV

Baskerville R and Pries-Heje J (2001) Racing the e-bomb: How the Internet is Redifining Information Systems Development Methodology, in FitzGerald B, Russo N and DeGross J (eds.), Realigning Research and Practice in IS Development: The Social and Organisational Perspective, Kluwer, New York, p. 49-68

Beales H, Craswell R, and Salop SC (1981) The Efficient Regulation of Consumer Information, Journal of Law & Economics, XXIV(3): 491-539, reprinted in Ogus AI (ed., 2001) Regulation, Economics, and the Law, International Libraty of Critical Writings in Economics Series, No. 137, Edward Elgar Publishing, UK, p. 160-209

Bemelmans-Videc M-L (1998) Introduction: Policy Instruments Choice and Evaluation, in Bemelmans-Videc M-L, Rist RC and Vedung E (eds.) Carrots, Sticks & Sermons. Policy Instruments & Their Evaluation, Transaction Publishers, New Brunswick, p. 1-21

Bemelmans-Videc M-L and Vedung E (1998) Conclusions: Policy Instruments Types, Packages, Choices, and Evaluation, in Bemelmans- Videc M-L, Rist RC andVedung E (eds.) Carrots, Sticks & Sermons. Policy Instruments & Their Evaluation, Transaction Publishers, New Brunswick, p.

249-275

Bender D (1991) Computer Software Products Liability – The United States Perspective, in Meijboom AP and Prins C (eds.) The Law of Information Technology in Europe 1992, Kluwer, Deventer, p. 207-225

Berman PS (2000) Cyberspace and the State-Action Debate: The Cultural Value of Applying Constitutional Norms to 'Private' Regulation, University of Connecticut School of Law Working Paper Series, Working Paper 9 (June 1st), available at http://lsr.nellco.org/uconn/ucwps/papers/9 [updated 5.12.2005, visited 23.2.2006]. Published also at University of Colorado Law Review, 71(4): 1263-1310

Better Regulation Task Force (2005) Routes to Better Regulation: A Guide to Alternatives to Classic Regulation, Better Regulation Commission, London, available at

http://www.brc.gov.uk/publications/routes.asp [9.3.2006]

Better Regulation Task Force (2005) Get Connected: Effective Engagement in the EU, Better Regulation Commission, London, available at

http://www.brc.gov.uk/publications/getconnectedentry.asp[9.3.2006]

Black HC (1998) Black’s Law Dictionary, 6th edition, 13th reprint, West Publishing Co., St. Paul

Black J (1996) Constitutionalising Self-Regulation, Modern Law Review, 59(1): 24-56

(14)

XVI Regulating Secure Software Development

Black J (2002) Critical Reflections on Regulation, CARR (Centre for Analysis of Risk and Regulation) Discussion Paper no: 4, January, London School of Economics and Political Science, London,

http://www.lse.ac.uk/collections/CARR/pdf/Disspaper4.pdf [16.2.2006]

Black J (2001) Decentring Regulation: Understanding the Role of Regulation and Self-Regulation in a ’Post-Regulatory’ World, Current Legal Problems, 54: 103-146

Black J (2003) Enrolling Actors in Regulatory Systems: Examples from UK Financial Services Regulation, Public Law, Spring, Sweet & Maxwell, London, p. 63-92

Black J (2004) Law and Regulation: The Case of Finance, in Parker C, Scott C, Lacey N and Braithwaite J (eds.) Regulating Law, Oxford University Press, Oxford, p. 33-60

Black J (2003) Mapping the Contours of Contemporary Financial Services Regulation, CARR (Centre for Analysis of Risk and Regulation) Discussion Paper No. 17, London School of Economics and Political Science, London, http://www.lse.ac.uk/collections/CARR/pdf/Disspaper17.pdf [16.2.2006]

Black J (2000) Proceduralising Regulation: Part I, Oxford Journal of Legal Studies, 20(4): 597-614

Black J (2001) Proceduralizing Regulation: Part II, Oxford Journal of Legal Studies, 21(1): 33-58

Blackburn JD, Scudder GD and Wassenhove LN (1996) Improving Speed and Productivity of Software Development: A Global Survey of Software Developers, IEEE Transactions on Software Engineering, 22(12): 875-886 Boehm BW (1981) Software Engineering Economics, Prentice-Hall, New Jersey

Boehm BW and Sullivan KJ (2000) Software Economics: A Roadmap, in Finkelstein A (ed.) The Future of Software Engineering, 22nd International Conference on Software Engineering, ACM, New York, June

Botting RJ (1997) On the Economics of Mass-Marketed Software, Proceedings of the 19th International Conference on Software Engineering (ICSE), May 17-23, Boston, Massachusetts, p. 465-471

Boyle J (1997) Foucault in Cyberspace: Surveillance, Sovereignty and Hard-Wired Censors, available at

http://www.law.duke.edu/boylesite/foucault.htm [10.19.2005], published also in University of Cincinnati Law Review, 66: 177-205

(15)

Sources XVII

Bradgate R (1999) Beyond the Millennium – The Legal Issues: Sale of Goods Issues and the Millennium Bug, Journal of Information, Law and Technology (JILT), 1999(2), available at

http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1999_2/bradgate/

[27.3.2006]

Brady RM, Anderson RJ, and Ball RC (1999) Murphy's law, the fitness of evolving species, and the limits of software reliability, University of Cambridge, Computer Laboratory, Technical report No. 471, September, available at http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-471.pdf [21.2.2006]

Breyer SG (1982) Regulation and its Reform, Harvard University Press, Cambridge

Brownlee N and Guttman E (1998) Expectations of Computer Security Incident Response, Internet Engineering Task Force (IETF), Request for Comment (RFC) 2350, http://www.ietf.org/rfc/rfc2350.txt [23.1.2006]

Brüggemeier G (1997) The Control of Corporate Conduct and Reduction of Uncertainty by Tort Law, in Baldwin R (ed.) Law and Uncertainty. Risks and Legal Processes, Kluwer Law International, The Hague, p. 57-75 Bryde Andersen M (1988) Edb og ansvar, Jurist- og Økonomforbundets forlag, København

Bryde Andersen M (2005) IT-retten, 2nd ed., Gjellerup, København. The 1st edition is also available at http://www.it-retten.dk [4.1.2006]

Burnett R (2005) Legal Risk Management for the IT Industry, Computer Law & Security Report, 21(1): 61-67

Burrel G and Morgan G (1979) Sociological Paradigms and Organisational Analysis. Elements of the Sociology of Corporate Life, Heinemann, London Burrows P (1994) Products Liability and the Control of Product Risk in the European Community, Oxford Review of Economic Policy, 10(1): 68-83 Calderini M, Cantamessa M and Palmigiano A (2003) Analysis of the Economic Impact of the Development Risk Clause as provided by Directive 85/374/EEC on Liability for Defective Products, Study for the European Commission, Contract No. ETD/2002/B5,

http://europa.eu.int/comm/enterprise/regulation/goods/docs/liability/2004- 06-dev-risk-clause-study_en.pdf [23.2.2006]

Callaghan D and O’Sullivan C (2005) Who Should Bear the Cost of Software Bugs? Computer Law & Security Report, 21(1): 56-60

(16)

XVIII Regulating Secure Software Development

Cambell K, Gordon LA, Loeb MP, and Zhou L (2003) The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence From the Stock Market, Journal of Computer Security, 11(3): 431-448 Camp JL and Wolfram C (2000) Pricing Security, Proceedings of the CERT Information Survivability Workshop, Boston, MA Oct. 24-26, 2000, p. 31- 39, http://www.ljean.com/files/isw.pdf [23.2.2006]

Carlshamre P (2001) A Usability Perspective on Requirements Engineering.

From Methodology to Product Development, Linköping Studies in Science and Technology nr 726, Linköping University, Linköping, available at http://www.diva-portal.org/liu/theses/abstract.xsql?dbid=4976 [16.2.2006]

Carlshamre P and Regnell B (2000) Requirements Lifecycle Management and Release Planning in Market-Driven Requirements Engineering Processes, in Tjoa AM, Wagner RR, and Al-Zobaidie A (eds.) Proceedings of the 11th International Workshop on Database and Expert Systems Applications Process, IEEE Computer Society Press, Los Alamitos, CA Carmel E and Sawyer S (1998) Packaged software development teams:

What makes them different?, Information Technology and People, 11(1):

7–19

Castrén M (1997) EU-Suomen markkinaoikeus, Kauppakaari, Helsinki Cavusoglu H, Cavusoglu H and Raghunathan S (2005) Emerging Issues in Responsible Vulnerability Disclosure, paper presented in the Fourth Workshop on the Economics of Information Security, Kennedy School of Government, Harvard University, 2-3 June 2005, available at http://infosecon.net/workshop/pdf/cavusoglu.pdf [10.2.2006]

Chandler D (1995) Technological or Media Determinism, part

”Reification”, The Media and Communications Studies Site, hosted by the University of Wales, Aberystwyth,

http://www.aber.ac.uk/media/Documents/tecdet/tdet05.html (last modified 11.4.2000, visited 10.10.2005)

Chandler JA (2005) Improving Software Security: A Discussion of Liability for Unreasonably Insecure Software, Securing Privacy in the Internet Age, Stanford University Press, 2005, at http://ssrn.com/abstract=610041 [21.2.2006]

Chandler JA (2004) Security in Cyberspace: Combatting Distributed Denial of Service Attacks, University of Ottawa Law & Technology Journal, 1:

231-261, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=596667 [10.2.2006]

(17)

Sources XIX

Coleman JL (1988) Markets, Morals and the Law, Cambridge University Press, Cambridge

Coleman JL (1991) Rules and social facts, Harvard Journal of Law &

Public Policy, 14(3): 703- 726

Coleman JL and Leiter B (1996) Legal Positivism, in Patterson D (ed.) A Companion to Philosophy of Law and Legal Theory, Blackwell Publishers, Oxford, p. 241-261

Collins H (2004) Regulating Contract Law, in Parker C, Scott C, Lacey N and Braithwaite J (eds.) Regulating Law, Oxford University Press, Oxford, p. 13-33

Collins H (1999) Regulating Contracts, Oxford University Press, New York Connolly DR (1994) Insurance: The Liability Messenger, in Hunziker JR and Jones TO (eds.) Product Liability and Innovation: Managing Risk in an Uncertain Environment, Washington DC, National Academy Press, p. 131- 137 http://www.nap.edu/books/0309051304/html/ [23.2.2006]

Cooter R (2001) Do good laws make good citizens? An economic analysis of internalizing legal values, Independent Institute Working Paper No. 33, available at

http://www.independent.org/publications/working_papers/

article.asp?id=744 [updated and visited 23.2.2006]

Cooter R (1995) Law and Unified Social Theory, Journal of Law and Society, 22(1): 50-67

Cooter R and Ulen T (2000) Law and Economics, 3rd ed., Addison-Wesley, Reading, Massachusett

Cusumano MA and Shelby R (1995) Microsoft Secrets, The Free Press, New York

Cusumano MA and Yoffie DB (1998) Competing on Internet Time: Lessons from Netscape and Its Battle with Microsoft, The Free Press, New York Dahlstedt ÅG, Karlsson L, Persson A, Natt och Dag J and Regnell B (2003) Market-Driven Requirements Engineering Processes for Software Products – a Report on Current Practices, paper presented in International Workshop on COTS and Product Software: Why Requirements Are So Important (RECOTS), 10 September 2003, held in conjunction with the 11th IEEE International Requirements Engineering Conference, September 8-12, 2003, Monterey Bay, California, USA, available at

http://www-lsi.upc.es/events/recots/papers/Dahlstedt.pdf [21.2.2006]

(18)

XX Regulating Secure Software Development

Daintith T (1987) Law as Policy Instrument: A Comparative Perspective, in Daintith T (ed.) Law as an Instrument of Economic Policy: Comparative and Critical Approaches, European University, Series A, No. 7, Walter de Gruyter, Berlin, p. 3-56

Daughety AF and Reinganum JF (1995) Product safety: liability, R&D and signaling, The American Economic Review, 85(5): 1187-1206

Daughety AF and Reinganum JF (2005) Secrecy and Safety, The American Economic Review, 95(4): 1074-1091. Also available at

http://www.vanderbilt.edu/Econ/faculty/Daughety/

DaughetyandReinganumSecrecyandSafetyJan2005.pdf [29.3.2006]

DeLeon P (1999) The Stages Approach to the Policy Process:What Has It Done? Where Is It Going?, in Sabatier PA (ed.) Theories of the Policy Process, Westview Press, Oxford, p. 19-35

DeLong B and Froomkin M (2000) Speculative Microeconomics for Tomorrow's Economy, First Monday, 5(2),

http://www.firstmonday.org/issues/issue5_2/delong/index.html [22.2.2006]

Devanbu P and Stubblebine S (2000) Software Engineering for Security: a Roadmap, in Finkelstein, A (ed.) The Future of Software Engineering, 22nd International Conference on Software Engineering, ACM, New York, June, p. 225-241

Dharmapala D and McAdams RH (2001) The Condorcet Jury Theorem and the Expressive Function of the Law: A Theory of Informative Law, University of Illinois College of Law, Law and Economics Working Paper Series, Working Paper No. 00-19, February, p. 1, available at

http://www.law.uiuc.edu/publications/ssrn/articles/00- 19%20McAdams%20Condorcet%20Jury.PDF [23.2.2006]

Dhillon G (1997) Managing Information System Security, MacMillan Press ltd, London

Drahos P with Braithwaite J (2003) Information Feudalism. Who Owns the Knowledge Economy?, The New Press, New York

Eckhoff T (1983) Statens Styrningsmuligheter. Særlig i Ressurs- og Miljøspørsmål, Tanum-Norli, Oslo

Egeskov C and Christensen JA (2003) Behovet for forsikring af software- producentens mulige erstatningansvar, Nordisk Försäkringstidskrift (Scandinavian Insurance Quarterly), 2003(1): 51-73

(19)

Sources XXI

Eijlander P (2005) Possibilities and Constraints in the Use of Self- Regulation and Co-Regulation in Legislative Policy: Experience in the Netherlands – Lessons to Be Learned for the EU? Electronic Journal of Comparative Law, Volume 9.1 (January 2005), available at

http://www.ejcl.org/91/art91-1.html [8.2.2006]

Eisenberg MA (2003) Mistake in Contract Law, California Law Review, 91(6): 1575-1644

Eisenberg MA (2003) Disclosure in Contract Law, California Law Review, 91(6): 1647-1692

EFF, Electronic Frontier Foundation (2003) Unintended Consequences: Five Years under the DMCA, v. 3, September 24, 2003, available at

http ://www.eff.o rg/IP /DMCA/? f=unintend ed _ co nseq uences.html [14.2.2006]

Ellickson R (2001) The Market for Social Norms, American Law and Economics Review, 3(1): 1-49

Ellmer E, Merkl D, Quirchmayr G and Min Tjoa A (1996) Process Model Reuse to Promote Organizational Learning in Software Development, in Proceedings of the 20th Annual Int’l Computer Software and Applications Conference (COMPSAC’96), Seoul, Korea, August 19-20, IEEE Press, p.

21-26, available at

http://www.ifs.tuwien.ac.at/ifs/research/pub_ps/ell_compsac96.ps.gz

Ely JC and Välimaki J (2003) Bad reputation, The Quarterly Journal Of Economics, 118(3): 785-814

Ervasti K and Tala J (1996) Lainvalmistelu ja vaikutusten ennakointi, Edita, Helsinki

Etzioni A (2000) Social Norms: Internalization, Persuasion, and History, Law & Society Review, 34(1): 157-178

Evan WM (1980) Law as an Instrument of Social Change, in Evan WM (ed.) The Sociology of Law. A Social-Structural Perspective, The Free Press, New York, p. 554-563. Reprinted from Gouldner AW and Miller SM (eds., 1965) Applied Sociology: Opportunities and Problems, The Free Press, New York, p. 285-293

Feddersen TJ and Gilligan TW (2001) Saints and Markets: Activists and the Supply of Credence Goods, Journal of Economics & Management Strategy, 10(1): 149–171

(20)

XXII Regulating Secure Software Development

Fehr E and Falk A (2002) Psychological foundations of incentives, Schumpeter Lecture, Annual Conference of the European Economic Association 2001, European Economic Review, 46(4-5): 687-724Feld WJ and Jordan RS (1988) International Organizations. A Comparative Approach, Praeger, New York

Ferrejoli L (2001) Fundamental Rights, International Journal for the Semiotics of Law, 14(1): 1-33

Fine GA (2001) Enacting Norms: Mushrooming and the Culture of Expectations and Explanations, in Hechter M and Opp K-D (eds.) Social Norms, Russel Sage Foundation, New York, p. 139-165

Fischhoff B and Merz JF (1994) The Inconvenient Public: Behavioral Research Approaches to Reducing Product Liability Risks, in Hunziker JR and Jones TO (eds.) Product Liability and Innovation: Managing Risk in an Uncertain Environment, National Academy Press, Washington, DC, p. 159- 189 http://www.nap.edu/books/0309051304/html/ [23.2.2006]

Fisher D (2002) Contracts Getting Tough on Security, eWeek, April 15, 2002, available at http://www.eweek.com/article2/0,1895,1658531,00.asp [29.3.2006]

Froomkin AM (2003) Habermas@Discourse.net: Toward a Critical Theory of Cyberspace, Harvard Law Review, 116(3): 749-873, also available at http://osaka.law.miami.edu/~froomkin/discourse/ils.pdf [23.2.2006]

Fuggetta A (2000) Software Process: A Roadmap, in Finkelstein A (ed.) The Future of Software Engineering, 22nd International Conference on Software Engineering, ACM, New York, June

Gal-Or E and Ghose A (2003) The Economic Consequences of Sharing Security Information, paper presented at the Second Annual Workshop on Economics and Information Security, Robert H. Smith School of Business, University of Maryland, May 29-30, 2003, http://www.cpppe.umd.edu/rhsmith3/papers/Final_session7_galor.ghose.pdf [21.2.2006]

Garland D (1990) Punishment and Modern Society: A Study in Social Theory, University of Chicago Press, Chicago

Gavison R (1991) Comment: Legal Theory and the Role of Rules, Harvard Journal of Law & Public Policy, 14(3): 727-771


Gehring RA (2002) Software Development, Intellectual Property Rights, and IT Security, paper presented at the First Workshop on Economics and Information Security, University of California, Berkeley, May 16-17, 2002, available at http://www.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/44.pdf [16.2.2006]

Gehring RA (2001) "Software Patents" – IT-Security at Stake?, paper presented at the international conference "Innovations for an e-Society. Challenges for Technology Assessment", 17-19 October, Berlin, Germany, available at http://ig.cs.tu-berlin.de/oldstatic/ap/rg/2000-05/2001-10/Gehring2001Full-SWPatITSec.pdf [21.2.2006]

Geistfeld M (1999) Products Liability, in Bouckaert B and De Geest G (eds., 2000) Encyclopedia of Law and Economics, Volume III. The Regulation of Contracts, Edward Elgar, Cheltenham, also available at http://allserv.rug.ac.be/~gdegeest/5140book.pdf [21.2.2006]

Gomulkiewicz RW and Williamson ML (1996) A Brief Defense of Mass Market Software License Agreements, Rutgers Computer & Technology Law Journal, 12(2): 335-369

Gordon LA, Loeb MP, Lucyshyn W and Richardson R (2005) 2005 CSI/FBI Computer Crime and Security Survey, Computer Security Institute (CSI) publications, available at http://www.gocsi.com/ [23.2.2006]

Graff MG and van Wyk KR (2003) Secure Coding. Principles & Practice, O’Reilly & Associates, Sebastopol, USA

Granick JS (2004) The Price of Restricting Vulnerability Publications, International Journal of Communications Law and Policy (IJCLP), Issue 9, part 2, http://www.digital-law.net/IJCLP/Cy_2004/ijclp_webdoc_10_Cy_2004.htm [23.2.2006]

Gunningham N and Grabosky P (1998) Smart Regulation: Designing Environmental Policy, Oxford University Press, Oxford

Habermas J (1996) Between Facts and Norms: Contributions to a Discourse Theory of Law and Democracy, Polity Press, Cambridge (translated by William Rehg)

Harju H (2002) Kustannustehokas ohjelmiston luotettavuuden suunnittelu ja arviointi, Osa 1 [Cost-effective design and assessment of dependable software, Part 1], VTT Tiedotteita – Research Notes 2151, Valtion teknillinen tutkimuskeskus, Espoo, http://virtual.vtt.fi/inf/pdf/tiedotteet/2002/T2151.pdf [6.3.2006] (in Finnish)


Harju H and Koskela M (2003) Kustannustehokas ohjelmiston luotettavuuden suunnittelu ja arviointi, Osa 2 [Cost-effective reliability design and assessment of software, Part 2], VTT Tiedotteita – Research Notes 2193, Valtion teknillinen tutkimuskeskus, Espoo, http://virtual.vtt.fi/inf/pdf/tiedotteet/2003/T2193.pdf [6.3.2006] (in Finnish)

Harmathy A (1987) The Influence of Legal Systems on Modes of Implementation of Economic Policy, in Daintith T (ed.) Law as an Instrument of Economic Policy: Comparative and Critical Approaches, European University, Series A, No. 7, Walter de Gruyter, Berlin, p. 245-267

Hart HLA (1994) The Concept of Law, 2nd ed. (with a new Postscript), Clarendon Press, Oxford

Harrold MJ (2000) Testing: A Roadmap, in Finkelstein A (ed.) The Future of Software Engineering, 22nd International Conference on Software Engineering, ACM, New York, June, p. 61-73

Havana T (2003) Communication in the Software Vulnerability Reporting Process, M.A. thesis, University of Jyväskylä, http://www.ee.oulu.fi/research/ouspg/protos/sota/reporting/gradu.pdf [23.2.2006]

Havana T and Röning J (2003) Communication in the Software Vulnerability Process, Proceedings of the 15th FIRST Conference on Computer Security Incident Handling, Ottawa, Canada, June 22-27, 2003, http://www.ee.oulu.fi/research/ouspg/protos/sota/FIRST2003-communication/paper.pdf [23.2.2006]

Hechter M and Opp K-D (2001) What Have We Learned about the Emergence of Social Norms, in Hechter M and Opp K-D (eds.) Social Norms, Russell Sage Foundation, New York, p. 394-417

Helenius M (2005) Tietoturvallisuuden tutkimus ja opetus. Nykytilanne ja kehittämismahdollisuudet, Tietoyhteiskuntainstituutin raportteja 2/2005, Tampereen yliopisto, Tampere

Hellner J (1990) Lagstiftning inom förmögenhetsrätten. Praktik, teori och teknik, Juristförlaget, Stockholm

Hellner J (1985) Legislation and Sociology: The Law of Torts, in Kivivuori A (ed.) Law Drafting and Sociology, Ministry of Justice, Law Drafting Department, Publication Series No. 2/1985, Helsinki, p. 45-67

Hemmo M (1992) Kuluttajamainonnan informatiivisuusvaatimuksista, Lakimies, the Journal of the Finnish Lawyers’ Association, 90(3): 368-371


Hemmo M (2005) Oikeudellisen riskienhallinnan perusteita, Helsingin yliopiston oikeustieteellisen tiedekunnan julkaisut, Forum Iuris, Helsinki

Hemmo M (2004a) Sopimuksiin liittyvät vastuuriskit, in Aalto-Setälä I, Amper M, Haussila P, Hemmo M, Lintumaa S, Saloheimo J, Salomaa P, Soikkeli L, Strömberg H, Tuomainen J, and Virtanen P (2004) Yrityksen ja yhteisön vastuuriskit. Oikeudellisen riskienhallinnan perusteet, 2nd ed., Tietosanoma Oy, Helsinki, p. 13-31

Hemmo M (1998) Sopimus ja delikti. Tutkimus vahingonkorvausoikeuden vastuumuodoista, Kauppakaari, Lakimiesliiton Kustannus, Helsinki

Hemmo M (2003a) Sopimusoikeus I, 2nd ed., Talentum, Helsinki

Hemmo M (2003b) Sopimusoikeus II, 2nd ed., Talentum, Helsinki

Hemmo M (2005) Sopimusoikeus III, Talentum, Helsinki

Hemmo M (2004b) Tuotevastuuriskit, in Aalto-Setälä I, Amper M, Haussila P, Hemmo M, Lintumaa S, Saloheimo J, Salomaa P, Soikkeli L, Strömberg H, Tuomainen J, and Virtanen P (2004) Yrityksen ja yhteisön vastuuriskit. Oikeudellisen riskienhallinnan perusteet, 2nd ed., Tietosanoma Oy, Helsinki, p. 31-49

Hemmo M (2002) Vahingonkorvausoikeuden oppikirja, WSOY Lakitieto, Helsinki

Hemmo M (1996) Vahingonkorvauksen sovittelu ja moderni korvausoikeus [The Reduction of Damages and Modern Compensation Law], Suomalaisen lakimiesyhdistyksen julkaisuja, A-sarja, No. 209, Suomalainen lakimiesyhdistys, Helsinki, with an English summary

Hemmo M (1999) Vuoden 2000 ongelma ja siviilioikeus [The year 2000 problem and civil law], Oikeustiede – Jurisprudentia XXXII, Suomalaisen lakimiesyhdistyksen vuosikirja, Gummerus Kirjapaino Oy, Jyväskylä, p. 5-80, with an English summary

den Hertog JA (2000) General Theories of Regulation, in Bouckaert B and De Geest G (eds., 2000) Encyclopedia of Law and Economics, Volume III. The Regulation of Contracts, Edward Elgar, Cheltenham, p. 223-270, http://allserv.rug.ac.be/~gdegeest/5000book.pdf [22.2.2006]

van Hoecke M (2002) Law as Communication, Hart Publishing, Oxford and Portland, Oregon

Hood C (1986) The Tools of Government, Chatham House, Chatham, New Jersey


Hood C and Scott C (2000) Regulating Government in a 'Managerial' Age: towards a cross-national perspective, CARR Discussion Paper, no. 1, October, http://www.lse.ac.uk/collections/CARR/pdf/Disspaper1.pdf [16.2.2006]

Hood C, Rothstein H and Baldwin R (2001) The Government of Risk. Understanding Risk Regulation Regimes, Oxford University Press, Oxford

Horne C (2001) Sociological Perspectives on the Emergence of Norms, in Hechter M and Opp K-D (eds.) Social Norms, Russell Sage Foundation, New York, p. 3-35

Hosein IR (2003) Regulating the Technological Actor: How Governments Tried to Transform the Technology and the Market for Cryptography and the Implications for the Regulation of Information and Communications Technologies, London School of Economics, Department of Information Systems, submitted for a PhD in Information Systems, http://www.lse.ac.uk/collections/informationSystems/pdf/theses/hosein2.pdf [23.2.2006]

Hovav A and D'Arcy J (2005) Capital market reaction to defective IT products: The case of computer viruses, Computers & Security, 24(5): 409-424

Howells G (2001) The Millennium Bug and Product Liability, in Wilhelmsson T, Tuominen S and Tuomola H (eds.) Consumer Law in the Information Society, Kluwer Law International, The Hague, p. 295-307. Originally published in the Journal of Information, Law and Technology (JILT) 1999(2), available at http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1999_2/howells/ [27.3.2006]

Howells G and Wilhelmsson T (1997) EC and US Approaches to Consumer Protection – Should the Gap be Bridged?, Yearbook of European Law, 17: 207-268

Hugenholtz B (2000) Why the Copyright Directive is Unimportant, and Possibly Invalid, European Intellectual Property Review (EIPR), 11: 501-502, also available at http://www.ivir.nl/publications/hugenholtz/opinion-EIPR.html [published 11.10.2000, accessed 14.2.2006]

Hunt A (1997) The Politics of Law and the Law of Politics, in Tuori K, Bankowski Z and Uusitalo J (eds.) Law and Power. Critical and Socio-Legal Essays, Deborah Charles Publications, Liverpool, p. 51-83

Hunziker JR and Jones TO (eds., 1994) Product Liability and Innovation: Managing Risk in an Uncertain Environment, National Academy Press, Washington, DC, http://www.nap.edu/books/0309051304/html/ [14.2.2006]


Hydén H (2001) Rättsregler. En introduktion till juridiken, Studentlitteratur, Lund

Häyhä J (1999) Ankara vastuu ja vahingonkorvausoikeuden järjestelmä, Oikeustiede – Jurisprudentia XXXII, Suomalaisen lakimiesyhdistyksen vuosikirja, Gummerus Kirjapaino Oy, Jyväskylä, p. 81-150, with an English summary

Irlenbusch B (2004) Relying on a man's word? An experimental study on non-binding contracts, International Review of Law and Economics, 24(3): 299-332

Jarass HD (1988) Regulation as an Instrument of Economic Policy, in Daintith T (ed.) Law as an Instrument of Economic Policy: Comparative and Critical Approach, Walter de Gruyter, Berlin, p. 75-97

Joerges C, Falke J, Micklitz HW and Brüggemeier G (1991) European Product Safety, Internal Market Policy and the New Approach to Technical Harmonisation and Standards, EUI Working Paper LAW, Nos. 91/10-14, European University Institute, Florence, available at http://www.iue.it/LAW/WP-Texts/Joerges91/ [13.2.2006]. Original German version: Die Sicherheit von Konsumgütern und die Entwicklung der Gemeinschaft, Nomos, 1988

Joerges C, Schepel H and Vos E (1999) The Law's Problems with the Involvement of Non-Governmental Actors in Europe's Legislative Process: The Case of Standardisation under the 'New Approach', EUI Working Paper Law, No. 99/9, European University Institute, San Domenico, available at http://cadmus.iue.it/dspace/retrieve/948/law99_9.pdf [14.2.2006]

Jolls C, Sunstein CR and Thaler RH (1998) A Behavioral Approach to Law and Economics, Stanford Law Review 50(5): 1471-1551, available also at http://www.law.harvard.edu/programs/olin_center/papers/pdf/236.pdf [14.2.2006]

Kaisanlahti T (1999) Riskin pulverointi vahingonkorvausoikeuden tehtävänä, in Kanniainen V and Määttä K (eds.) Näkökulmia oikeustaloustieteeseen 3, Kauppakaari OYJ, Lakimiesliiton Kustannus, Helsinki 1999, p. 85-105

Kaner C (1997) The Impossibility of Complete Testing, at http://www.kaner.com/pdfs/imposs.pdf [23.2.2006] published in Software QA, 4(4)


Kaner C (2000) Software Engineering and UCITA, available at http://www.badsoftware.com/engr2000.htm, last modified September 16, 2000 [2.1.2006] initially published in John Marshall Journal of Computer and Information Law, 18(2): 435-546, Winter 2000.

Kaner C and Pels D (1997) Software Customer Dissatisfaction, at http://www.kaner.com/pdfs/sqastat2.pdf [23.2.2006] published at Software QA, 4(3)

Kannan K and Telang R (2004) An Economic Analysis of Market for Software Vulnerabilities, paper presented at The Third Annual Workshop on Economics and Information Security (WEIS04), May 13-14, 2004, University of Minnesota, Minneapolis, USA, http://www.dtc.umn.edu/weis2004/kannan-telang.pdf [23.2.2006]

Karlsson J and Ryan K (1997) A Cost-Value Approach for Prioritizing Requirements, IEEE Software, 14(5): 67-75

Kaspersen HW (1994) Foreword, in Sizer R, Yngström L, Kaspersen H, Fischer-Hübner S (eds.) Security and Control of Information Technology in Society, Proceedings of the IFIP TC9/WG9.6 Working Conference on Security and Control of Information Technology in Society on Board M/S Illich and ashore at St. Petersburg, Russia, 12-17 August, 1993, IFIP Transaction, A-43, North-Holland, p. 7-10

Kaspersen HW (1992) How to Advance Computer Security by Legal Instruments?, in Kilian W and Wiebe A (eds.) Data Security in Computer Networks and Legal Problems, S. Toeche-Mittler Verlag, Darmstadt, Proceedings of a Working Conference in Hannover/Germany on September 23-24, 1991, p. 85-95

Klami HT (1977) Oikeudellisen sääntelyn yleinen teoria, Turun yliopiston yksityisoikeuden laitoksen julkaisuja 12/1977, Turku

Keil M and Carmel E (1995) Customer-developer links in software development, Communications of the ACM, 38(5): 33–44

Kesan JP, Majuca RP and Yurcik WJ (2005) The Economic Case for Cyberinsurance, University of Illinois Law & Economics Research Paper No. LE04-004, paper presented at a Stanford Law School Symposium: Securing Privacy in the Internet Age, March 13-14 2004, Stanford Law School, CA, USA, http://ssrn.com/abstract=577862 [23.2.2006]

Keskitalo P (2000) From Assumptions to Risk Management. An Analysis of Risk Management for Changing Circumstances in Commercial Contracts, Especially in the Nordic Countries, Kauppakaari Oyj, Lakimiesliiton Kustannus, Helsinki


Kilian W (1992) Data Security in Computer Networks and Legal Problems, in Kilian W and Wiebe A (eds.) Data Security in Computer Networks and Legal Problems, S. Toeche-Mittler Verlag, Darmstadt, Proceedings of a Working Conference in Hannover/Germany on September 23-24, 1991

Kivivuori A (2005) Vahingonkorvausvastuun tarkoitusperät, in Halila H, Hemmo M and Sisula-Tulokas L (eds. 2005) Juhlajulkaisu Esko Hoppu 1935 – 15/1 – 2005, Suomalainen Lakimiesyhdistys, Helsinki, p. 163-173

Kunreuther H and Heal G (2003) Interdependent Security, Journal of Risk and Uncertainty, 26(2-3): 231-249, also available at http://opim.wharton.upenn.edu/risk/downloads/02-06-HK.pdf [21.2.2006]

Kunreuther H, Heal G and Orszag PR (2002) Interdependent Security: Implications for Homeland Security Policy and Other Areas, The Brookings Institution Policy Brief, number 108, October, http://www.brookings.org/dybdocroot/comm/policybriefs/pb108.pdf [23.2.2006]

Kuvaja P, Maansaari J, Seppänen V and Taramaa J (1999) Specific Requirements for Assessing Embedded Product Development, in Oivo M and Kuvaja P (eds.) Proceedings of the International Conference on Product Focused Software Process Improvement, Oulu, Finland, June 22-24, 1999, Technical Research Center of Finland, Espoo

Laakso M, Takanen A and Röning J (2001) Introducing Constructive Vulnerability Disclosures, Proceedings of the 13th FIRST Conference on Computer Security Incident Handling, Toulouse, June 17-22, 2001, http://www.ee.oulu.fi/research/ouspg/protos/sota/FIRST2001-disclosures/ [updated 26.7.2001, visited 23.2.2006]

Landwehr C (2002) Improving Information Flow in the Information Security Market, paper presented at the Workshop on Economics and Information Security, University of California, Berkeley, May 16-17, 2002, http://www.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/econws/11.doc [21.2.2006]

Latour B (2000) When Things Strike Back: A Possible Contribution of Science Studies to the Social Sciences, British Journal of Sociology, 51(1): 107-124

Lemley MA and McGowan D (1998) Legal Implications of Network Economic Effects, http://papers.ssrn.com/paper.taf?ABSTRACT_ID=32212 [21.2.2006] published in Cal. L. Rev. 86: 479

Lessig L (1999) Code and Other Laws of Cyberspace, Basic Books, New York


Lessig L (1999) The Law of the Horse. What Cyberlaw Might Teach, Harvard Law Review, 113(2): 501-550

Lessig L (1998) The New Chicago School, Journal of Legal Studies, 27(2): 661-691, also available at http://lessig.org/content/articles/works/LessigNewchicschool.pdf [23.2.2006]

Lessig L (1995) The Regulation of Social Meaning, University of Chicago Law Review, 62(3): 944-1045, also available at http://www.lessig.org/content/articles/works/regulation-socialmeaning.pdf [23.2.2006]

Levin DB (2002) Student Note: Building social norms on the Internet, Yale Journal of Law & Technology, 4(2001-2002): 97-138

Lewis JA (2005) Aux Armes, Citoyens: Cyber Security and Regulation in the United States, Telecommunications Policy, 29(11): 821-830

Liebowitz SJ and Margolis SE (1994) Network Externality: An Uncommon Tragedy, Journal of Economic Perspectives, 8(2), also available at http://wwwpub.utdallas.edu/~liebowit/jep.html [21.2.2006]

Lindberg A and Westman D (1999) Praktisk IT-rätt, 2nd ed., Norstedts Juridik AB, Stockholm

Liska AE (1997) Modelling the Relationships Between Macro Forms of Social Control, Annual Review of Sociology, 23(1): 39-61

Lloyd IJ (2005) Information Technology Law, 4th ed., Oxford University Press, Oxford

Lookabaugh T and Sicker DC (2003) Security and Lock-In: The Case of the U.S. Cable Industry, paper presented at Economics and Information Security Workshop, University of Maryland, May 29-30, http://www.cpppe.umd.edu/rhsmith3/papers/Final_session8_lookabaugh.sicker.pdf [21.2.2006]

Lundvall BÅ (2000) Understanding the Role of Education in the Learning Economy. The Contribution of Economics, in OECD-CERI, Knowledge Management in the Learning Society, OECD, Paris, pp. 11-35, esp. pp. 18-21

MacCormack A (2001) Product Development Practices that Work: How Internet Companies Build Software, Sloan Management Review, 42(2): 75-84

MacCormack A, Verganti R and Iansiti M (2001) Developing Products on "Internet Time": The Anatomy of a Flexible Development Process, Management Science, 47(1): 133-150


MacCormick N (1981) H.L.A. Hart, Jurists: Profiles in Legal Theory, Stanford University Press, Stanford

MacCormick N (1983) On Legal Decisions and their Consequences: from Dewey to Dworkin, New York University Law Review, 58(2): 239-258, republished in Aarnio A and MacCormick N (eds., 1992) Legal Reasoning. Volume II, The International Library of Essays in Law and Legal Theory, Dartmouth, Aldershot, p. 83-102

MacDonald (1999) Y2K and Contractual Exemption Clauses, Journal of Information, Law and Technology (JILT), 1999(2), available at http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1999_2/macdonald/ [27.3.2006]

Mackaay E (1982) Economics of Information and Law, Kluwer, Nijhoff Publishing, Dordrecht

Mackaay E (1992) The Public’s Right to Information, in Korthals Altes WF, Dommering EJ, Hugenholtz PB, and Kabel JJC (eds.) Information Law Towards the 21st Century, Kluwer, Deventer

Mackaay E and Leblanc V (2003) The Law and Economics of Good Faith in the Civil Law of Contract, paper prepared for the 2003 Conference of the European Association of Law and Economics, Nancy, France, 18-20 September 2003, http://www.cdaci.umontreal.ca/pdf/mackaay_law_economics.pdf [23.2.2006]

MacKenzie D and Wajcman J (1987) Introductory Essay: The Social Shaping of Technology, in MacKenzie D and Wajcman J (eds.) The Social Shaping of Technology. How the Refrigerator got its Hum, Open University Press, Milton Keynes and Philadelphia, p. 3-28

Mathiesen T (2005) Rätten i samhället. En introduktion till rättssociologin, femte upplagan, Studentlitteratur, Lund

Matthews S and Postlewaite A (1985) Quality Testing and Disclosure, Rand Journal of Economics, 16(3): 328-340

Mayntz R (1983) The Conditions of Effective Public Policy – A New Challenge for Policy Analysis, Policy and Politics, 11(2): 123-145

Mayntz R (1988) Political Intentions and Legal Measures: The Determinants of Policy Decisions, in Daintith T (ed.) Law as an Instrument of Economic Policy: Comparative and Critical Approach, Walter de Gruyter, Berlin


Mazmanian DA and Sabatier PA (1989) Implementation and Public Policy, University Press of America, Lanham

Mattei U (1998) Comparative Law and Economics, The University of Michigan Press, Ann Arbor

McAdams RH (1997) The Origin, Development, and Regulation of Norms, Michigan Law Review, 96(2): 338-434

McAdams RH and Nadler J (2004) A Third Model of Legal Compliance: Testing for Expressive Effects in a Hawk/Dove Game, International Association for Conflict Management (IACM) 17th Annual Conference Paper No. P-107, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=573582 [23.2.2006]

McNutt P (2000) Public Goods and Club Goods, in Bouckaert B and De Geest G (eds.) Encyclopedia of Law and Economics, Volume I. The History and Methodology of Law and Economics, Edward Elgar, Cheltenham, p. 927-951, http://allserv.rug.ac.be/~gdegeest/0750book.pdf [21.2.2006]

Meijboom AP (1989) Legal Rights to Source Code, in Vandenberghe GPV (ed.) Advanced Topics of Law and Information Technology, Kluwer Law and Taxation Publishers, Boston, p. 105-127

Meltzer J, Freeman R and Thomson S (2003) Product Liability in the European Union. A Report for the European Commission, MARKT/2001/11/D, available at the web pages of the European Commission at http://europa.eu.int/comm/enterprise/regulation/goods/liability_en.htm [22.2.2006]

Mercuro N and Medema SG (1997) Economics and the Law. From Posner to Post-Modernism, Princeton University Press, Princeton, New Jersey

Miettinen T (2001) Tieteen vapaus: Julkisoikeudellinen tutkimus tieteenharjoittajan itsemääräämisoikeudesta, tieteen itsekontrollista ja yliopiston itsehallinnosta, Kauppakaari, Helsinki

Migdal A (1999) Shrinkwrap Licenses Abroad, Journal of Internet Law, Vol. 2, partly reprinted in Lemley MA, Menell PS, Merges RP, and Samuelson P (2000) Software and Internet Law, Aspen Law & Business, New York, p. 751-753

Mononen M (2004) Yritysten välinen tuotevastuu, Talentum Media Oy, Helsinki

Moore MS (1989) Authority, Law, and Razian Reasons, Southern California Law Review, 62: 827-897
