The dynamics of (in)security

Global Internet penetration and e-commerce have grown explosively over the past years. Information technology has become a backbone of industry and everyday life, and we would intuitively expect such an important technology to be well monitored and protected. Yet few would dispute that the constant discovery of new vulnerabilities drives the security risk we are exposed to. Because risk awareness is an essential factor in human decision making, we need metrics to measure and monitor the risk exposure of our networked economy and society. Research on the economic consequences of cyber attacks has dealt primarily with micro-analysis of specific events, technologies or targeted organizations. The cumulative number of vulnerabilities disclosed over time is an interesting and often-cited indicator of increasing risk exposure, but this measure alone does not explain the processes that drive it. Accurate knowledge of when a vulnerability is discovered, exploited, disclosed and patched (its lifecycle) lets one identify different types of risk and quantify risk exposure, and its evolution, at global scale. A metric based on the vulnerability lifecycle is therefore vital to understanding the security ecosystem. We build a comprehensive dataset of 30,000 vulnerabilities publicly disclosed since 1996 to reconstruct the
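The following is an added illustration of how lifecycle timestamps turn into risk metrics; it is not code or data from the paper. The five records are constructed, and the risk labels (`zero-day`, `exploit-first`, `patch-first`, `unpatched`) are an assumed taxonomy chosen for the demonstration, not the paper's definitions. The point it makes is the one in the abstract: the cumulative disclosure count says nothing about exposure, whereas the ordering of exploit, disclosure and patch dates does.

```python
"""Vulnerability lifecycle metrics over a small constructed dataset.

Added example. Record fields, sample dates and the risk labels are
assumptions for the demonstration, not the paper's dataset or taxonomy.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vuln:
    vid: str
    discovery: date          # when the flaw was first found
    disclosure: date         # public disclosure date
    exploit: Optional[date]  # first public exploit, None if none is known
    patch: Optional[date]    # vendor fix available, None if still unpatched


def days(a: Optional[date], b: Optional[date]) -> Optional[int]:
    """Signed day count from a to b; None if either date is unknown."""
    if a is None or b is None:
        return None
    return (b - a).days


def risk_type(v: Vuln) -> str:
    """Classify a vulnerability by the order of exploit, disclosure and patch.

    Assumed labels (illustrative, not the paper's):
      zero-day      - exploit public on or before the disclosure date
      unpatched     - public, no fix available
      patch-first   - fix shipped before any exploit (or no exploit known)
      exploit-first - a public exploit preceded the fix
    """
    if v.exploit is not None and v.exploit <= v.disclosure:
        return "zero-day"
    if v.patch is None:
        return "unpatched"
    if v.exploit is None or v.patch < v.exploit:
        return "patch-first"
    return "exploit-first"


def exposure_days(v: Vuln, as_of: date) -> int:
    """Days the vulnerability was public without a patch, up to as_of."""
    end = v.patch if v.patch is not None else as_of
    return max(0, (min(end, as_of) - v.disclosure).days)


def cumulative_disclosed(vulns: List[Vuln], at: date) -> int:
    """The often-cited indicator: how many vulnerabilities are public at `at`."""
    return sum(1 for v in vulns if v.disclosure <= at)


def lifecycle_summary(vulns: List[Vuln], as_of: date) -> Dict[str, object]:
    """Lifecycle-based view of the same dataset: counts per risk type,
    median disclosure-to-patch delay, and total unpatched exposure."""
    counts: Dict[str, int] = {}
    for v in vulns:
        counts[risk_type(v)] = counts.get(risk_type(v), 0) + 1
    patch_delays = [days(v.disclosure, v.patch) for v in vulns if v.patch is not None]
    return {
        "disclosed": cumulative_disclosed(vulns, as_of),
        "by_risk_type": counts,
        "median_disclosure_to_patch_days": median(patch_delays) if patch_delays else None,
        "total_exposure_days": sum(exposure_days(v, as_of) for v in vulns),
    }


# Constructed sample records (not real CVEs); dates chosen to cover each label.
SAMPLE = [
    Vuln("V-1", date(2008, 1, 10), date(2008, 2, 1), date(2008, 1, 25), date(2008, 2, 15)),  # exploit before disclosure
    Vuln("V-2", date(2008, 3, 1), date(2008, 3, 20), None, date(2008, 3, 20)),               # same-day patch, no exploit
    Vuln("V-3", date(2008, 4, 5), date(2008, 4, 12), date(2008, 4, 14), date(2008, 5, 2)),   # exploit two days after disclosure
    Vuln("V-4", date(2008, 5, 1), date(2008, 5, 9), None, None),                             # public, still unpatched
    Vuln("V-5", date(2008, 6, 1), date(2008, 6, 30), date(2008, 7, 10), date(2008, 7, 5)),   # patch five days before exploit
]
AS_OF = date(2008, 7, 31)

if __name__ == "__main__":
    for v in SAMPLE:
        print(v.vid, risk_type(v), "exposure days:", exposure_days(v, AS_OF))
    print(lifecycle_summary(SAMPLE, AS_OF))
```

Run as a script it prints the per-record classification and the summary; the same five records give `disclosed == 5`, which says nothing about the fact that one of them was exploited before anyone could react and one has been public for 83 days without a fix.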
