Trading exploits online: A preliminary case study

A software vulnerability is a defect that exposes a software system to attack. A software exploit is an engineered piece of software that successfully takes advantage of such a vulnerability. Exploits are used to break into computer systems, but they are now also used for security testing, security analytics, intrusion detection, consultation, and other legitimate and legal purposes. A well-established market for software vulnerabilities emerged in the 2000s. The current market segments, populated by small and medium-sized companies, exhibit signals that may eventually lead to a similar industrialization of software exploits. Against this backdrop and these industry trends, this paper observes the first online marketplace for trading exploits between buyers and sellers. The paper adopts three perspectives to study the case. It (a) portrays the studied exploit marketplace against the historical background of the software security industry. A qualitative assessment (b) evaluates the case against the common characteristics of traditional online marketplaces. The qualitative observations are then used in the quantitative part (c) to predict the price of exploits with partial least squares regression. The results show that (i) the case is unique from a historical perspective, although (ii) its marketplace characteristics are familiar. The regression estimates also indicate that (iii) the pricing of exploits depends only partially on factors such as the targeted platform, the disclosure date of the exploited vulnerability, and the quality assurance service provided by the marketplace operator. The results also allow (iv) practical means for enhancing the marketplace to be contemplated.