Security econometrics: The dynamics of (in)security

The security of information technology is affected by a wide variety of actors and processes which together make up a security ecosystem. We examine this ecosystem, consolidating many aspects of security that have hitherto been discussed only separately. We analyze the roles of the major actors and the processes they participate in, the paths vulnerability data take through the ecosystem, and the impact of each of these on security risk. Based on a quantitative analysis of 27,000 vulnerabilities disclosed over the past decade, we quantify the systematic gap between exploit and patch availability. We provide the first examination of the impact and the risks associated with this gap on the ecosystem as a whole. Our analysis provides a metric for the success of the "responsible disclosure" process. We measure the prevalence of the commercial markets for vulnerability information and highlight the role of security information providers (SIP), which function as the "free press" of the ecosystem.
