Research in information security, risk management and investment has grown in importance over the last few years. However, without reliable estimates of attack probabilities, risk management is difficult to do in practice. Using a novel data set, we provide estimates of attack propensity and how it changes with the disclosure and patching of vulnerabilities. Disclosure of software vulnerabilities has been controversial. On one hand are those who propose full and instant disclosure whether or not a patch is available, and on the other hand are those who argue for limited or no disclosure. Which of the two policies is socially optimal depends critically on how attack frequency changes with disclosure and patching. In this paper, we empirically explore the impact of vulnerability information disclosure and the availability of patches on attacks targeting the vulnerability. Our results suggest that, on average, both secret (non-published) and published (published but not patched) vulnerabilities attract fewer attacks than patched (published and patched) vulnerabilities. When we control for time since publication and patching, we find that patching an already known vulnerability decreases the number of attacks, although attacks gradually increase with time after patch release. Patching an unknown vulnerability, however, causes a spike in attacks, which then gradually declines after patch release. Attacks on secret vulnerabilities slowly increase with time until the vulnerability is published, after which attacks rapidly decrease with time.