2012
DOI: 10.2307/41410405

Are Markets for Vulnerabilities Effective?

Abstract: Current reward structures in security vulnerability disclosure may be skewed toward benefitting nefarious usage of vulnerability information rather than responsible disclosure. Recently suggested market-based mechanisms offer incentives to responsible security researchers for discovering and reporting vulnerabilities. However, concerns exist that any benefits gained through increased incentives for responsible discovery may be lost through information leakage. Using perspectives drawn from the diffusion of inn…

Cited by 83 publications (50 citation statements)
References 58 publications
“…Focusing on the organizational and behavioral aspect of information security, the extant literature has addressed security issues from various perspectives of software vendors, end computer users, organizations, and supply chains. From the vendor's perspective, studies have examined vendor strategies of vulnerability disclosure and patching (Arora et al 2005, August and Tunca 2008, Cavusoglu et al 2008, Kannan and Telang 2005, their impacts on the vendor's market value D'Arcy 2005, Telang and Wattal 2007), attackers' reactions (Arora et al 2006, Mitra and Ransbotham 2015, Ransbotham et al 2012) and software quality (Rescorla 2004), and the effectiveness of vendor liability policies (August and Tunca 2011, August et al 2014, Rustad and Koening 2005. The literature from the home computer user's perspective has studied motivations for security behavior (Anderson and Agarwal 2010, LaRose et al 2008, Woon et al 2005, the perception of security risks (Furnell et al 2007), and security software adoption (Lee and Kozar 2005).…”
Section: Information Security
Citation type: mentioning
confidence: 99%
“…At the user level, many studies have considered employee compliance with security policy (Bulgurcu et al 2010, Johnston and Warkentin 2010, Myyry et al 2009, Straub and Nance 1990, intrinsic and extrinsic motivators for security behavior (Herath and Rao 2009), security violations (D'Arcy et al 2009, Lee and Larsen 2009, Lee et al 2003, Siponen and Vance 2010, Willison 2006, and the mediating effects of mandatoriness (Boss et al 2009), cultural differences (Dinev et al 2008), and perceived severity (Workman et al 2008). Most of these empirical studies have collected data through surveys, interviews, experiments, or public announcements on security attacks or breaches, with the exception of the studies of Mitra and Ransbotham (2015) and Ransbotham et al (2012), which used actual security alert data from firms.…”
Section: Information Security
Citation type: mentioning
confidence: 99%
“…The dependent variable in our model is the time duration from vulnerability discovery to exploit publication. Following related studies (Arora et al., ; Ransbotham et al., ; Temizkan et al., ), we use a survival model to accommodate that vulnerabilities are discovered at different times, and exploits may have yet to be published for some of the vulnerabilities (i.e., censored duration data). The coefficient estimates determine the hazard rate of exploit publication, which is the “conditional likelihood that the event of interest occurs at duration time t, given that it has not occurred in the duration interval (0, t)” (Helsen & Schmittlein, ).…”
Section: Empirical Model
Citation type: mentioning
confidence: 99%
“…The life cycle of enterprise system risks derived from vulnerabilities, exploits, and patching follows a distinguishable pattern (August & Tunca, 2011; Ransbotham, Mitra, & Ramsey, 2012). To summarize prior literature and position our contribution, Figure 1 presents a process model of technology vulnerabilities and their patching and exploit events.…”
Section: Life Cycle Of Technology Vulnerabilities Exploits and Patc
Citation type: mentioning
confidence: 99%
“…With the current increase in collaboration between firms and in the number of electronic transactions between firms and clients, information systems are becoming increasingly dynamic, distributed, and complex. Internet developments facilitate the continuous time diffusion of computer viruses (Piqueira et al 2008, Han and Tan 2010) and cyber attacks (Ransbotham et al 2012). Dynamic optimization and particularly differential game approaches that consider time dimension are necessary to address these problems that firms are confronting.…”
Section: Introduction
Citation type: mentioning
confidence: 99%