Abstract
A significant debate in the security industry revolves around the vulnerability disclosure policy. We investigate the effects of immediate disclosure through an empirical study that analyzes security alerts for 960 clients of an US based security service provider. We find that immediate disclosure of vulnerabilities reduces delay in the attack diffusion process and slightly increases penetration of attacks in the population of target systems but slightly decreases the overall the volume of attacks.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Arora A, Caulkins JP, Telang R (2006) Sell first, fix later: impact of patching on software quality. Manag Sci 52(3):465–471
Arora A, Telang R, Hao X (2008) Optimal policy for software vulnerability disclosure. Manag Sci 54(4):642–656
August T, Tunca TI (2006) Network software security and user incentives. Manag Sci 52(11):1703–1720
August T, Tunca TI (2008) Let the pirates patch? an economic analysis of software security patch restrictions. Inform Syst Res 19(1):48–70
Cavusoglu H, Cavusoglu H, Raghunathan S (2007) Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Trans Software Eng 33(3):171–185
Cavusoglu H, Cavusoglu H, Zhang J (2008) Security patch management: share the burden or share the damage? Manag Sci 54(4):657–670
Denicolo V (2000) Two-stage patent races and patent policy. RAND J Econ 31(3):488–501
National Vulnerability Database (2008) http://nvd.nist.gov/ Accessed 23 Apr 2008
Park I, Sharman R, Rao HR, Upadhyaya S (2007) Short term and total life impact analysis of email worms in computer systems. Decis Support Syst 43:827–841
Ransbotham S, Mitra S (2009) Choice and chance: a conceptual model of paths to information security compromise. Inform Syst Res 20(1):121–139
Ransbotham S, Mitra S, Ramsey J (2011) Are Markets for Vulnerabilities Effective? MIS Quarterly forthcoming
Rogers EM (2003) Diffusion of innovations, 5th edn. The Free Press, New York, NY
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer Science+Business Media New York
About this paper
Cite this paper
Ransbotham, S., Mitra, S. (2013). The Impact of Immediate Disclosure on Attack Diffusion and Volume. In: Schneier, B. (eds) Economics of Information Security and Privacy III. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-1981-5_1
Download citation
DOI: https://doi.org/10.1007/978-1-4614-1981-5_1
Published:
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-1980-8
Online ISBN: 978-1-4614-1981-5
eBook Packages: Computer ScienceComputer Science (R0)