Does information security attack frequency increase with vulnerability disclosure? An empirical analysis

Authors: Ashish Arora, Anand Nandkumar, Rahul Telang

DOI: 10.1007/S10796-006-9012-5

Keywords:

Abstract: Research in information security, risk management and investment has grown in importance over the last few years. However, without reliable estimates of attack probabilities, risk management is difficult to do in practice. Using a novel data set, we provide estimates of attack propensity and of how it changes with the disclosure and patching of vulnerabilities. Disclosure of software vulnerabilities has been controversial. On one hand are those who propose full and instant disclosure whether or not a patch is available; on the other are those who argue for limited or no disclosure. Which of the two policies is socially optimal depends critically on how attack frequency changes with disclosure and patching. In this paper, we empirically explore the impact of disclosure and of patch availability on attacks targeting a vulnerability. Our results suggest that on average both secret (non-published) and published (published but not patched) vulnerabilities attract fewer attacks than patched vulnerabilities. When we control for time since publication and since patch release, we find that patching an already known vulnerability decreases the number of attacks, although attacks gradually increase after the patch is released. Patching an unknown vulnerability, however, causes a spike in attacks, which then decline. Attacks on a vulnerability increase slowly until it is published, then decrease rapidly after publication.

References (14)
Stuart E. Schechter, Michael D. Smith, "How Much Security Is Enough to Stop a Thief?: The Economics of Outsider Theft via Computer Systems and Networks." Financial Cryptography, pp. 122-137 (2003), 10.1007/978-3-540-45126-6_9
John Douglas Howard, "An analysis of security incidents on the Internet 1989-1995." Carnegie Mellon University (1998)
J. McHugh, W.L. Fithen, W.A. Arbaugh, "Windows of vulnerability: a case study analysis." IEEE Computer, vol. 33, pp. 52-59 (2000), 10.1109/2.889093
Lawrence A. Gordon, Martin P. Loeb, "The economics of information security investment." ACM Transactions on Information and System Security, vol. 5, pp. 438-457 (2002), 10.1145/581271.581274
Eric Rescorla, "Security holes... who cares?" USENIX Security Symposium, p. 6 (2003)
E. Rescorla, "Is finding security holes a good idea?" IEEE Symposium on Security and Privacy, vol. 3, pp. 14-19 (2005), 10.1109/MSP.2005.17
Karthik Kannan, Rahul Telang, "Market for Software Vulnerabilities? Think Again." Management Science, vol. 51, pp. 726-740 (2005), 10.1287/MNSC.1040.0357