The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors. Support RAND: make a tax-deductible charitable contribution at www.rand.org/giving/contribute.html. R® is a registered trademark.
This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions.
The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest.
For more information on this publication, visit www.rand.org/t/RR1751. Library of Congress Cataloging-in-Publication Data is available for this publication. ISBN: 978-0-8330-9761-3. Published by the RAND Corporation, Santa Monica, Calif. © Copyright 2017 RAND Corporation. Cover: Composite image by Eileen Delson La Russo. Adapted from images by Agil_Leonardo, Matejmo, and Byakkaya; courtesy of Getty Images.
Preface
There is an ongoing policy debate over whether the U.S. government, or any government, should retain so-called zero-day software vulnerabilities or disclose them so they can be patched.
Those who have knowledge of a zero-day vulnerability may create "exploits" (code that takes advantage of the vulnerability) to access other parts of a system, execute their own code, act as an administrator, or perform some other action, but many worry that keeping these vulnerabilities secret can expose people who use the vulnerable software to malware attacks and other attempts to collect their private information. Furthermore, cybersecurity and the liability that might result from attacks, hacks, and data breaches using zero-day vulnerabilities have substantial implications for U.S. consumers, companies, and insurers, and for the civil justice system broadly.
The debate of whether to retain or disclose these vulnerabilities is often fueled by how much overlap there might be between the zero-day vulnerabilities or exploits the U.S. government keeps and those its adversaries are stockpiling. If both sides have the same stockpiles, then some argue that there is little point to keeping them private, whereas a smaller overlap might justify retention. But without information on the overlap, or concrete metrics based on actual data, it is challenging to make a well-informed decision about stockpiling.
To address this question, RAND obtained rare access to a dataset of information about zero-day software vulnerabilities and exploits. In this report, we explore the dataset using novel applications ...
For more information on this publication, visit www.rand.org/t/rr1187. Published by the RAND Corporation, Santa Monica, Calif. © Copyright 2016 RAND Corporation. Cover: Image via pathdoc/Fotolia.
Preface
Data breaches continue to plague private-sector companies, nonprofit organizations, and government agencies. Although spending on cybersecurity continues to grow, companies are still being breached, and sensitive personal, financial, and health information is still being compromised. As of March 2016, 47 states and the District of Columbia have adopted laws that require companies to notify individuals in the event that their personal information is lost or stolen. This report sets out the results of a study of consumer attitudes toward data breaches, notifications that a breach has occurred, and company responses to such events.
The report should provide valuable information that can be used by businesses and policymakers as they develop policies and best practices related to information security and data breach response.
Moreover, it should be of interest to individuals who conduct business with any organization that holds their personal and confidential data.
RAND Institute for Civil Justice
The RAND Institute for Civil Justice (ICJ) is dedicated to improving the civil justice system by supplying policymakers and the public with rigorous and nonpartisan research. Its studies identify trends in litigation and inform policy choices about liability, compensation, regulation, risk management, and insurance. The institute builds on a long tradition of RAND Corporation research characterized by an interdisciplinary, empirical approach to public policy issues and rigorous standards of quality, objectivity, and independence.
ICJ research is supported by pooled grants from a range of sources, including corporations, trade and professional associations, individuals, government agencies, and private foundations. All its reports are subject to peer review and disseminated widely to policymakers, practitioners in law and business, other r...