Are Markets for Vulnerabilities Effective?

Ransbotham, Sam; Mitra, Sabyaschi; Ramsey, Jon W.

doi:10.2307/41410405

Cited by 82 publications

(50 citation statements)

References 58 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Focusing on the organizational and behavioral aspect of information security, the extant literature has addressed security issues from various perspectives of software vendors, end computer users, organizations, and supply chains. From the vendor's perspective, studies have examined vendor strategies of vulnerability disclosure and patching (Arora et al 2005, August and Tunca 2008, Cavusoglu et al 2008, Kannan and Telang 2005, their impacts on the vendor's market value D'Arcy 2005, Telang andWattal 2007), attackers' reactions (Arora et al 2006, Mitra and Ransbotham 2015, Ransbotham et al 2012) and software quality (Rescorla 2004), and the effectiveness of vendor liability policies (August and Tunca 2011, August et al 2014, Rustad and Koening 2005. The literature from the home computer user's perspective has studied motivations for security behavior (Anderson and Agarwal 2010, LaRose et al 2008, Woon et al 2005, the perception of security risks (Furnell et al 2007), and security software adoption (Lee and Kozar 2005).…”

Section: Information Securitymentioning

confidence: 99%

“…At the user level, many studies have considered employee compliance with security policy (Bulgurcu et al 2010, Johnston and Warkentin 2010, Myyry et al 2009, Straub and Nance 1990, intrinsic and extrinsic motivators for security behavior (Herath and Rao 2009), security violations (D'Arcy et al 2009, Lee and Larsen 2009, Lee et al 2003, Siponen and Vance 2010, Willison 2006, and the mediating effects of mandatoriness (Boss et al 2009), cultural differences (Dinev et al 2008), and perceived severity (Workman et al 2008). Most of these empirical studies have collected data through surveys, interviews, experiments, or public announcements on security attacks or breaches, with the exception of the studies of Mitra and Ransbotham (2015) and Ransbotham et al (2012), which used actual security alert data from firms.…”

Section: Information Securitymentioning

confidence: 99%

See 1 more Smart Citation

Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment

Tang

Whinston

2020

Production and Operations Management

View full text Add to dashboard Cite

Security negligence, a major cause of data breaches, occurs when an organization's information technology management fails to adequately address security vulnerabilities. By conducting a field quasi‐experiment using outgoing spam as a focal security issue, this study investigates the effectiveness of reputational sanctions in reducing security negligence in a global context. In the quasi‐experiment, a reputational sanction mechanism based on outgoing spam was established for four countries, and for each country, reputational sanctions were imposed on the 10 organizations with the largest outgoing spam volumes—that is, these organizations were listed publicly. We find that because of our reputational sanction mechanism, organizations in the four countries, including those that were not listed, reduced outgoing spam significantly compared to those in similar countries. Within each country, the listed organizations, whose reputations were actually sanctioned, reduced spam to a greater extent than those that were not listed. The spam reduction in the not‐listed organizations is mainly driven by increased security awareness, while the reduction in the listed organizations is primarily due to reputation effect. Among the listed organizations, those ranked lower were more responsive to the reputational sanctions. Moreover, we find that reputational sanctions have a stronger effect on large organizations and important organizations that provide network access and transit to others.

show abstract

Section: Information Securitymentioning

confidence: 99%

Section: Information Securitymentioning

confidence: 99%

Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment

Tang

Whinston

2020

Production and Operations Management

View full text Add to dashboard Cite

show abstract

“…The dependent variable in our model is the time duration from vulnerability discovery to exploit publication. Following related studies (Arora et al., ; Ransbotham et al., ; Temizkan et al., ), we use a survival model to accommodate that vulnerabilities are discovered at different times, and exploits may have yet to be published for some of the vulnerabilities (i.e., censored duration data). The coefficient estimates determine the hazard rate of exploit publication, which is the “conditional likelihood that the event of interest occurs at duration time t, given that it has not occurred in the duration interval (0, t )” (Helsen & Schmittlein, ).…”

Section: Empirical Modelmentioning

confidence: 99%

“…The life cycle of enterprise system risks derived from vulnerabilities, exploits, and patching follows a distinguishable pattern (August & Tunca, 2011;Ransbotham, Mitra, & Ramsey, 2012). To summarize prior literature and position our contribution, Figure 1 presents a process model of technology vulnerabilities and their patching and exploit events.…”

Section: Life Cycle Of Technology Vulnerabilities Exploits and Patcmentioning

confidence: 99%

Managing Enterprise Risks of Technological Systems: An Exploratory Empirical Analysis of Vulnerability Characteristics as Drivers of Exploit Publication*

Sen

Heim

2016

Decision Sciences

View full text Add to dashboard Cite

Enterprises experience opportunistic exploits targeted at vulnerable technology. Vulnerabilities in software-based applications, service systems, enterprise platforms, and supply chains are discovered and disclosed on an alarmingly regular basis. A necessary enterprise risk management task concerns identifying and patching vulnerabilities. Yet it is a costly affair to develop and deploy patches to alleviate risk and prevent damage from exploit attacks. Given the limited resources available, technology producers and users must identify priorities for such tasks. When not overlooked, vulnerability-patching tasks often are prioritized based on vulnerability disclosure dates, thus vulnerabilities disclosed earlier usually have patches developed and deployed earlier. We suggest priorities also should focus on time-dependent likelihoods of exploits getting published. We analyze data on software exploits to identify factors associated with the duration between a vulnerability discovery date and the date when an exploit is publicly available, a time window for patching before exploit attack levels may escalate. Actively prioritizing vulnerability patching based on likelihoods of exploit publication may help lessen losses due to exploit attacks. Technology managers might apply the insights to better estimate relative risk levels, and better prioritize protection efforts toward vulnerabilities having higher risk of earlier exploitation.

show abstract

“…With the current increase in collaboration between firms and in the number of electronic transactions between firms and clients, information systems are becoming increasingly dynamic, distributed, and complex. Internet developments facilitate the continuous time diffusion of computer viruses (Piqueira et al 2008, Han andTan 2010) and cyber attacks (Ransbotham et al 2012). Dynamic optimization and particularly differential game approaches that consider time dimension are necessary to address these problems that firms are confronting.…”

Section: Introductionmentioning

confidence: 99%

Information Security Investment When Hackers Disseminate Knowledge

2013

View full text Add to dashboard Cite

A s an emerging and thriving research branch, information security economics has recently drawn significant attention from practitioners and academics. Traditionally, both decision and static game theoretical techniques are employed to characterize the strategies of firms and hackers. However, these techniques fail to capture the dynamic attribute of the risk environment, which is an increasingly important element, especially in modern distributed and complex computer and communication networks. Utilizing a differential game framework in which hackers disseminate security knowledge within a hacker population over time, this paper analyzes dynamic interactions between a firm endeavoring to protect its information assets and a hacker seeking to misappropriate them. In particular, we investigate three differential games in which the firm and the hacker move simultaneously and sequentially, respectively. We find that (a) the hacker invests the most in the simultaneous differential game, whereas the firm, as the leader, invests the most in the sequential differential game, and (b) both the firm and the hacker enjoy their highest payoffs in the sequential differential game with the hacker as the leader. Furthermore, it is numerically shown that in equilibrium, knowledge dissemination may not necessarily benefit the hacker and harm the firm. Some of our results are consistent with the findings of previous work, although the earlier results were obtained from a static game framework. Our main findings contrast with those of several previous studies that showed mixed results for comparisons between simultaneous and sequential games.

show abstract

Are Markets for Vulnerabilities Effective?

Cited by 82 publications

References 58 publications

Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment

Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment

Managing Enterprise Risks of Technological Systems: An Exploratory Empirical Analysis of Vulnerability Characteristics as Drivers of Exploit Publication*

Information Security Investment When Hackers Disseminate Knowledge

Contact Info

Product

Resources

About