Exploring Interpersonal Relationships in Security Information Sharing

Information fraud is a significant problem for modern firms. Firms may share information about vulnerabilities, but prior research into sharing has delivered mixed results. Most prior research work has examined sharing at the organizational level and we know little of the role of interpersonal relationships in security information sharing. This paper uses a case study of a large Asia-Pacific telecommunications provider to develop theory about interpersonal security information sharing. The results suggest that sharing is promoted by trust, risk and uncertainty, knowledge management and relationship factors. Investigators shared information partly to overcome tensions with other business areas and to ameliorate operational risk perceptions. Interpersonal relationships allowed sharers to benefit from complementary and specialist knowledge in other firms, thereby translating the meaning of fraud information between business environments

Cybersecurity Information Sharing: Analysing an Email Corpus of Coordinated Vulnerability Disclosure

Cybersecurity Information Sharing: Analysing an Email Corpus of Coordinated Vulnerability Disclosure. K Sridhar, A Householder, JM Spring, DW Woods. The 20th Workshop on the Economics of Information Security (WEIS 2021

A Bug Bounty Perspective on the Disclosure of Web Vulnerabilities

Bug bounties have become increasingly popular in recent years. This paper discusses bug bounties by framing these theoretically against so-called platform economy. Empirically the interest is on the disclosure of web vulnerabilities through the Open Bug Bounty (OBB) platform between 2015 and late 2017. According to the empirical results based on a dataset covering nearly 160 thousand web vulnerabilities, (i) OBB has been successful as a community-based platform for the dissemination of web vulnerabilities. The platform has also attracted many productive hackers, (ii) but there exists a large productivity gap, which likely relates to (iii) a knowledge gap and the use of automated tools for web vulnerability discovery. While the platform (iv) has been exceptionally fast to evaluate new vulnerability submissions, (v) the patching times of the web vulnerabilities disseminated have been long. With these empirical results and the accompanying theoretical discussion, the paper contributes to the small but rapidly growing amount of research on bug bounties. In addition, the paper makes a practical contribution by discussing the business models behind bug bounties from the viewpoints of platforms, ecosystems, and vulnerability markets.Comment: 17th Annual Workshop on the Economics of Information Security, Innsbruck, https://weis2018.econinfosec.org

Quantitative economics of security: software vulnerabilities and data breaches

Includes bibliographical references.2016 Summer.Security vulnerabilities can represent enormous risks to society and business organizations. A large percentage of vulnerabilities in software are discovered by individuals external to the developing organization. These vulnerabilities are often exchanged for monetary rewards or a negotiated selling price, giving rise to vulnerability markets. Some of these markets are regulated, while some are unregulated. Many buyers in the unregulated markets include individuals, groups, or government organizations who intend to use the vulnerabilities for potential attacks. Vulnerabilities traded through such markets can cause great economic, organizational, and national security risks. Vulnerability markets can reduce risks if the vulnerabilities are acquitted and remedied by the software developers. Studying vulnerability markets and their related issues will provide an insight into their underlying mechanisms, which can be used to assess the risks and develop approaches for reducing and mitigating the potential risks to enhance the security against the data breaches. Some of the aspects of vulnerability—discovery, dissemination, and disclosure—have received some recent attention. However, the role of interaction among the vulnerability discoverers and vulnerability acquirers has not yet been adequately addressed. This dissertation suggests that a major fraction of discoverers, a majority in some cases, are unaffiliated with the software developers and thus are free to disseminate the vulnerabilities they discover in any way they like. As a result, multiple vulnerability markets have emerged. In recent vulnerability discovery literature, the vulnerability discoverers have remained anonymous. Although there has been an attempt to model the level of their efforts, information regarding their identities, modes of operation, and what they are doing with the discovered vulnerabilities has not been explored. Reports of buying and selling the vulnerabilities are now appearing in the press; however, the nature of the actual vulnerability markets needs to be analyzed. We have attempted to collect detailed information. We have identified the most prolific vulnerability discoverers throughout the past decade and examined their motivation and methods. A large percentage of these discoverers are located outside of the US. We have contacted several of the most prolific discoverers in order to collect firsthand information regarding their techniques, motivations, and involvement in the vulnerability markets. We examine why many of the discoverers appear to retire after a highly successful vulnerability-finding career. We found that the discoverers had enough experience and good reputation to work officially with a good salary in some well- known software development companies. Many security breaches have been reported in the past few years, impacting both large and small organizations. Such breaches may occur through the exploitation of system vulnerabilities. There has been considerable disagreement about the overall cost and probability of such breaches. No significant formal studies have yet addressed this issue of risk assessment, though some proprietary approaches for evaluating partial data breach costs and probabilities have been implemented. These approaches have not been formally evaluated or compared and have not been systematically optimized. This study proposes a consolidated approach for identifying key factors contributing to the breach cost by minimizing redundancy among the factors. Existing approaches have been evaluated using the data from some of the well-documented breaches. It is noted that the existing models yield widely different estimates. The reasons for this variation are examined and the need for better models is identified. A complete computational model for estimating the costs and probabilities of data breaches for a given organization has been developed. We consider both the fixed and variable costs and the economy of scale. Assessing the impact of data breaches will allow organizations to assess the risks due to potential breaches and to determine the optimal level of resources and effort needed for achieving target levels of security

Toward Data-Driven Discovery of Software Vulnerabilities

Over the years, Software Engineering, as a discipline, has recognized the potential for engineers to make mistakes and has incorporated processes to prevent such mistakes from becoming exploitable vulnerabilities. These processes span the spectrum from using unit/integration/fuzz testing, static/dynamic/hybrid analysis, and (automatic) patching to discover instances of vulnerabilities to leveraging data mining and machine learning to collect metrics that characterize attributes indicative of vulnerabilities. Among these processes, metrics have the potential to uncover systemic problems in the product, process, or people that could lead to vulnerabilities being introduced, rather than identifying specific instances of vulnerabilities. The insights from metrics can be used to support developers and managers in making decisions to improve the product, process, and/or people with the goal of engineering secure software. Despite empirical evidence of metrics\u27 association with historical software vulnerabilities, their adoption in the software development industry has been limited. The level of granularity at which the metrics are defined, the high false positive rate from models that use the metrics as explanatory variables, and, more importantly, the difficulty in deriving actionable intelligence from the metrics are often cited as factors that inhibit metrics\u27 adoption in practice. Our research vision is to assist software engineers in building secure software by providing a technique that generates scientific, interpretable, and actionable feedback on security as the software evolves. In this dissertation, we present our approach toward achieving this vision through (1) systematization of vulnerability discovery metrics literature, (2) unsupervised generation of metrics-informed security feedback, and (3) continuous developer-in-the-loop improvement of the feedback. We systematically reviewed the literature to enumerate metrics that have been proposed and/or evaluated to be indicative of vulnerabilities in software and to identify the validation criteria used to assess the decision-informing ability of these metrics. In addition to enumerating the metrics, we implemented a subset of these metrics as containerized microservices. We collected the metric values from six large open-source projects and assessed metrics\u27 generalizability across projects, application domains, and programming languages. We then used an unsupervised approach from literature to compute threshold values for each metric and assessed the thresholds\u27 ability to classify risk from historical vulnerabilities. We used the metrics\u27 values, thresholds, and interpretation to provide developers natural language feedback on security as they contributed changes and used a survey to assess their perception of the feedback. We initiated an open dialogue to gain an insight into their expectations from such feedback. In response to developer comments, we assessed the effectiveness of an existing vulnerability discovery approach—static analysis—and that of vulnerability discovery metrics in identifying risk from vulnerability contributing commits

Supporting data-driven software development life-cycles with bug bounty programmes

A growing number of organisations are utilising the skills of a global base of white-hat hackers in order to identify pre- and post-deployment vulnerabilities. Despite the widespread adoption of bug bounty programmes, there remain many uncertainties regarding the efficacy of this relatively novel security activity, especially when considering their adoption alongside existing software development lifecycles. This dissertation explores how bug bounty programmes can be used to support data-driven software development lifecycles. To achieve this outcome, the dissertation presents four distinct contributions. The first contribution concerns the usage of Crowdsourced Vulnerability Discovery (CVD) (of which bug bounty programmes are a part) within organisations. This includes the presentation of expert opinion pertaining to the benefits and shortcomings of existing approaches, and identification of the extent to which CVD programmes are used in software development lifecycles. The second contribution explores the benefits and drawbacks of hosting a programme on a bug bounty platform (a centralised repository of programmes operated by a third party). Empirical analysis of operating characteristics helps address concerns around the long-term viability of programme operation, and allows for a comparison to be made between the cost of expanding a security team and the cost of running a programme. The third contribution examines the extent to which participating in the search for vulnerabilities is a viable long-term strategy for hackers based on bug bounty platforms. The results demonstrate that participation is infeasible, even on a short-term basis, for significant numbers of hackers, highlighting the shortcomings of the current approach used by platforms. Building on the first three, the fourth contribution explores CVD programme policies, and the extent to which pertinent information, particularly in reference to legal constraints, is communicated to hackers. A systematic review reveals the commonplace elements that form current policy documents, enabling organisations to identify gaps within their own programme policies and form policies that are consistent with peers

Proactive risk management in information systems

Managing security risks is one of the major challenges in modern information systems. Threats often come via the World Wide Web and are therefore difficult to predict. Thus, attackers can always be a step ahead of us and reactive approach based on known security incidents is not sufficient. A much higher security level can be achieved by active detection and neutralization of software vulnerabilities. When a large number of vulnerabilities are present in the system, they have to be prioritized for removal according to their severity. With a proactive approach, where we foresee which vulnerabilities will be more likely exploited in practice, the highest level of security can be assured. A widely used prioritization policy based upon a CVSS (Common Vulnerability Scoring System) score is frequently criticised for bad effectiveness. The main reason is that the CVSS score alone is not a good predictor of vulnerability exploitation in the wild. One of the key challenges in this area is therefore to identify the indicators of exploitation. Since the exploitation of vulnerability is basically a human threat, it is reasonable to take into account the characteristics of typical attackers. We propose several methods for setting priorities that take this into account. Methods have to be compared according to their effectiveness in risk mitigation. To this end, we have developed a valuation model that allows such comparisons. Proposed methods, which take into account human threats, were compared with the most popular existing methods. In the experiment we used vulnerability data from publicly available databases. Experimental results show that methods which take into account the characteristics of attackers are generally more effective than existing methods. The effectiveness was also confirmed in some real cases of information systems in practice

Proactive risk management in information systems

Managing security risks is one of the major challenges in modern information systems. Threats often come via the World Wide Web and are therefore difficult to predict. Thus, attackers can always be a step ahead of us and reactive approach based on known security incidents is not sufficient. A much higher security level can be achieved by active detection and neutralization of software vulnerabilities. When a large number of vulnerabilities are present in the system, they have to be prioritized for removal according to their severity. With a proactive approach, where we foresee which vulnerabilities will be more likely exploited in practice, the highest level of security can be assured. A widely used prioritization policy based upon a CVSS (Common Vulnerability Scoring System) score is frequently criticised for bad effectiveness. The main reason is that the CVSS score alone is not a good predictor of vulnerability exploitation in the wild. One of the key challenges in this area is therefore to identify the indicators of exploitation. Since the exploitation of vulnerability is basically a human threat, it is reasonable to take into account the characteristics of typical attackers. We propose several methods for setting priorities that take this into account. Methods have to be compared according to their effectiveness in risk mitigation. To this end, we have developed a valuation model that allows such comparisons. Proposed methods, which take into account human threats, were compared with the most popular existing methods. In the experiment we used vulnerability data from publicly available databases. Experimental results show that methods which take into account the characteristics of attackers are generally more effective than existing methods. The effectiveness was also confirmed in some real cases of information systems in practice