
1 WEIS 2005: Economic Analysis of Incentives to Disclose Software Vulnerabilities. Dmitri Nizovtsev (Washburn University), Marie Thursby (Georgia Institute of Technology)

2-6 Full Public Disclosure: Why the controversy? Why do benign discoverers disclose? What is socially optimal? How to get there?

7-13 The existing body of economic research on information security focuses on: decisions made by vendors; the “coordinator” (the optimal disclosure policy issue); information sharing (ISACs); users’ decision to patch; viability of a market for vulnerabilities… but not on individual decisions to disclose. Our research is an attempt to close this gap.

14-18 Commonly believed motives for full public disclosure: signaling one’s abilities; warning other users; putting pressure on the vendor. Our alternative explanation: benign users are minimizing their expected loss.

19-24 The Model. Three types of “agents”: Black Hats attack other users when they can; White Hats inform the vendor and decide whether and how to disclose; Vendors issue a fix once attacks reach a certain intensity level. Independent discoveries of the same bug are possible.

25 Game tree (figure): Bug discovered by a benign user → Disclose? Y: Massive attack → Fix provided by vendor → Game ends. N: No attack → Next discoverer? BH: Single attack; WH: Disclose? (Y / N) → Game continues…

26-27 Loss Structure (figure: expected loss against the proportion of white hats disclosing). LN: expected loss of white hats who don’t disclose; N1: expected loss from a massive attack (result of FPD); N2: expected loss from ‘covert’ attacks (result of independent discoveries).

28 Exogenous parameters: the ease of exploiting the published vulnerability, ε; users’ knowledge of software, κ (affects the probability of a fix developed by the user); population (B black hats + W white hats); potential damage from each attack, C; transparency of the bug, r (affects the chances of independent discoveries); the discoverer’s “impatience factor”, ρ.

29 Expected Loss. Disclosing agent: (formula not reproduced in the transcript). Non-disclosing agent: (formula not reproduced in the transcript), where α is the probability that a white hat plays “disclose” and a discounting factor enters.

30 The equilibrium proportion of white hats who choose full public disclosure (FPD), α*: (formula not reproduced in the transcript).

31-33 Possible equilibria (figure: expected loss curves E(L_N) and E(L_D) against the proportion of white hats choosing FPD, from 0 to 1): 1. Pure no-disclosure (ND) equilibrium, α* < 0: none of the benign discoverers discloses. 2. Pure full disclosure (FD) equilibrium, α* > 1: all benign discoverers disclose. 3. Mixed-strategy equilibrium, 0 < α* < 1: some benign discoverers disclose, others don’t.

34-42 FPD tends to occur more often as: bugs become easier to discover; users get more patient (less myopic); the number of black hats increases; it gets more difficult to develop an exploit based on the disclosed information. The effect of the population size is ambiguous. If the social loss function equals the aggregate damage from attacks, then full public disclosure can be socially optimal. Whenever that is the case, it is the equilibrium strategy of individual benign discoverers.
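The transcript does not carry the expected-loss formulas of slides 29-30, so the following is an added toy instantiation of the game tree (slide 25), the parameter list (slide 28) and the equilibrium classification (slides 31-33); it is not the authors' model and every function name in it is mine. Three ingredients are assumptions beyond the slides: a per-period rediscovery probability p standing in for the transparency r, a discount factor delta = 1/(1 + rho) for the impatience factor rho, and a factor theta < 1 for the share of massive-attack damage a discloser still suffers because, having disclosed, he is forewarned (with theta = 1 the two choices differ only in timing and alpha drops out). Equilibria are classified by best responses rather than by the position of a single alpha*, so the code can report several equilibria for one parameter set; on the three constructed parameter sets below it reproduces the ND, FD and mixed cases, and the direction of the slide 35-37 effects (more black hats, more patience, easier rediscovery make silence costlier) holds in this toy as well.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Params:
    """Exogenous parameters, named after slide 28 of the talk."""
    B: int        # number of black hats
    W: int        # number of white hats
    C: float      # potential damage from each attack
    eps: float    # ease of exploiting the published vulnerability (0..1)
    p: float      # ASSUMED: per-period chance of an independent rediscovery (proxy for transparency r)
    delta: float  # ASSUMED: discount factor 1/(1 + rho), rho = discoverer's impatience factor
    theta: float  # ASSUMED: share of massive-attack damage the (forewarned) discloser still suffers

    @property
    def b(self) -> float:
        """Chance that the next independent discoverer is a black hat."""
        return self.B / (self.B + self.W)


def loss_disclose(P: Params) -> float:
    """E(L_D): disclosure triggers a massive attack with expected damage eps*C,
    the vendor then issues a fix and the game ends; the discloser bears the
    fraction theta of that damage (assumption, see above)."""
    return P.theta * P.eps * P.C


def loss_stay_silent(P: Params, alpha: float) -> float:
    """E(L_N)(alpha): closed form of the stationary per-period recursion
        L = delta * [ p*b*(C + L)                          # black hat rediscovers: one covert attack, game goes on
                    + p*(1-b)*(alpha*eps*C + (1-alpha)*L)  # white hat rediscovers: discloses with probability alpha
                    + (1-p)*L ]                            # nobody rediscovers the bug this period
    where alpha is the share of the other white hats playing 'disclose'."""
    b, d = P.b, P.delta
    numerator = d * P.p * P.C * (b + (1.0 - b) * P.eps * alpha)
    denominator = 1.0 - d * (1.0 - P.p * (1.0 - b) * alpha)
    return numerator / denominator


def equilibria(P: Params, tol: float = 1e-12):
    """Classify equilibria as on slides 31-33, by best responses: ND holds if
    nobody gains by disclosing when nobody else does, FD holds if nobody gains
    by staying silent when everybody else discloses, and a mixed equilibrium
    sits at the interior alpha* where E(L_N)(alpha*) = E(L_D)."""
    L_D = loss_disclose(P)

    def gap(a: float) -> float:           # > 0 means disclosing is the cheaper choice
        return loss_stay_silent(P, a) - L_D

    found = []
    if gap(0.0) <= 0.0:
        found.append(("ND", 0.0))
    if gap(0.0) * gap(1.0) < 0.0:         # sign change: interior crossing exists
        lo, hi = 0.0, 1.0
        while hi - lo > tol:              # bisection; E(L_N) is monotone on [0, 1]
            mid = 0.5 * (lo + hi)
            if gap(lo) * gap(mid) <= 0.0:
                hi = mid
            else:
                lo = mid
        found.append(("mixed", 0.5 * (lo + hi)))
    if gap(1.0) >= 0.0:
        found.append(("FD", 1.0))
    return found


def equilibrium_names(P: Params):
    return [name for name, _ in equilibria(P)]


if __name__ == "__main__":
    # constructed parameter sets, not values from the paper
    base = Params(B=1, W=3, C=100.0, eps=0.5, p=0.3, delta=0.9, theta=0.5)
    print("base (FD)                 :", equilibria(base))
    print("rare rediscovery, easy exploit (ND):", equilibria(replace(base, p=0.05, eps=0.9)))
    print("trivial exploit, little forewarning:", equilibria(replace(base, eps=1.0, theta=0.8)))
```

In the base set E(L_D) = 25 lies below E(L_N) for every alpha (67.5 at alpha = 0, about 55.8 at alpha = 1), so full disclosure is the only equilibrium; making rediscovery rare and the exploit easy pushes E(L_N) below E(L_D) everywhere and only no-disclosure survives; with eps = 1 and theta = 0.8 the curves cross at alpha* = 1.25/4.05 and the mixed equilibrium appears together with both pure ones, because in this toy a higher alpha raises the silent agent's loss (strategic complements), which is one place where it may differ from the authors' model.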

43-44 Extended game tree (figure): the tree of slide 25 with two additions on both branches of the disclosure decision: the discoverer chooses an effort level X (to find a fix), and a “Patch installed?” node follows; if the patch is installed before an attack the game ends with no loss, otherwise play continues as before (massive attack and vendor fix after disclosure; next discoverer, BH single attack or WH disclosure decision, after non-disclosure).

45 More transparent code (κ > 0 versus κ = 0) leads to more effort put into finding a fix and less FPD. So does a greater potential damage from an attack. (Figure: the ratio E(L_WN)/E(L_WD) against α.)

46 What happens to the aggregate damage from attacks? Does it change the incentive structure? Suppose we have a coalition of agents that anyone can disclose information to. The composition of the coalition population is assumed to be the same as for the rest of the world.

47 Game with a coalition (figure): after the bug is discovered, the discoverer chooses between no disclosure (N), disclosure to the coalition (C) and disclosure to the world (W), each followed by a choice of effort (X_N, X_C, X_W) and a “Patch installed?” node. Outcomes range from no attack, through a moderate-size attack, to a massive attack; the game ends (no loss) when a patch is installed and otherwise continues via the next discoverer.

48 Such a coalition improves social welfare only if the software is not too complex AND coalition members are willing to work on a patch. Otherwise, a coalition has no effect!

49-50 Policy alternatives. Punishing those who choose full public disclosure… is not a good idea (figure: loss against % FD, old versus new). Let them disclose!

51 Policy alternatives. Better security of existing systems (a decrease in C, the loss from an attack): aggregate loss decreases, with more frequent disclosure along the way (figure: expected loss against % FD, old versus new).

52 Policy alternatives. Punishing black hats: aggregate loss decreases, with more FPD along the way (figure: expected loss against % FD, old versus new). Costly but not hopeless.

53-54 Policy alternatives. Software quality improvement: fewer bugs discovered, but weaker incentives to disclose (figure: loss against % FD, old versus new). Both effects have to be taken into account when discussing the effects of software quality improvement!

55-56 Policy alternatives. Making vendors issue patches faster (one of the roles for the coordinator?): less disclosure, smaller aggregate loss (figure: loss against % FD, old versus new).

57-58 Policy alternatives. Making the source code transparent: bugs are patched faster (not necessarily by vendors), less disclosure, smaller aggregate loss (figure: loss against % FD, old versus new). Would this be a threat to intellectual property rights?

59 Future modifications and extensions: endogenizing vendors’ decisions and users’ decision to patch; role of the coordinator; testing the results empirically.

