Information Disclosure and the Diffusion of Information Security Attacks, Mitra & Ransbotham – Siddharth Bhattacharya
The paper addresses an ongoing debate in the research community about limited versus full disclosure of vulnerabilities that are often attacked by third parties. Proponents of limited disclosure argue that it ensures that vendors and targets receive reasonable time to develop and deploy patches and countermeasures before systems are attacked, whereas the alternative, full disclosure, creates a window of opportunity for attackers before patches and countermeasures are deployed. On the other hand, full disclosure gives vendors an incentive to create better-quality software and notifies security professionals so that they can install countermeasures immediately. The paper therefore asks four questions. Does full disclosure speed the diffusion of attacks corresponding to the vulnerability through the population of target systems? Does full disclosure increase the risk that a firm is attacked for the first time on any specific day after the vulnerability is reported, given that it has not been attacked prior to that day? Does full disclosure increase the number of target firms affected by attacks based on the vulnerability? Does full disclosure increase the volume of attacks based on the vulnerability?
The authors use measures developed in earlier literature to first form analytical estimates of quantities such as Na(t), the cumulative number of attacked systems at time t, and Np(t), the cumulative number of protected systems at time t, and then use these to develop their hypotheses. Next, the authors augment this analytical work with two main data sources: first, a proprietary database of alerts generated by intrusion detection systems (IDSs) installed in client firms of an MSSP during 2006 and 2007; second, dates from the National Vulnerability Database (NVD), which they combine with this panel data set to obtain detailed characteristics of the vulnerabilities.
The authors use a series of models (a non-linear regression model, a Cox model and finally a Poisson model) to test their hypotheses, all of which are supported. Results indicate that full disclosure accelerates the diffusion of attacks corresponding to a vulnerability. Full disclosure also increases the risk of first attack on any specific day after the vulnerability is reported. Full disclosure also increases the penetration of attacks within the population of target systems. Additionally, although the aggregate volume of attacks remains unaffected by full disclosure, attack activity shifts earlier in the life cycle of a vulnerability, thereby reducing its effective life span but intensifying activity while it is active. The paper makes several contributions. Practically, quantifying the net effect of information disclosure on the diffusion of attacks informs the continuing debate about the optimal disclosure of information security vulnerabilities. It also adds depth to the debate about limited versus full disclosure and uncovers a potential negative effect of full disclosure. Finally, it adds to the diffusion of innovation literature by focusing on the diffusion of a societally undesirable innovation, in contrast to the positive innovations studied before.