
Modeling the Security Ecosystem - The Dynamics of (In)Security

  • Conference paper
Economics of Information Security and Privacy

Abstract

The security of information technology and computer networks is affected by a wide variety of actors and processes which together make up a security ecosystem; here we examine this ecosystem, consolidating many aspects of security that have hitherto been discussed only separately. First, we analyze the roles of the major actors within this ecosystem and the processes they participate in, the paths vulnerability data take through the ecosystem, and the impact of each of these on security risk. Then, based on a quantitative examination of 27,000 vulnerabilities disclosed over the past decade and taken from publicly available data sources, we quantify the systematic gap between exploit and patch availability. We provide the first examination of the impact and the risks associated with this gap on the ecosystem as a whole. Our analysis provides a metric for the success of the “responsible disclosure” process. We measure the prevalence of the commercial markets for vulnerability information and highlight the role of security information providers (SIP), which function as the “free press” of the ecosystem.
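The gap the abstract describes can be measured per vulnerability from three dates: public disclosure, public exploit availability and patch availability. The following is an added illustration of that kind of measurement, not the paper's own code or its metric definitions; the records, the identifiers (EXAMPLE-000x placeholders) and the choice of summary statistics are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class VulnRecord:
    vuln_id: str             # placeholder identifier, not a real CVE
    disclosed: date          # day the vulnerability became public
    exploit: Optional[date]  # day a public exploit appeared; None = none known
    patch: Optional[date]    # day the vendor shipped a fix; None = still unpatched


# Constructed sample records for illustration; not data from the paper.
SAMPLE = [
    VulnRecord("EXAMPLE-0001", date(2008, 3, 1), date(2008, 3, 1), date(2008, 3, 1)),    # patch and exploit on disclosure day
    VulnRecord("EXAMPLE-0002", date(2008, 4, 10), date(2008, 4, 12), date(2008, 5, 20)),  # exploit 38 days ahead of the patch
    VulnRecord("EXAMPLE-0003", date(2008, 6, 5), None, date(2008, 6, 3)),                 # patched before disclosure, no exploit
    VulnRecord("EXAMPLE-0004", date(2008, 7, 15), date(2008, 7, 15), None),               # exploit at disclosure, never patched
]


def exploit_before_patch(rec: VulnRecord) -> bool:
    """True if a public exploit existed while no patch was available."""
    return rec.exploit is not None and (rec.patch is None or rec.exploit < rec.patch)


def exposure_window_days(rec: VulnRecord) -> Optional[int]:
    """Days between exploit and patch availability; None if no exploit or still unpatched."""
    if not exploit_before_patch(rec) or rec.patch is None:
        return None
    return (rec.patch - rec.exploit).days


def gap_metrics(records: list) -> dict:
    """Summarise how often exploits precede patches and how large the window is."""
    exposed = [r for r in records if exploit_before_patch(r)]
    windows = [w for w in (exposure_window_days(r) for r in exposed) if w is not None]
    return {
        "total": len(records),
        # share with a patch on or before disclosure day: one proxy for disclosure working as intended
        "patch_available_at_disclosure": sum(1 for r in records if r.patch is not None and r.patch <= r.disclosed),
        "exploit_available_at_disclosure": sum(1 for r in records if r.exploit is not None and r.exploit <= r.disclosed),
        "exploit_preceded_patch": len(exposed),
        "still_unpatched_with_exploit": sum(1 for r in exposed if r.patch is None),
        "median_exposure_days": median(windows) if windows else None,
    }
```

Open-ended windows (exploit public, no patch yet) are counted separately rather than folded into the median, since any single number assigned to them would understate the exposure.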



Corresponding author

Correspondence to Stefan Frei.


© 2010 Springer Science+Business Media, LLC


Cite this paper

Frei, S., Schatzmann, D., Plattner, B., Trammell, B. (2010). Modeling the Security Ecosystem - The Dynamics of (In)Security. In: Moore, T., Pym, D., Ioannidis, C. (eds) Economics of Information Security and Privacy. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-6967-5_6


  • DOI: https://doi.org/10.1007/978-1-4419-6967-5_6


  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4419-6966-8

  • Online ISBN: 978-1-4419-6967-5

  • eBook Packages: Computer Science (R0)
