The Impact of Immediate Disclosure on Attack Diffusion and Volume

  • Sam RansbothamEmail author
  • Sabyasachi Mitra
Conference paper


A significant debate in the security industry revolves around the vulnerability disclosure policy. We investigate the effects of immediate disclosure through an empirical study that analyzes security alerts for 960 clients of an US based security service provider. We find that immediate disclosure of vulnerabilities reduces delay in the attack diffusion process and slightly increases penetration of attacks in the population of target systems but slightly decreases the overall the volume of attacks.


  1. 1.
    Arora A, Caulkins JP, Telang R (2006) Sell first, fix later: impact of patching on software quality. Manag Sci 52(3):465–471CrossRefGoogle Scholar
  2. 2.
    Arora A, Telang R, Hao X (2008) Optimal policy for software vulnerability disclosure. Manag Sci 54(4):642–656CrossRefGoogle Scholar
  3. 3.
    August T, Tunca TI (2006) Network software security and user incentives. Manag Sci 52(11):1703–1720CrossRefGoogle Scholar
  4. 4.
    August T, Tunca TI (2008) Let the pirates patch? an economic analysis of software security patch restrictions. Inform Syst Res 19(1):48–70CrossRefGoogle Scholar
  5. 5.
    Cavusoglu H, Cavusoglu H, Raghunathan S (2007) Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Trans Software Eng 33(3):171–185CrossRefGoogle Scholar
  6. 6.
    Cavusoglu H, Cavusoglu H, Zhang J (2008) Security patch management: share the burden or share the damage? Manag Sci 54(4):657–670CrossRefGoogle Scholar
  7. 7.
    Denicolo V (2000) Two-stage patent races and patent policy. RAND J Econ 31(3):488–501CrossRefGoogle Scholar
  8. 8.
    National Vulnerability Database (2008) Accessed 23 Apr 2008
  9. 9.
    Park I, Sharman R, Rao HR, Upadhyaya S (2007) Short term and total life impact analysis of email worms in computer systems. Decis Support Syst 43:827–841CrossRefGoogle Scholar
  10. 10.
    Ransbotham S, Mitra S (2009) Choice and chance: a conceptual model of paths to information security compromise. Inform Syst Res 20(1):121–139CrossRefGoogle Scholar
  11. 11.
    Ransbotham S, Mitra S, Ramsey J (2011) Are Markets for Vulnerabilities Effective? MIS Quarterly forthcomingGoogle Scholar
  12. 12.
    Rogers EM (2003) Diffusion of innovations, 5th edn. The Free Press, New York, NYGoogle Scholar

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  1. 1.Carroll School of ManagementBoston CollegeChestnut HillUSA
  2. 2.College of ManagementGeorgia Institute of TechnologyAtlantaUSA

Personalised recommendations