Modeling the Security Ecosystem - The Dynamics of (In)Security

  • Stefan Frei
  • Dominik Schatzmann
  • Bernhard Plattner
  • Brian Trammell
Conference paper


The security of information technology and computer networks is affected by a wide variety of actors and processes which together make up a security ecosystem; here we examine this ecosystem, consolidating many aspects of security that have hitherto been discussed only separately. First, we analyze the roles of the major actors within this ecosystem, the processes they participate in, the paths vulnerability data take through the ecosystem, and the impact of each of these on security risk. Then, based on a quantitative examination of 27,000 vulnerabilities disclosed over the past decade and taken from publicly available data sources, we quantify the systematic gap between exploit and patch availability. We provide the first examination of the impact and the risks associated with this gap on the ecosystem as a whole. Our analysis provides a metric for the success of the “responsible disclosure” process. We measure the prevalence of the commercial markets for vulnerability information and highlight the role of security information providers (SIP), which function as the “free press” of the ecosystem.
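The abstract says the paper quantifies the gap between exploit and patch availability and derives from it a metric for responsible disclosure. As an added illustration (not the paper's code or data, and not its exact definitions), the following example shows one straightforward way to compute such measures from per-vulnerability dates: days from public disclosure to exploit and to patch, the signed exploit-to-patch gap, and the share of vulnerabilities with an exploit or a patch available by a given day after disclosure. The `VulnRecord` type, the `VULN-0x` identifiers and all dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability with the three dates the gap analysis needs (constructed type)."""
    vuln_id: str
    disclosed: date           # date of public disclosure
    exploit: Optional[date]   # date a public exploit became available, None if none known
    patch: Optional[date]     # date a vendor patch became available, None if none known


# Constructed sample records; identifiers and dates are placeholders, not real vulnerabilities.
SAMPLE = [
    VulnRecord("VULN-01", date(2008, 3, 1), date(2008, 3, 1), date(2008, 3, 1)),    # all on disclosure day
    VulnRecord("VULN-02", date(2008, 4, 10), date(2008, 4, 12), date(2008, 5, 20)),  # exploit 38 days before patch
    VulnRecord("VULN-03", date(2008, 6, 5), None, date(2008, 6, 5)),                 # patched at disclosure, no exploit
    VulnRecord("VULN-04", date(2008, 7, 15), date(2008, 7, 10), date(2008, 8, 1)),   # exploit before disclosure (0-day)
    VulnRecord("VULN-05", date(2008, 9, 1), date(2008, 9, 30), date(2008, 9, 1)),    # patch first, exploit 29 days later
    VulnRecord("VULN-06", date(2008, 10, 1), date(2008, 10, 3), None),               # exploit, never patched
]


def exploit_patch_gap(rec: VulnRecord) -> Optional[int]:
    """Signed gap in days: positive when the exploit preceded the patch, None if either is unknown."""
    if rec.exploit is None or rec.patch is None:
        return None
    return (rec.patch - rec.exploit).days


def available_by(records: list, field: str, day: int) -> int:
    """Count records whose `field` date ("exploit" or "patch") is at or before disclosure + `day` days."""
    count = 0
    for rec in records:
        when = getattr(rec, field)
        if when is not None and when <= rec.disclosed + timedelta(days=day):
            count += 1
    return count


def summarize(records: list) -> dict:
    """Aggregate gap statistics over a list of VulnRecord (assumed definitions, see lead-in)."""
    gaps = [g for g in map(exploit_patch_gap, records) if g is not None]
    return {
        "n": len(records),
        # exploit strictly before patch: the window in which users are exposed with no fix available
        "exploit_first": sum(1 for g in gaps if g > 0),
        # patch available no later than disclosure: one reading of "responsible disclosure succeeded"
        "patch_at_disclosure": available_by(records, "patch", 0),
        # exploit available no later than disclosure: disclosed as a 0-day from the defender's view
        "exploit_at_disclosure": available_by(records, "exploit", 0),
        "median_gap_days": median(gaps) if gaps else None,
    }


if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for key, value in stats.items():
        print(f"{key}: {value}")
    for day in (0, 7, 30):
        print(f"day {day:>2}: exploit {available_by(SAMPLE, 'exploit', day)}/{stats['n']}, "
              f"patch {available_by(SAMPLE, 'patch', day)}/{stats['n']}")
```

The `available_by` counts at successive days give the cumulative availability curves for exploits and patches; the area between the two curves is the systematic exposure the abstract refers to, and a 0-day-after-disclosure patch count close to the total is what a successful responsible-disclosure process would produce.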







Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Stefan Frei (1)
  • Dominik Schatzmann (1)
  • Bernhard Plattner (1)
  • Brian Trammell (2)
  1. Communication Systems Group, ETH Zurich, Zurich, Switzerland
  2. ICTL Secure Systems Team, Hitachi Europe, Zurich, Switzerland
