Information Disclosure and the Diffusion of Information Security Attacks
Publication type:
Article
Authors:
Mitra, Sabyasachi; Ransbotham, Sam
Affiliations:
University System of Georgia; Georgia Institute of Technology; Boston College
Journal:
INFORMATION SYSTEMS RESEARCH
ISSN/ISBN:
1047-7047
DOI:
10.1287/isre.2015.0587
Publication date:
2015
Pages:
565-584
Keywords:
Product diffusion
vulnerability
TECHNOLOGY
MODEL
systems
patch
deterrence
INNOVATION
BEHAVIOR
MARKETS
Abstract:
With the nearly instantaneous dissemination of information in the modern era, policies regarding the disclosure of sensitive information have become the focus of significant discussion in several contexts. The fundamental debate centers on trade-offs inherent in disclosing information that society needs, but that can also be used for nefarious purposes. Using information security as a research context, our empirical study examines the adoption of software vulnerabilities by a population of attackers. We compare attacks based on software vulnerabilities disclosed through full-disclosure and limited-disclosure mechanisms. We find that full disclosure accelerates the diffusion of attacks, increases the penetration of attacks within the target population, and increases the risk of first attack after the vulnerability is reported. Interestingly, the effect of full disclosure is greater during periods when there are more overall vulnerabilities reported, indicating that attackers may strategically focus on busy periods when the effort of security professionals is spread across many vulnerabilities. Although the aggregate volume of attacks remains unaffected by full disclosure, attacks occur earlier in the life cycle of the vulnerability. Building off our theoretical insights, we discuss the implications of our findings in more general contexts.