Does information security attack frequency increase with vulnerability disclosure? An empirical analysis

Published in Information Systems Frontiers.

Abstract

Research on information security, risk management and investment has grown in importance over the last few years. However, without reliable estimates of attack probabilities, risk management is difficult to do in practice. Using a novel data set, we provide estimates of attack propensity and of how it changes with the disclosure and patching of vulnerabilities. Disclosure of software vulnerabilities has been controversial: on one side are those who propose full and instant disclosure whether or not a patch is available, and on the other those who argue for limited or no disclosure. Which of the two policies is socially optimal depends critically on how attack frequency changes with disclosure and patching. In this paper, we empirically explore the impact of vulnerability disclosure and patch availability on attacks targeting the vulnerability. Our results suggest that, on average, both secret (non-published) and published (published but not patched) vulnerabilities attract fewer attacks than patched (published and patched) vulnerabilities. When we control for time since publication and since patch release, we find that patching an already known vulnerability decreases the number of attacks, although attacks gradually increase with time after patch release. Patching an unknown vulnerability, however, causes a spike in attacks, which then gradually decline after patch release. Attacks on secret vulnerabilities slowly increase with time until the vulnerability is published, after which they rapidly decrease.

Notes

  1. As of January 2003, SecurityFocus discontinued listing exploit code.

  2. http://www.gocsi.com

  3. Each tcpdump data file consists of TCP logs accumulated from 12:01 a.m. on the start day until 12:00 a.m. on the end day of an observation period. Each observation period typically covers about 5 days.

  4. Severity type classifies a vulnerability by the damage that could result on the attacked host; its values are security protection, confidentiality, integrity and availability. Vulnerability type denotes the technical characteristics of the vulnerability: input validation error, boundary condition error, buffer overflow, access validation error, exceptional condition, environmental error, configuration error, race condition and other.

  5. Exploit code also includes cases where no actual code is provided but where explanations on how to exploit the vulnerability are available.

  6. Vulnerabilities that were never patched would take a value of zero for the elapsed patch days but the dummy variable that denotes “not patched” vulnerabilities would take on a value of 1.

  7. Vulnerabilities that have been patched before they were published were deemed to have been patched and published on the same day.

  8. There is no endogeneity in our definition of secret vulnerabilities.

  9. Calculated as \( \Phi\left(\frac{X\widehat{\delta}}{\sigma}\right)\widehat{\delta} \).

  10. Many vendors have now introduced automatic updates at regular time intervals.
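The three disclosure states compared in the abstract (secret, published but not patched, published and patched) and the coding rules of notes 6, 7 and 9 can be made concrete. The following Python is an added worked example, not code or data from the paper: the sample vulnerabilities and attack events are constructed; taking the patch day as the shared day in note 7, and setting the not-patched dummy while a patch does not yet exist, are assumptions the page does not state; the function and field names are the example's own.

```python
"""Coding of (vulnerability, observation day) pairs into the disclosure states and
elapsed-day covariates described in the abstract and notes 6, 7 and 9.
Example code, not the paper's own; all sample data below is constructed."""
from dataclasses import dataclass
from datetime import date
from math import erf, sqrt
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vid: str
    published: Optional[date]  # advisory date; None = not publicly disclosed in the sample
    patched: Optional[date]    # vendor patch date; None = never patched (note 6)


@dataclass(frozen=True)
class Covariates:
    state: str                  # "secret", "published" (not patched) or "patched"
    days_since_publication: int
    days_since_patch: int       # 0 when no patch exists (note 6)
    not_patched: int            # note 6 dummy


def effective_dates(v: Vulnerability) -> Tuple[Optional[date], Optional[date]]:
    """Note 7: a vulnerability patched before it was published is treated as
    published and patched on the same day.  Assumption (not stated on the page):
    that day is the patch day, since releasing a patch reveals the flaw; a patch
    with no advisory at all is handled the same way."""
    pub, pat = v.published, v.patched
    if pat is not None and (pub is None or pat < pub):
        pub = pat
    return pub, pat


def code_observation(v: Vulnerability, day: date) -> Covariates:
    """State and elapsed-day covariates of vulnerability v on one observation day."""
    pub, pat = effective_dates(v)
    if pub is None or day < pub:
        # Assumption: the note 6 dummy is also set while no patch exists yet.
        return Covariates("secret", 0, 0, 1)
    if pat is None or day < pat:
        return Covariates("published", (day - pub).days, 0, 1)
    return Covariates("patched", (day - pub).days, (day - pat).days, 0)


def code_events(vulns: Dict[str, Vulnerability],
                events: List[Tuple[str, date]]) -> List[Tuple[str, str, Covariates]]:
    """Code every attack event (vulnerability id, day); the middle element is the ISO day."""
    return [(vid, day.isoformat(), code_observation(vulns[vid], day)) for vid, day in events]


def attacks_by_state(vulns: Dict[str, Vulnerability],
                     events: List[Tuple[str, date]]) -> Dict[str, int]:
    """Tabulate attack events by the state the targeted vulnerability was in that day."""
    counts = {"secret": 0, "published": 0, "patched": 0}
    for _, _, cov in code_events(vulns, events):
        counts[cov.state] += 1
    return counts


def normal_cdf(z: float) -> float:
    """Standard normal CDF Phi(z) via the error function."""
    return 0.5 * (1.0 + erf(z / sqrt(2.0)))


def marginal_effects(x: List[float], delta_hat: List[float], sigma: float) -> List[float]:
    """Note 9: Phi(X delta_hat / sigma) * delta_hat, the marginal effect of each
    covariate on the expected attack count when the count is censored at zero
    (the Tobit marginal-effect scaling)."""
    xb = sum(xi * di for xi, di in zip(x, delta_hat))
    scale = normal_cdf(xb / sigma)
    return [scale * d for d in delta_hat]


# Constructed sample, not the paper's honeynet data.
VULNS = {
    "V-A": Vulnerability("V-A", date(2003, 3, 1), date(2003, 3, 15)),   # published, patched two weeks later
    "V-B": Vulnerability("V-B", date(2003, 4, 10), date(2003, 4, 1)),   # patch preceded the advisory (note 7)
    "V-C": Vulnerability("V-C", date(2003, 5, 1), None),                # published, never patched (note 6)
    "V-D": Vulnerability("V-D", None, None),                            # secret throughout the sample
}
EVENTS = [
    ("V-A", date(2003, 2, 20)), ("V-A", date(2003, 3, 5)), ("V-A", date(2003, 3, 20)),
    ("V-B", date(2003, 4, 2)), ("V-B", date(2003, 4, 12)),
    ("V-C", date(2003, 5, 10)), ("V-D", date(2003, 6, 1)),
]

if __name__ == "__main__":
    print(attacks_by_state(VULNS, EVENTS))
    for vid, day, cov in code_events(VULNS, EVENTS):
        print(vid, day, cov)
    print(marginal_effects([1.0, 10.0], [0.5, 0.2], 2.0))
```

The state counts are the raw comparison the abstract makes across the three groups; the elapsed-day fields are the regressors that the abstract's "control for time since publication and patches" refers to, and `marginal_effects` applies the scaling of note 9 to a fitted coefficient vector.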

Acknowledgment

We thank the members of honeynet project for providing us with data for this study. Rahul Telang acknowledges generous support of National Science Foundation (NSF) through CAREER award CNS-0546009.

Correspondence to Ashish Arora.

Cite this article

Arora, A., Nandkumar, A. & Telang, R. Does information security attack frequency increase with vulnerability disclosure? An empirical analysis. Inf Syst Front 8, 350–362 (2006). https://doi.org/10.1007/s10796-006-9012-5
