WEIS Economic Analysis of Incentives to Disclose Software Vulnerabilities Dmitri Nizovtsev Washburn University Marie Thursby Georgia Institute of Technology
WEIS Full Public Disclosure:
WEIS Full Public Disclosure: Why the controversy?
WEIS Full Public Disclosure: Why the controversy? Why do benign discoverers disclose?
WEIS What is socially optimal? Full Public Disclosure: Why the controversy? Why do benign discoverers disclose?
WEIS What is socially optimal? Full Public Disclosure: How to get there? Why the controversy? Why do benign discoverers disclose?
WEIS The existing body of economic research on information security focuses on
WEIS The existing body of economic research on information security focuses on - decisions made by vendors
WEIS The existing body of economic research on information security focuses on - decisions made by vendors - the “coordinator” (the opt. disclosure policy issue)
WEIS The existing body of economic research on information security focuses on - decisions made by vendors - the “coordinator” (the opt. disclosure policy issue) - information sharing (ISACs)
WEIS The existing body of economic research on information security focuses on - decisions made by vendors - the “coordinator” (the opt. disclosure policy issue) - information sharing (ISACs) - users’ decision to patch
WEIS The existing body of economic research on information security focuses on - decisions made by vendors - the “coordinator” (the opt. disclosure policy issue) - information sharing (ISACs) - users’ decision to patch - viability of a market for vulnerabilities…
WEIS The existing body of economic research on information security focuses on - decisions made by vendors - the “coordinator” (the opt. disclosure policy issue) - information sharing (ISACs) - users’ decision to patch - viability of a market for vulnerabilities… …but not on individual decisions to disclose. Our research is an attempt to close this gap.
WEIS Commonly believed motives for full public disclosure:
WEIS Commonly believed motives for full public disclosure: Signaling one’s abilities; Commonly believed motives for full public disclosure: Signaling one’s abilities;
WEIS Commonly believed motives for full public disclosure: Signaling one’s abilities; Warning other users; Commonly believed motives for full public disclosure: Signaling one’s abilities; Warning other users;
WEIS Commonly believed motives for full public disclosure: Signaling one’s abilities; Warning other users; Putting pressure on the vendor. Commonly believed motives for full public disclosure: Signaling one’s abilities; Warning other users; Putting pressure on the vendor.
WEIS Benign users are minimizing their expected loss Benign users are minimizing their expected loss Commonly believed motives for full public disclosure: Signaling one’s abilities; Warning other users; Putting pressure on the vendor. Commonly believed motives for full public disclosure: Signaling one’s abilities; Warning other users; Putting pressure on the vendor. Our alternative explanation:
WEIS The Model
WEIS The Model Three types of “agents”:
WEIS Black Hats attack other users when they can The Model Three types of “agents”:
WEIS Black Hats attack other users when they can White Hats inform the vendor, decide whether and how to disclose The Model Three types of “agents”:
WEIS Black Hats attack other users when they can White Hats inform the vendor, decide whether and how to disclose Vendors issue a fix once attacks reach a certain intensity level The Model Three types of “agents”:
WEIS Black Hats attack other users when they can White Hats inform the vendor, decide whether and how to disclose Vendors issue a fix once attacks reach a certain intensity level The Model Three types of “agents”: Independent discoveries of the same bug are possible.
WEIS Disclose? Bug discovered by a benign user Massive attack No attack Next discoverer? Game ends NY Fix provided by vendor Game continues… BH WH Disclose? Single attack Y N
WEIS Loss Structure
WEIS Expected loss LN N1 N2 Proportion of white hats disclosing LN – expected loss of white hats who don’t disclose N1 – expected loss from a massive attack (result of FPD) N2 – exp. loss from ‘covert’ attacks (result of independent discoveries)
WEIS The ease of exploiting the published vulnerability, ε Exogenous parameters Users’ knowledge of software, κ (affects the probability of a fix developed by the user, ) Users’ knowledge of software, κ (affects the probability of a fix developed by the user, ) Population (B black hats + W white hats) Population (B black hats + W white hats) Potential damage from each attack, C Transparency of the bug, r (affects the chances of independent discoveries) The discoverer’s “impatience factor”, ρ
WEIS Expected Loss. Disclosing agent: Non-Disclosing agent: where is the probability that a white hat plays “disclose” and is the discounting factor.
The equilibrium proportion of white hats who choose full public disclosure (FPD):
WEIS Possible equilibria: 1. Pure no-disclosure (ND) equilibrium, α*<0 None of benign discoverers discloses Expected loss Proportion of white hats choosing FPD E(L N ) E(L D ) 01
WEIS Possible equilibria: 2. Pure full disclosure (FD) equilibrium, α*>1 All benign discoverers disclose Expected loss Proportion of white hats choosing FPD E(L N ) E(L D ) 01
WEIS Possible equilibria: Expected loss Proportion of white hats choosing FPD E(L N ) E(L D ) 3. Mixed strategy equilibrium, 0<α*<1 Some benign discoverers disclose, others don’t 01
WEIS FPD tends to occur more often as…
WEIS FPD tends to occur more often as… Bugs become easier to discover FPD tends to occur more often as… Bugs become easier to discover
WEIS FPD tends to occur more often as… Bugs become easier to discover Users get more patient (less myopic) FPD tends to occur more often as… Bugs become easier to discover Users get more patient (less myopic)
WEIS FPD tends to occur more often as… Bugs become easier to discover Users get more patient (less myopic) The number of black hats increases FPD tends to occur more often as… Bugs become easier to discover Users get more patient (less myopic) The number of black hats increases
WEIS FPD tends to occur more often as… Bugs become easier to discover Users get more patient (less myopic) The number of black hats increases It gets more difficult to develop an exploit based on the disclosed information FPD tends to occur more often as… Bugs become easier to discover Users get more patient (less myopic) The number of black hats increases It gets more difficult to develop an exploit based on the disclosed information
WEIS FPD tends to occur more often as… Bugs become easier to discover Users get more patient (less myopic) The number of black hats increases It gets more difficult to develop an exploit based on the disclosed information The effect of the population size is ambiguous FPD tends to occur more often as… Bugs become easier to discover Users get more patient (less myopic) The number of black hats increases It gets more difficult to develop an exploit based on the disclosed information The effect of the population size is ambiguous
WEIS FPD tends to occur more often as… Bugs become easier to discover Users get more patient (less myopic) The number of black hats increases It gets more difficult to develop an exploit based on the disclosed information The effect of the population size is ambiguous FPD tends to occur more often as… Bugs become easier to discover Users get more patient (less myopic) The number of black hats increases It gets more difficult to develop an exploit based on the disclosed information The effect of the population size is ambiguous If the social loss function equals the aggregate damage from attacks…
WEIS FPD tends to occur more often as… Bugs become easier to discover Users get more patient (less myopic) The number of black hats increases It gets more difficult to develop an exploit based on the disclosed information The effect of the population size is ambiguous FPD tends to occur more often as… Bugs become easier to discover Users get more patient (less myopic) The number of black hats increases It gets more difficult to develop an exploit based on the disclosed information The effect of the population size is ambiguous If the social loss function equals the aggregate damage from attacks, then full public disclosure can be socially optimal
WEIS FPD tends to occur more often as… Bugs become easier to discover Users get more patient (less myopic) The number of black hats increases It gets more difficult to develop an exploit based on the disclosed information The effect of the population size is ambiguous FPD tends to occur more often as… Bugs become easier to discover Users get more patient (less myopic) The number of black hats increases It gets more difficult to develop an exploit based on the disclosed information The effect of the population size is ambiguous If the social loss function equals the aggregate damage from attacks, then full public disclosure can be socially optimal Whenever that is the case, it is the equilibrium strategy of individual benign discoverers
WEIS Disclose? Bug discovered by a benign user Massive attack No attack Next discoverer? Game ends NY Fix provided by vendor Game continues… BH WH Disclose? Single attack Y N
WEIS Choice of effort, X N Choice of effort, X Y Disclose? Patch installed? Patch installed? Bug discovered by a benign user Massive attack No attack Next discoverer? Game ends Game ends (no loss) YY N N NY Fix provided by vendor Game continues… BH WH Disclose? Single attack Y N
WEIS More transparent code leads to more effort put into finding a fix and less FPD. Κ=0 Κ>0 So does a greater potential damage from an attack E(L WN )/E(L WD ) α
WEIS What happens to the aggregate damage from attacks? Does it change the incentive structure? Suppose we have a coalition of agents anyone can disclose information to. The composition of the coalition population is assumed the same as for the rest of the world.
WEIS Choice of effort Disclose? Patch installed? Patch installed? Patch installed? Bug discovered Moderate size attack Massive attack No attack Next discoverer? Game ends Game ends (no loss) XCXC XWXW XNXN YYY N N N NW C
WEIS Software is not too complex Such a coalition improves social welfare only if Coalition members are willing to work on a patch Otherwise, a coalition has no effect! AND
Punishing those who choose full public disclosure… …is not a good idea Old New Loss % FD Policy alternatives
Punishing those who choose full public disclosure… …is not a good idea Old New Loss % FD Policy alternatives Let them disclose!
Better security of existing systems (a decrease in C, the loss from an attack) Aggregate loss decreases More frequent disclosure along the way Old New Exp. Loss % FD Policy alternatives
Punishing black hats Aggregate loss decreases More FPD along the way Old New Exp. Loss % FD Policy alternatives Costly but not hopeless
Software quality improvement Fewer bugs discovered Old New Loss % FD Policy alternatives
Software quality improvement Fewer bugs discovered Weaker incentives to disclose Old New Loss % FD + Policy alternatives Both effects have to be taken into account when discussing the effects of software quality improvement!!!
Making vendors issue patches faster Less disclosure Smaller aggregate loss Old New Loss % FD Policy alternatives
Making vendors issue patches faster (One of the roles for the coordinator?) Less disclosure Smaller aggregate loss Old New Loss % FD Policy alternatives
Making the source code transparent Bugs are patched faster (not necessarily by vendors) Less disclosure Smaller aggregate loss Old New Loss % FD Policy alternatives
Making the source code transparent Bugs are patched faster (not necessarily by vendors) Less disclosure Smaller aggregate loss Old New Loss % FD Policy alternatives Would this be a threat to intellectual property rights?
WEIS Endogenizing vendors’ decisions and users’ decision to patch Role of the coordinator Testing the results empirically Endogenizing vendors’ decisions and users’ decision to patch Role of the coordinator Testing the results empirically Future modifications and extensions