Dynamic modeling of the cyber security threat problem: The black market for vulnerabilities

Cyber Security and Global Information Assurance: Threat Analysis and Response Solutions

Volumn , Issue , 2009, Pages 1-22

  Radianti, Jaziar ^a   Gonzalez, Jose J ^a  

^a UNIVERSITY OF AGDER   (Norway)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 79952066310     PISSN: None     EISSN: None     Source Type: Book    
DOI: 10.4018/978-1-60566-326-5.ch001     Document Type: Chapter

References (48)

1. Anderson, R. (2001). Why information security is hard, an economic perspective. Paper presented at the 17th Annual Computer Security Applications Conference.
2. Anderson, R., & Moore, T. (2006). The economics of information security. Science, 314, 610-613.
3. Bajada, C., & Schneider, F. (2005). Size, causes and consequences of the underground economy: An International Perspective. Ashgate: Aldershot.
4. Boulding, K. E. (1947). A note on the theory of the black market. The Canadian Journal of Economics and Political Science /Revue canadienne d'Economique et de Science politique, 13(1), 115-118.
5. Böhme, R. (2006). A comparison of market approaches to software vulnerability disclosure. Paper presented at the International Conference, ETRICS 2006, LNCS 3995 Freiburg, Germany.
6. Camp, L. J., & Wolfram, C. (2004). Pricing security, a market in vulnerabilities. In L. J. Camp & S. Lewis (Eds.), Economics of Information Security. Boston: Kluwer Academic Publishers.
7. Cavusoglu, H., Cavusoglu, H., & Raghunathan, S. (2005). Emerging issues in responsible vulnerability disclosure. Paper presented at the 4th Workshop of Economic and Information Security (WEIS), Cambridge, MA, USA.
8. CERT/CC. (2000). Vulnerability disclosure policy. CERT Coordination Center. Retrieved June 10, 2007.
9. Clinard, M. B. (1969). The Black market: a study of white collar crime. Montclair, New Jersey: Patterson Smith.
10. Coase, R. H. (1988). The Firm, the market and the law. Chicago: The University of Chicago.
11. CyberEye. (2001). CERT's full-disclosure policy is responsible, but mistrust remains. Retrieved April, 15, 2007, from http://www.gcn.com/state/vol7_no1/tech-report/946-1.html
12. DeLong, J. B., & Froomkin, A. M (2000). Speculative microeconomics for tomorrow's Economy. In H. R. Varian (Ed.), Internet publishing & beyond: The economics of digital information & intellectual. Cambridge, MA, USA: MIT Press.
13. Du, W., & Mathur, A. P. (1998). Categorization of software errors that led to security breaches. Paper presented at the 21st National Information Systems Security Conference, Crystal City, Virginia, VA.
14. Evers, J. (2007). Offering a bounty for security bugs [Electronic Version], 2007. Retrieved from http://news.com.com/Offering+a+bounty+for+se curity+bugs/2100-7350_3-5802411.html?tag=sas.email
15. Francis, B. (2005). Know thy hacker. Retrieved April 28, 2007, from http://www.infoworld.com/article/05/01/28/05OPsecadvise_1.html
16. Franklin, J., Paxson, V., Perrig, A., & Savage, S. (2007). An inquiry into the nature and causes of the wealth of internet miscreants. Paper presented at the 14 th ACM Conference on Computer and Communications Security (CCS), Alexandria, VA, USA.
17. Gravelle, H., & Rees, R. (1981). Microeconomics. London: Longman.
18. Grimes, R. A. (2005). The full disclosure debate. Retrieved June 19, 2007, from http://www.infoworld.com/article/05/09/30/40OPsecadvise_1.html
19. IBM. (2007). IBM internet security systems X-Force 2006 trend statistics [Electronic Version]. Retrieved January, from http://www.iss.net/documents/whitepapers/X_Force_Exec_Brief.pdf
20. Kannan, K., & Telang, R. (2005). Market for software vulnerabilities? Think again. Management Science, 51(5), 726-740.
21. Landwehr, C. E., Bull, A. R., Mc. Dermott, J. P., & Choi, W. S. (1994). A taxonomy of computer program security flaws, with examples. ACM Computing Surveys, 26(3).
22. Lemos, R. (2004). Mozilla puts bounty on bugs. Retrieved June 10, 2007, from http://news.com.com/Mozilla+puts+bounty+on+bugs/2100-1002_3-5293659.html
23. Levy, E. (2001). Full disclosure is a necessary evil. Retrieved June 10, 2007, from http://www.securityfocus.com/news/238
24. Middleton, J. (2001). Coalition condemns full disclosure. Retrieved April 10 2007, from http://www.vnunet.com/vnunet/news/2116546/coalition-condemns-full-disclosure
25. OIS. (2004). Guidelines for security vulnerability reporting and response [Electronic Version], 2007, from http://www.oisafety.org/guidelines/
26. Ozment, A. (2004). Bug auctions: vulnerability market reconsidered. Paper presented at the Workshop of Economics and Information Security (WEIS), Minneapolis, MN.
27. Ozment, A., & Schechter, S. (2006). Milk or wine: does software security improve with age? Paper presented at the The Fifteenth Usenix Security Symposium. July 31 - August 4 2006, Vancouver, BC, Canada.
28. PandaLabs. (2007). Quarterly report PandaLabs [Electronic Version]. Retrieved July 15, 2007, from http://www.pandasecurity.com/
29. Parkin, M., Powell, M., & Matthews, K. Economics. (2005). Harlow, England: Pearson Addison Wesley.
30. Perloff, J. M. (2007). Microeconomics (Fourth Edition ed.). Boston: Pearson, Addison Wesley.
31. Radianti, J., & Gonzalez, J. J. (2007). A preliminary model of the vulnerability black market. Paper presented at the the 25th International System Dynamics Conference Boston, USA.
32. Randers, J. (1980). Elements of the system dynamics method. Cambridge, Massachusetts: The MIT Press.
33. Rauch, J. (1999). The Future of vulnerability disclosure? Retrieved June 19, 2007, from http://www.usenix.org/publications/login/1999-11/features/disclosure.html
34. Ray, S. K. (1981). Economics of the black market. Boulder, Colorado: Westview Press.
35. Rescola, E. (2004). Is finding security holes a good idea? Paper presented at the The Third Workshop on the Economics of Information Security, Minneapolis.
36. Richardson, G. P., & Alexander L. Pugh III. (1981). Introduction to system dynamics modeling. Portland, Oregon: Productivity Press.
37. Schechter, S. (2002). How to buy better testing: using competition to get the most security and robustness for your dollar. Paper presented at the Infrastructures Security Conference, Bristol, UK.
38. Schneier, B. (2000a). Full disclosure and the window of exposure. Crypto-Gram Newsletter Retrieved March 10, 2006, from http://www.schneier.com/crypto-gram-0009.html#1
39. Schneier, B. (2000b). Publicizing vulnerabilities. Retrieved April 10, 2007, from http://www.schneier.com/crypto-gram-0002.html
40. Schneier, B. (2001). Bug secrecy vs. full disclosure. Retrieved April 10, 2007, from http://news.zdnet.com/2100-9595_22-531066.html
41. Schneier, B. (2006). Economics and information security. Retrieved December 12, 2006, from http://www.schneier.com/blog/archives/2006/06/economics_and_i_1.html
42. Schneier, B. (2007). Schneier: full disclosure of security vulnerabilities a 'damned good idea'. Retrieved June 19, 2007, from http://www.schneier.com/essay-146.html
43. Seacord, R. C., & Householder, A. D. (2005). A structured approach to classifying security vulnerabilities. Retrieved December 22, 2005, from http://www.sei.cmu.edu/pub/documents/05.reports/pdf/05tn003.pdf
44. Sterman, J. D. (2000). Business dynamics: systems thinking and modeling for a complex world. Boston: Irwin/McGraw-Hill.
45. Sutton, M., & Nagle, F. (2006). Emerging economic models for vulnerability research. Paper presented at the The Fifth Workshop on the Economics of Information Security (WEIS), Robinson College, University of Cambridge, England.
46. Symantec. (2008). Symantec Global Internet Threat Report: Trend for July - Dec 07, [Electronic Version]. Retrieved January, from http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf
47. Varian, H. R. (Ed). (2000). Internet publishing & beyond: the economics of digital information & intellectual.... Cambridge, MA, USA: MIT Press.
48. Zhuge, J., Holz, T., Song, C., Guo, J., Han, X., & Zou, W. (2007). Studying malicious websites and the underground economy on the Chinese website [Electronic Version]. Honeyblog. Retrieved February 25, 2008, from http://honeyblog.org/archives/2007/12/summary.html