ERIC Number: ED548022
Record Type: Non-Journal
Publication Date: 2011
Pages: 114
Abstractor: As Provided
Reference Count: N/A
ISBN: 978-1-2674-8681-3
Three Essays on Information Security Policies
Yang, Yubao
ProQuest LLC, Ph.D. Dissertation, Carnegie Mellon University
Information security breaches pose a significant and increasing threat to national security and economic well-being. In the Symantec Internet Security Threat Report (2003), companies surveyed experienced an average of about 30 attacks per week. Anecdotal evidence suggests that losses from cyber-attacks can run into millions of dollars. The CSI-FBI survey (2005) estimates that the loss per company was more than $500,000 in 2004 and more than $200,000 in 2005. Beyond the common view that information security can be resolved by technological measures, many researchers have noted the business aspects of information security. The literature on the economics of information security attributes the difficulties of information security to business factors such as misaligned incentives and externalities. This research analyzes information security policies that attempt to address these issues. In particular, it focuses on the following topics: (1) the vulnerability disclosure policies of several major vulnerability information outlets and their implications for vendors' patch release behavior; (2) the conformance of software vendors to one of the most important software product security quality certification standards, Common Criteria certification; and (3) the effectiveness of Common Criteria certification in improving the security quality of software products.

Chapter 1 studies software vulnerability disclosure policy and its impact on vendor patch release behavior. A key aspect of better and more secure software is timely patching of vulnerabilities by software vendors in their products. Software vulnerability disclosure, which refers to the publication of vulnerability information before a patch has been issued, has generated intense debate. An important consideration in this debate is the behavior of the software vendors. How quickly do vendors patch vulnerabilities, and how does disclosure affect patch release time? This research compiled a unique data set from CERT and SecurityFocus to answer this question. The results suggest that disclosure accelerates patch release: the instantaneous probability of patch release rises by nearly two and a half times due to disclosure. Open source vendors release patches more quickly than closed source vendors. Vendors are also more responsive to severe vulnerabilities. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT, which reflects the stronger lines of communication between CERT and vendors and the value of the vulnerability analysis performed by CERT. We verify the results using another publicly available dataset and find that the results are consistent. We also show how our estimates can aid policy makers in their decision making.

Chapter 2 contains a theoretical and empirical analysis of the conformance behavior of IT vendors to the Common Criteria certification standard. The Common Criteria certification standard is an effort initiated by the governments of several major industrialized countries to facilitate communication between vendors and customers with regard to the security quality of IT products. In this chapter, I study the diffusion of the Common Criteria certification standard. My results show increasing speed of adoption over time, which indicates the success of the approach in fulfilling customer expectations. Common Criteria certification has created positive value for vendors and customers, and this value has been increasing with time. Moreover, the results show that the diffusion of CC certification is directly influenced by strategic interaction across vendors. This strategic interaction acts like a 'repelling force' that pushes the vendors' adoption decisions apart from each other. From a public policy point of view this interaction is unfavorable, as it delays adoption among successive vendors as the number of existing adopters increases.

Chapter 3 continues the study of Common Criteria certification. In this chapter, I focus on the effectiveness of CC. There have been extensive debates among government, vendors, CC laboratories and security experts on the effectiveness of CC. Despite the differing opinions, neither the vendors, nor the government, nor the evaluation laboratories have solid empirical evidence to support their claims. In this chapter I provide a theoretical and empirical analysis of the extent to which CC is effective in improving software product security quality, employing the number of vulnerabilities as the measure of software security quality. The operational hypothesis is that Common Criteria, as a software security quality certification standard, should lead to fewer vulnerabilities in the product. In particular, a higher evaluation assurance level should indicate even fewer vulnerabilities. Based on the testing evaluation methodology and process, we expect the certification to be more effective in detecting and eliminating vulnerabilities introduced in the design phases than those introduced in the coding phases of the software development process. (Abstract shortened by UMI.) [The dissertation citations contained here are published with the permission of ProQuest LLC. Further reproduction is prohibited without permission. Copies of dissertations may be obtained by telephone: 1-800-521-0600. Web page:]
ProQuest LLC. 789 East Eisenhower Parkway, P.O. Box 1346, Ann Arbor, MI 48106. Tel: 800-521-0600; Web site:
Publication Type: Dissertations/Theses - Doctoral Dissertations
Education Level: N/A
Audience: N/A
Language: English
Sponsor: N/A
Authoring Institution: N/A