An Economic Analysis of Behavior in the Software Vulnerability Market (软件漏洞市场的经济学行为分析)
Abstract

This thesis first analyzes, from an economic standpoint, why a market for software vulnerabilities forms. From the behavioral characteristics of the market's main participants it builds a game model, and for the two decision variables, software release time and number of residual vulnerabilities, a profit-maximization model whose solution gives the equilibrium between them; on that basis it refines the published vulnerability-market model. The main work is as follows:

1. The causes of software vulnerabilities, the structure of the vulnerability market and the behavior of its participants are analyzed; a game model relating software release time to the number of vulnerabilities is constructed and its optimal equilibrium is solved for.

2. Building on the market-structure analysis, an improved model is proposed to address a weakness of the existing theoretical model of the vulnerability-information market, in which the hacker's payoff from using vulnerability information to attack software users is specified incompletely. The improved model is based on the competition between hackers and software testers. It is used to analyze the investment level at which security staff defend most effectively against attackers; MATLAB simulation yields the constraint relationship between the optimal investment level and cost and benefit, the results are analyzed, and recommendations for designing incentive mechanisms are derived.

3. For the stage after a vulnerability has been discovered, a patch management strategy is introduced. It analyzes, mainly from the software user's perspective, the consumer's decision whether to download a patch, and discusses how software pricing, the cost of downloading the patch and the potential loss from attack affect that decision, with the aim of giving users better incentives. This provides a reference for monitoring the software vulnerability market more effectively and for managing the security problems that vulnerabilities cause.
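The patch-download decision in item 3 is stated only in words: a user weighs the cost of obtaining and installing the patch against the loss an attack would inflict. The following Python model is an added illustration, not code or a model from the thesis; its structure (uniform patching costs up to c_max, an attack probability p(u) = p_max * u that rises with the unpatched fraction u, a loss L, the rule "patch iff expected loss >= cost", and the sample parameters c_max = 10, L = 100, p_max = 0.05) is entirely hypothetical. It solves for the equilibrium unpatched fraction, compares it with the fraction a planner would choose, and computes how far patching cost must fall to close the gap, which is the incentive question the abstract raises.

```python
"""Patching-decision model with a network externality.

Added illustration, not code or a model from the thesis. Every assumption
is hypothetical and chosen only to make the decision structure concrete:
  - a unit mass of users, each with a private patching cost c (download,
    install, regression risk) drawn uniformly from [0, c_max];
  - if a fraction u of users stays unpatched, any given unpatched user is
    attacked with probability p(u) = p_max * u (a larger unpatched
    population is a more attractive target);
  - an unpatched user who is attacked loses L;
  - a user patches iff the expected loss p(u) * L is at least her cost c.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PatchMarket:
    c_max: float   # upper bound of the uniform patching cost (hypothetical)
    loss: float    # L: loss of an unpatched user under attack (hypothetical)
    p_max: float   # attack probability when nobody patches, u = 1 (hypothetical)

    def attack_prob(self, unpatched: float) -> float:
        """p(u): attack probability faced by an unpatched user."""
        return self.p_max * unpatched

    def best_response(self, believed_unpatched: float) -> float:
        """Fraction that stays unpatched when every user expects `believed_unpatched`.

        Users patch iff c <= p(u) * L; with c ~ U[0, c_max] that is the
        fraction min(1, p(u) * L / c_max) of the population.
        """
        threshold = self.attack_prob(believed_unpatched) * self.loss
        patched = min(1.0, threshold / self.c_max)
        return 1.0 - patched

    def equilibrium(self, tol: float = 1e-10, max_iter: int = 10_000) -> float:
        """Unpatched fraction u* with u* = best_response(u*), by damped fixed-point iteration."""
        u = 0.5
        for _ in range(max_iter):
            nxt = self.best_response(u)
            if abs(nxt - u) < tol:
                return nxt
            u = 0.5 * (u + nxt)          # damping keeps the iteration stable
        raise RuntimeError("fixed-point iteration did not converge")

    def social_cost(self, unpatched: float) -> float:
        """Total cost if the cheapest (1 - u) of users patch and u stay unpatched.

        Patching cost of the patched users: the integral of c over
        [0, c_max * (1 - u)] under density 1/c_max, i.e. c_max * (1 - u)^2 / 2.
        Expected attack loss of the unpatched users: u * p(u) * L.
        """
        patching = self.c_max * (1.0 - unpatched) ** 2 / 2.0
        attack = unpatched * self.attack_prob(unpatched) * self.loss
        return patching + attack

    def socially_optimal_unpatched(self, steps: int = 100_000) -> float:
        """Unpatched fraction a planner would choose, by grid search over [0, 1]."""
        best_u, best_cost = 0.0, float("inf")
        for i in range(steps + 1):
            u = i / steps
            cost = self.social_cost(u)
            if cost < best_cost:
                best_u, best_cost = u, cost
        return best_u

    def cost_cap_for_target(self, target_unpatched: float) -> float:
        """c_max at which the equilibrium unpatched fraction equals `target_unpatched`.

        Solving u = 1 - p_max * u * L / c for c gives c = u * p_max * L / (1 - u);
        a vendor that lowers patching cost to this level (one-click updates,
        a subsidy) moves the equilibrium to the target.
        """
        return target_unpatched * self.p_max * self.loss / (1.0 - target_unpatched)


if __name__ == "__main__":
    # Constructed sample parameters, not figures from the thesis.
    m = PatchMarket(c_max=10.0, loss=100.0, p_max=0.05)
    u_eq = m.equilibrium()
    u_opt = m.socially_optimal_unpatched()
    print(f"equilibrium unpatched fraction : {u_eq:.3f}")                   # 0.667
    print(f"socially optimal unpatched     : {u_opt:.3f}")                  # 0.500
    print(f"c_max that reaches the optimum : {m.cost_cap_for_target(u_opt):.2f}")  # 5.00
```

Run as a script it prints the three quantities. With the sample parameters two thirds of users stay unpatched in equilibrium while the planner would leave only half unpatched, because each user ignores that her unpatched host raises the attack probability for everyone else; halving c_max (for example by making patches one-click or subsidising them) shifts the equilibrium to the planner's choice, which is the kind of incentive lever the abstract's third item is about.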
References

[1] Liu Yan, Cao Hongqiang. A preliminary study of the economics of information security [J]. 安全网络技术应用 (Network Security Technology and Application), 2003, (3): 21-22.
[2] Camp J. The state of economics of information security [J/OL]. I/S: A Journal of Law and Policy, 2008, 22: 190-204. http://www.is-journal.org/V02I02/2ISJLP189-Camp.pdf
[3] Longstaff T A, Pethia R, Chittister C, Haimes Y Y. Are we forgetting the risks of information technology? [J]. IEEE Computer, 2001, 3: 43-52.
[4] Camp J, Wolfram C. Pricing security [C]. Proceedings of the CERT Information Survivability Workshop, 2000: 31-39.
[5] Anderson R. Why information security is hard: an economic perspective [C]. ACSAC '01: Proceedings of the 17th Annual Computer Security Applications Conference. Washington, DC, USA: IEEE Computer Society, 2001: 358.
[6] Gordon L A, Loeb M P. Using information security as a response to competitor analysis systems [J]. Communications of the ACM, 2001, 44(9): 70-75.
[7] Geer D. Making choices to show ROI [J]. Secure Business Quarterly, 2005, 1(2): 1-5.
[8] Anderson R, Moore T. The economics of information security [J]. Science, 2006, 314: 610.
[9] Wash R. Information, incentives, and the economics of security and privacy [J/OL]. http://archive.nyu.edu/bitstream/2451/15014/2/Infosec_ISR%2BWalsh.pdf
[10] Rescorla E. Is finding security holes a good idea? [C/OL]. Third Workshop on the Economics of Information Security, 2004. http://www.dtc.umn.edu/weis2004/rescorla.pdf
[11] Ozment A. The likelihood of vulnerability rediscovery and the social utility of vulnerability hunting [C/OL]. Fourth Workshop on the Economics of Information Security, 2005. http://www.infosecon.net/workshop/pdf/10.pdf
[12] Ozment A, Schechter S E. Milk or wine: does software security improve with age? [C]. 15th USENIX Security Symposium, 2006: 93-104.
[13] Arora A, Telang R, Xu H. Optimal policy for software vulnerability disclosure [C/OL]. Third Workshop on the Economics of Information Security, 2004. http://www.dtc.umn.edu/weis2004/xu.pdf
[14] Arora A, Krishnan R, Nandkumar A, Telang R, Yang Y. Impact of vulnerability disclosure and patch availability: an empirical analysis [C]. Third Workshop on the Economics of Information Security, 2004.
[15] Camp L, Wolfram C. Pricing security [C]. Proceedings of the CERT Information Survivability Workshop, 2000: 320-339.
[16] Schechter S. How to buy better testing: using competition to get the most security and robustness for your dollar [C]. Infrastructure Security Conference, 2002: 97-113.
[17] Schechter S. Quantitatively differentiating system security [C]. Workshop on Economics and Information Security, 2002: 163-179.
[18] Schechter S E. Computer Security Strength & Risk: A Quantitative Approach [D]. PhD thesis, Harvard University, 2004.
[19] Ozment A. Bug auctions: vulnerability markets reconsidered [C/OL]. Third Workshop on the Economics of Information Security, 2004. http://www.dtc.umn.edu/weis2004/ozment.pdf
[20] Kannan K, Telang R. An economic analysis of market for software vulnerabilities [C]. Workshop on Economics and Information Security, 2004: 213-224.
[21] Miller C. Independent Security Evaluators, 2007.
[22] Akerlof G A. The market for 'lemons': quality uncertainty and the market mechanism [J]. Quarterly Journal of Economics, 1970, 84: 488-500.
[23] PIN management requirements: PIN entry device security requirements manual [J/OL]. 2004. http://partnernetwork.visa.com/dv/pin/pdf/Visa ATM Security/ Requirements.pdf
[24] Anderson R, Moore T. The economics of information security [J]. Science, 2006, 314: 610.
[25] Arora A, Caulkins J P, Telang R. Sell first, fix later: impact of patching on software quality [J]. Management Science, 2006, 52(3): 465-471.
[26] Wash R. Information, incentives, and the economics of security and privacy [J/OL]. http://archive.nyu.edu/bitstream/2451/15014/2/Infosec_ISR%2BWalsh.pdf
[27] Böhme R. A comparison of market approaches to software vulnerability disclosure [C]. ETRICS, 2006: 298-311.
[28] Harsanyi J C. Games with incomplete information played by 'Bayesian' players, Parts I-III [J]. Management Science, 1967/68, 14: 159-183, 320-334, 486-502.
[29] Hausken K. Income, interdependence, and substitution effects affecting incentives for security investment [J]. Journal of Accounting and Public Policy, 2006, 25(6): 629-665.
[30] Kunreuther H, Heal G. Interdependent security [J]. The Journal of Risk and Uncertainty, 2003, 26(2/3): 231-249.
[31] Böhme R. Vulnerability markets: what is the economic value of a zero-day exploit? [C]. Proceedings of 22C3, 2005: 27-30.
[32] Wang Jun. Economic analysis of information security and research on management strategies [D]. Harbin Institute of Technology, 2007.
[33] August T, Tunca T I. Let the pirates patch? An economic analysis of software security patch restrictions [J]. Information Systems Research, 2008, 19(1): 48-70.
[34] August T, Tunca T I. Network software security and user incentives [J]. Management Science, 2006, 52(11): 1703-1720.
[35] Dacey R F. Effective patch management is critical to mitigating software vulnerabilities [R]. GAO-03-1138T, 2003: 57-62.
[36] Shostack A. Quantifying patch management [J]. Secure Business Quarterly, 2003, 3(2): 18-23.
[37] McGhie L. Software patch management: the new frontier [J]. Secure Business Quarterly, 2003, 3(2): 23-45.
[38] Zhou Zhiyou. On information security issues [J]. 术语标准化与信息技术 (Terminology Standardization and Information Technology), 2008, (3): 43-45.