The global vulnerability discovery and disclosure system: a thematic system dynamics approach

dc.contributor.advisor Hilton, J C Lewis, P S 2017-10-23T11:37:08Z 2017-10-23T11:37:08Z 2017-10-23
dc.description.abstract Vulnerabilities within software are the fundamental issue that provides both the means and the opportunity for malicious threat actors to compromise critical IT systems (Younis et al., 2016). Consequently, the reduction of vulnerabilities within software should be of paramount importance; however, it is argued that software development practitioners have historically failed to reduce the risks associated with software vulnerabilities. This failure is illustrated by the growth of software vulnerabilities over the past 20 years. This increase, which is both unprecedented and unwelcome, has led to an acknowledgement that novel and radical approaches are needed both to understand the vulnerability discovery and disclosure system (VDDS) and to mitigate the risks associated with software vulnerabilities (Bradbury, 2015; Marconato et al., 2012). The findings from this research show that whilst technological mitigations are vital, the social and economic features of the VDDS are of critical importance. For example, hitherto unknown systemic themes identified by this research are key and include: Perception of Punishment; Vendor Interactions; Disclosure Stance; Ethical Considerations; Economic Factors for Discovery and Disclosure; and Emergence of New Vulnerability Markets. Each theme uniquely impacts the system and, ultimately, the scale of vulnerability-based risks. Within the research, each theme within the VDDS is represented by several key variables which interact and shape the system, specifically: Vendor Sentiment; Vulnerability Removal Rate; Time to Fix; Market Share; Participants within the VDDS; Full and Coordinated Disclosure Ratio; and Participant Activity. Each variable is quantified and explored, defining both its parameter space and its progression over time. These variables are utilised within a system dynamics model to simulate differing policy strategies and assess the impact of these policies upon the VDDS.
Three simulated vulnerability disclosure futures are hypothesised and presented, characterised as depletion, steady and exponential, with each scenario dependent upon the parameter space of the key variables. en_UK
dc.language.iso en en_UK
dc.rights © Cranfield University, 2015. All rights reserved. No part of this publication may be reproduced without the written permission of the copyright holder. en_UK
dc.subject Cyber security en_UK
dc.title The global vulnerability discovery and disclosure system: a thematic system dynamics approach en_UK
dc.type Thesis or dissertation en_UK
dc.type.qualificationlevel Doctoral en_UK
dc.type.qualificationname PhD en_UK