Vulnerability Information


The experts below are selected from a list of 195 experts worldwide ranked by the ideXlab platform.

Yubao Yang - One of the best experts on this subject based on the ideXlab platform.

  • An empirical analysis of software vendors' patch release behavior: impact of vulnerability disclosure
    Information Systems Research, 2010
    Co-Authors: Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang
    Abstract:

    A key aspect of better and more secure software is timely patch release by software vendors for the vulnerabilities in their products. Software vulnerability disclosure, which refers to the publication of vulnerability information, has generated intense debate. An important consideration in this debate is the behavior of software vendors. How quickly do vendors patch vulnerabilities and how does disclosure affect patch release time? This paper compiles a unique data set from the Computer Emergency Response Team/Coordination Center (CERT) and SecurityFocus to answer this question. Our results suggest that disclosure accelerates patch release. The instantaneous probability of releasing the patch rises by nearly two and a half times because of disclosure. Open source vendors release patches more quickly than closed source vendors. Vendors are more responsive to more severe vulnerabilities. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT. We verify our results by using another publicly available data set and find that results are consistent. We also show how our estimates can aid policy makers in their decision making.

  • An empirical analysis of vendor response to software vulnerability disclosure
    2005
    Co-Authors: Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang
    Abstract:

    Software vulnerability disclosure refers to the publication of vulnerability information before a patch to address the vulnerability has been issued by the software vendor. It has generated intense interest and debate. In particular, there have been arguments made both in opposition to and in favor of alternatives such as full and instant disclosure and limited or no disclosure. An important consideration in this debate is the behavior of the software vendor. Does vulnerability disclosure policy have an effect on patch release behavior of software vendors? This paper compiles a unique data set from CERT/CC and SecurityFocus to answer this question. Our results suggest that disclosure policy has a significant positive impact on the vendor patching speed. Vendors are 137% more likely to patch due to disclosure. In particular, instant disclosure hastens the patch delivery by almost 29 days. Open source vendors patch more quickly than closed source vendors and severe vulnerabilities are patched faster. We also find that vendors respond more slowly to vulnerabilities not handled by CERT/CC. This might reflect unmeasured differences in the severity and importance of vulnerabilities. It might also reflect the stronger lines of communication between CERT/CC and vendors, and the value of the vulnerability analysis by CERT/CC.

  • Impact of vulnerability disclosure and patch availability: an empirical analysis
    2004
    Co-Authors: Ashish Arora, Ramayya Krishnan, Anand Nandkumar, Yubao Yang, Rahul Telang, John H Heinz
    Abstract:

    Vulnerability disclosure is an area of public policy that has been subject to considerable debate, particularly between proponents of full and instant disclosure, and those of limited or no disclosure. This paper is an attempt to empirically test the impact of vulnerability information disclosure and availability of patches on attackers' tendency to exploit vulnerabilities on one hand and on the vendors' tendency to release patches on the other. Our results suggest that while vendors are quick to respond to instant disclosure, vulnerability disclosure also increases the frequency of attacks. However, the frequency of attacks decreases over time. We also find that open source vendors patch more quickly than closed source vendors and that large vendors are more responsive.

Ashish Arora - One of the best experts on this subject based on the ideXlab platform.

  • An empirical analysis of software vendors' patch release behavior: impact of vulnerability disclosure
    Information Systems Research, 2010
    Co-Authors: Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang

  • Does information security attack frequency increase with vulnerability disclosure? An empirical analysis
    Information Systems Frontiers, 2006
    Co-Authors: Ashish Arora, Anand Nandkumar, Rahul Telang
    Abstract:

    Research in information security, risk management and investment has grown in importance over the last few years. However, without reliable estimates on attack probabilities, risk management is difficult to do in practice. Using a novel data set, we provide estimates on attack propensity and how it changes with disclosure and patching of vulnerabilities. Disclosure of software vulnerability has been controversial. On one hand are those who propose full and instant disclosure whether the patch is available or not and on the other hand are those who argue for limited or no disclosure. Which of the two policies is socially optimal depends critically on how attack frequency changes with disclosure and patching. In this paper, we empirically explore the impact of vulnerability information disclosure and availability of patches on attacks targeting the vulnerability. Our results suggest that on an average both secret (non-published) and published (published and not patched) vulnerabilities attract fewer attacks than patched (published and patched) vulnerabilities. When we control for time since publication and patches, we find that patching an already known vulnerability decreases the number of attacks, although attacks gradually increase with time after patch release. Patching an unknown vulnerability, however, causes a spike in attacks, which then gradually decline after patch release. Attacks on secret vulnerabilities slowly increase with time until the vulnerability is published and then attacks rapidly decrease with time after publication.

  • An empirical analysis of vendor response to software vulnerability disclosure
    2005
    Co-Authors: Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang

  • Impact of vulnerability disclosure and patch availability: an empirical analysis
    2004
    Co-Authors: Ashish Arora, Ramayya Krishnan, Anand Nandkumar, Yubao Yang, Rahul Telang, John H Heinz

Rahul Telang - One of the best experts on this subject based on the ideXlab platform.

  • An empirical analysis of software vendors' patch release behavior: impact of vulnerability disclosure
    Information Systems Research, 2010
    Co-Authors: Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang

  • Does information security attack frequency increase with vulnerability disclosure? An empirical analysis
    Information Systems Frontiers, 2006
    Co-Authors: Ashish Arora, Anand Nandkumar, Rahul Telang

  • An empirical analysis of vendor response to software vulnerability disclosure
    2005
    Co-Authors: Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang

  • Impact of vulnerability disclosure and patch availability: an empirical analysis
    2004
    Co-Authors: Ashish Arora, Ramayya Krishnan, Anand Nandkumar, Yubao Yang, Rahul Telang, John H Heinz

M Kezunovic - One of the best experts on this subject based on the ideXlab platform.

  • Static security analysis based on weighted vulnerability index
    2011 IEEE Power and Energy Society General Meeting, 2011
    Co-Authors: Chengzong Pang, M Kezunovic
    Abstract:

    This paper proposes a weighted vulnerability index method for power system static security analysis. The power system can be modeled as a directed graph network based on the power flow results. Betweenness centrality is calculated to measure the importance of each vertex and edge in the modeled network, which is used to determine the weights for the proposed weighted vulnerability index method. The performance of the proposed method is verified by using the standard IEEE 39-bus New England system. Case studies include the vulnerability analysis for different load conditions and static N-1 contingency. The results indicate that the proposed method is a good way to assess the system security and vulnerability information.

  • Static analysis of vulnerability and security margin of the power system
    2005/2006 IEEE PES Transmission and Distribution Conference, 2006
    Co-Authors: H Song, M Kezunovic
    Abstract:

    This paper introduces new concepts for evaluation of the power system steady state operations, namely the vulnerability index (VI) and margin index (MI). They provide quantitative vulnerability and security margin information about generation, transmission, load conditions and then the whole system. System operators can assess the system security and vulnerability information using the margin and vulnerability indices. Therefore, they can take some preventive and emergency control steps to keep the system operating at the secure level.

  • Static security analysis based on vulnerability index (VI) and network contribution factor (NCF) method
    Proceedings of the IEEE Power Engineering Society Transmission and Distribution Conference, 2005
    Co-Authors: H Song, M Kezunovic
    Abstract:

    This paper introduces a new approach to power system static security analysis based on the vulnerability index (VI) and network contribution factor (NCF) method. The vulnerability index method provides quantitative vulnerability information about generation, transmission, load condition, and the whole system. The NCF method gives fast approximate power flow results due to parameter change (contingency) based on the base load flow condition and network information. The contingency list can be chosen based on the NCF method and VI evaluation. Comparison with the full AC power flow method shows that this approach is promising for fast and accurate static security analysis.

N G Wright - One of the best experts on this subject based on the ideXlab platform.

  • A network of knowledge on applying an indicator-based methodology for minimizing flood vulnerability
    Hydrological Processes, 2009
    Co-Authors: S F Balica, N G Wright
    Abstract:

    Flood vulnerability assessment plays a key role in the area of risk management. Therefore, techniques that make this assessment more straightforward and at the same time improve the results are important. In this briefing, we present an automated calculation of a flood vulnerability index implemented through a web management interface (PHP) that enhances the ability of decision makers to strategically guide investment. To test the applicability of this methodology using this website, many case studies are required in order to cover the full range of cases in terms of scale such as river basin, subcatchment and urban area. This requires prompt solutions with large amounts of data and this has led to the development of this automated tool to help organize, monitor, process and compare the data of different case studies. The authors aim to create a network of knowledge between different institutions and universities in which this methodology is used. It is also hoped to encourage collaboration between the members of the network on managing flood vulnerability information and also promoting further studies on flood risk assessment at all scales.