      Three Essays On Information Security Policies.


      https://www.riss.kr/link?id=T13048802

      • Author
      • Publication

        [S.l.]: Carnegie Mellon University 2011

      • Degree-granting institution

        Carnegie Mellon University School of Public Policy and Management, H. John Heinz III College

      • Year awarded

        2011

      • Language

        English

      • Keywords
      • Degree

        Ph.D.

      • Pages

        108 p.

      • Adviser/Committee

        Adviser: Rahul Telang.


      Additional information

      Multilingual Abstract

      Information security breaches pose a significant and increasing threat to national security and economic well-being. In the Symantec Internet Security Threat Report (2003), companies surveyed experienced an average of about 30 attacks per week. Anecdotal evidence suggests that losses from cyber-attacks can run into millions of dollars. The CSI-FBI survey (2005) estimates that the loss per company was more than $500,000 in 2004 and more than $200,000 in 2005.
      Besides the common view that information security can be resolved by technology measures, many researchers have noticed the business aspects of information security. The literature in the economics of information security attributes the reasons that cause the difficulties in information security to business factors like misalignment of incentives and externality.
      This research analyzes the information security policies that attempt to address the above issues. In particular, this research focuses on the following topics: (1) the vulnerability disclosure policy of several major vulnerability information outlets and their implications for the vendors' patch release behavior; (2) the conformance of software vendors to one of the most important software product security quality certification standards, Common Criteria certification; (3) the effectiveness of Common Criteria certification in improving the security quality of software products.
      Chapter 1 studies the software disclosure policy and its impact on vendor patch release behavior. A key aspect of better and more secure software is timely patching of the vulnerabilities by software vendors in their products. Software vulnerability disclosure, which refers to the publication of vulnerability information before a patch has been issued, has generated intense debate. An important consideration in this debate is the behavior of the software vendors. How quickly do vendors patch vulnerabilities, and how does disclosure affect patch release time? This research compiled a unique data set from CERT and SecurityFocus to answer this question. The results suggest that disclosure accelerates patch release. The instantaneous probability of patch release rises by nearly two and a half times due to disclosure. Open source vendors release patches more quickly than closed source vendors. Vendors are also more responsive to severe vulnerabilities. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT, which reflects the stronger lines of communication between CERT and vendors, and the value of the vulnerability analysis by CERT. We verify the results by using another publicly available dataset and find that the results are consistent. We also show how our estimates can aid policy makers in their decision making.
      Chapter 2 contains a theoretical and empirical analysis of the conformance behavior of IT vendors to the Common Criteria certification standard. The Common Criteria certification standard is an effort initiated by the governments of several major industry countries to facilitate communication between vendors and customers with regard to the security quality of the IT product. In this chapter, I study the diffusion of the Common Criteria certification standard. My results show increasing speed of adoption over time, which indicates the success of the approach in fulfilling customer expectations. The Common Criteria certification has created a positive value for the vendors and the customers, and this value has been increasing with time. Moreover, the results show that the diffusion of CC certification is directly influenced by the strategic interaction across vendors. This strategic interaction acts like a 'repelling force' that pushes the vendors' adoption apart from each other. From a public policy point of view this interaction is unfavorable, as it results in delay of the adoption among successive vendors as the number of existing adopters increases.
      Chapter 3 continues the study of Common Criteria certification. In this chapter, I focus on the effectiveness of CC. There have been extensive debates among government, vendors, CC laboratories and security experts on the effectiveness of CC. Despite the different opinions, neither the vendors, nor the government, nor the evaluation laboratories have solid empirical evidence to support their claims. I provide a theoretical and empirical analysis of the extent to which CC is effective in improving software product security quality in this chapter, employing the number of vulnerabilities as the measure of software security quality. The operational hypothesis is that the result of Common Criteria, as a software security quality certification standard, should lead to less vulnerability in the product. In particular, a higher evaluation assurance level should indicate even less vulnerability. And based on the testing evaluation methodology and process, we expect the certification to be more effective in detecting and eliminating vulnerabilities introduced in the design phases than those introduced in the coding phases of the software development process. (Abstract shortened by UMI.)