Vulnerability Pricing
This week, we are going to start looking at vulnerabilities. Vulnerabilities are software bugs — problems with computer software that aren’t intended. But not all bugs are vulnerabilities. Only some of them can be exploited by attackers to get the computer to do something it wasn’t originally programmed to do. Think about it this way: a vulnerability is an unintentional hole that allows attackers to run their own programs on your computer.
We have to “update” software with security updates anytime a vulnerability is discovered. This is the best way to protect our computers — the update closes the hole, thus preventing attackers from controlling our computer. Everyone has installed software updates, and software updates are an annoyance for everyone, but pretty much everyone agrees that they are important.
Vulnerabilities are important. They are sometimes called “cyber weapons” — if you know about a vulnerability in your enemy’s computer, you can use that to take control of their computer and make it work for you. So vulnerabilities are really valuable to attackers because they are the basis of most cyber attacks. And knowing about vulnerabilities is important to defenders, because patching them is the best way to stop attacks.
But why? Why does software have vulnerabilities? Why don’t we just get it right the first time? How do we get people to discover vulnerabilities to tell us (the good guys) and not sell them to attackers for use in cybercrime?
This week, we are going to read some about the economics of cybersecurity, with a particular focus on understanding vulnerabilities. Start with this paper about the economics of cybersecurity.
Read pages 2-6, which should feel familiar because they cover the general economics topics we discussed earlier in class. Then read pages 6-9, the section on the economics of vulnerabilities.
Then, let’s expand on that a bit with some related concepts from economics. We are going to read part of chapter 8 from Ross Anderson’s Security Engineering textbook. Read sections 8.2 (p. 276-280) and 8.3 (p. 281-286), skip 8.4 and 8.5, and then read sections 8.6.1 and 8.6.2 (p. 293-298).
Finally, if you have time, read this paper that looks at why people might not want to install security updates even when they exist.
For this week’s quiz, I want you to consider an interesting policy question. Someone in the US government discovers a vulnerability in commonly used software. They have two options: (1) they can keep the vulnerability secret and give it to the NSA or CIA, who will use it to attack the computer systems of other countries; or (2) they can tell the company that made the software, who will then figure out how to fix it and release a software patch, which will protect both US computers and the computers in other countries. If you worked for the government, how would you decide what to do?