Comments on: Towards an Economic Analysis of Disclosure http://emergentchaos.com/archives/2005/01/towards-an-economic-analysis-of-disclosure.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Financial Cryptography http://emergentchaos.com/archives/2005/01/towards-an-economic-analysis-of-disclosure.html/comment-page-1#comment-323 Financial Cryptography Mon, 14 Feb 2005 07:51:17 +0000 http://emergentchaos.com/?p=414#comment-323 <strong>Full disclosure: for and against</strong> How to address Internet security in an open source world is a simmering topic. Frank Hecker has documented his view of the Mozilla Full Disclosure debate that led to their current security policy. I haven't read it yet, but will.... Full disclosure: for and against

How to address Internet security in an open source world is a simmering topic. Frank Hecker has documented his view of the Mozilla Full Disclosure debate that led to their current security policy. I haven’t read it yet, but will….

]]> By: Financial Cryptography http://emergentchaos.com/archives/2005/01/towards-an-economic-analysis-of-disclosure.html/comment-page-1#comment-322 Financial Cryptography Mon, 31 Jan 2005 09:45:21 +0000 http://emergentchaos.com/?p=414#comment-322 <strong>Security Breach Disclosure is required for the consumer to adjust risk assessment</strong> I was knowingly guilty of asking an innocent question last week on economics of disclosure. My penance will be forthcoming, no doubt, but in the meantime the question rebounds in the RFID breach post of yesterday. Jim posted:... Security Breach Disclosure is required for the consumer to adjust risk assessment

I was knowingly guilty of asking an innocent question last week on economics of disclosure. My penance will be forthcoming, no doubt, but in the meantime the question rebounds in the RFID breach post of yesterday. Jim posted:…

]]> By: Adam http://emergentchaos.com/archives/2005/01/towards-an-economic-analysis-of-disclosure.html/comment-page-1#comment-320 Adam Sat, 29 Jan 2005 13:41:27 +0000 http://emergentchaos.com/?p=414#comment-320 "but they are on both sides of the equation" That's exactly my point -- each interested parties has the option to invest in certain activities with a variety of payoffs. In manipulating the costs and payoffs, we're seeking some optimum. Rahul Telang and company, in their papers point out that there are a number of ways we can attempt to measure if we're neutral. If we're not neutral, if we care much more about our own costs, then we seek to minimize our costs at the expense of the other players. There's a lot of this going on, all along the spectrum. “but they are on both sides of the equation”
That’s exactly my point — each interested parties has the option to invest in certain activities with a variety of payoffs. In manipulating the costs and payoffs, we’re seeking some optimum. Rahul Telang and company, in their papers point out that there are a number of ways we can attempt to measure if we’re neutral. If we’re not neutral, if we care much more about our own costs, then we seek to minimize our costs at the expense of the other players. There’s a lot of this going on, all along the spectrum.

]]> By: Pete http://emergentchaos.com/archives/2005/01/towards-an-economic-analysis-of-disclosure.html/comment-page-1#comment-319 Pete Thu, 27 Jan 2005 23:57:07 +0000 http://emergentchaos.com/?p=414#comment-319 I think it is extremely important to factor in the point of view here. Costs are borne by at least four constituencies here - researchers, software developers, users, and attackers, but they are on both sides of the equation, aren't they? These are opposing forces, as far as I can tell. I would take the point of view of the enterprise by comparing the costs of my supplier plus the cost of my defense and response to the cost of the researcher plus the cost of the attacker. And don't forget that there are (must be) significant benefits, intangible or not, to researchers and attackers, or they wouldn't pursue it. I think it is extremely important to factor in the point of view here. Costs are borne by at least four constituencies here – researchers, software developers, users, and attackers, but they are on both sides of the equation, aren’t they? These are opposing forces, as far as I can tell.
I would take the point of view of the enterprise by comparing the costs of my supplier plus the cost of my defense and response to the cost of the researcher plus the cost of the attacker. And don’t forget that there are (must be) significant benefits, intangible or not, to researchers and attackers, or they wouldn’t pursue it.

]]> By: EKR http://emergentchaos.com/archives/2005/01/towards-an-economic-analysis-of-disclosure.html/comment-page-1#comment-318 EKR Thu, 27 Jan 2005 14:14:32 +0000 http://emergentchaos.com/?p=414#comment-318 It seems to me you're missing the cost to the users of having the vulnerability used on their machines. It seems to me you’re missing the cost to the users of having the vulnerability used on their machines.

]]> By: adam http://emergentchaos.com/archives/2005/01/towards-an-economic-analysis-of-disclosure.html/comment-page-1#comment-317 adam Thu, 27 Jan 2005 13:00:45 +0000 http://emergentchaos.com/?p=414#comment-317 I had missed both of those, thanks! Kannan, et al use a model with fewer participants: "There are four types of participants in this marketplace – the information intermediary, benign identifier, malign identifier and software users." I think that the other participants I've identified are useful, but I like their characterization of the market models. They also take things much further than I have--their work goes through the next steps that I hadn't thought through in any depth. I had missed both of those, thanks!
Kannan, et al use a model with fewer participants:
“There are four types of participants in this marketplace – the information intermediary, benign identifier, malign identifier and software users.” I think that the other participants I’ve identified are useful, but I like their characterization of the market models. They also take things much further than I have–their work goes through the next steps that I hadn’t thought through in any depth.

]]> By: Financial Cryptography http://emergentchaos.com/archives/2005/01/towards-an-economic-analysis-of-disclosure.html/comment-page-1#comment-321 Financial Cryptography Thu, 27 Jan 2005 12:54:34 +0000 http://emergentchaos.com/?p=414#comment-321 <strong>Towards an Economic Analysis of Disclosure</strong> Adam says an economic analysis of Disclosure (of security bugs) has never been done, and makes a good start at it (perhaps in order to distract me from the stock market losses...). His list of costs are: 1. researcher, 2.... Towards an Economic Analysis of Disclosure

Adam says an economic analysis of Disclosure (of security bugs) has never been done, and makes a good start at it (perhaps in order to distract me from the stock market losses…). His list of costs are: 1. researcher, 2….

]]> By: Chris Walsh http://emergentchaos.com/archives/2005/01/towards-an-economic-analysis-of-disclosure.html/comment-page-1#comment-316 Chris Walsh Thu, 27 Jan 2005 01:10:44 +0000 http://emergentchaos.com/?p=414#comment-316 Have you looked at work by Karthik Kannan, Rahul Telang, Ashish Arora, and Hao Xu? <a href="http://www.dtc.umn.edu/weis2004/weis-xu.pdf" rel="nofollow">http://www.dtc.umn.edu/weis2004/weis-xu.pdf</a> <a href="http://csdl.computer.org/comp/proceedings/hicss/2004/2056/07/205670180a.pdf" rel="nofollow">http://csdl.computer.org/comp/proceedings/hicss/2004/2056/07/205670180a.pdf</a> Have you looked at work by Karthik Kannan, Rahul Telang, Ashish Arora, and Hao Xu?
http://www.dtc.umn.edu/weis2004/weis-xu.pdf
http://csdl.computer.org/comp/proceedings/hicss/2004/2056/07/205670180a.pdf

]]>