Adam says an economic analysis of Disclosure (of security bugs) has never been done, and makes a good start at it (perhaps in order to distract me from the stock market losses...). His list of costs are: 1. researcher, 2. primary vendor, 3. user patching, 4. secondary (layered) vendors, 5. attacker.
To which I would add this:
A. there is a cost to the user if they *don't* patch. That is, the user faces costs regardless, and in the decision to patch or not patch, they face one of two possibilities. Patching costs are low, but in the aggregate high. Not-patching costs are high individually, but in the aggregate, low(er). The question arises what the probability for breach event is, and what the cost of that breach is. This (multiplied) would then be compared against the user's patch costs.
B. there is also the decision not to disclose. In the event of not disclosing, we are essentially taking a gamble that nobody else figures it out (i.e., the decision not to disclose is the same as the decision to use security by obscurity, but by a different party). The key question I suppose is, "what is the probability that the information will still find its way to an attacker?" If that probability is low, then there might be merit in not disclosing. But, if one can show that this is information that is likely to get to the attacker, that merit disappears.
Once we identify all these different costs .. and probabilities, it should be a snap to develop a model that gives us some predictions! So yes I'm happy, especially as the economics of stock market shifts is so much voodoo anyway ;-)
Posted by iang at January 27, 2005 12:29 PM | TrackBackregarding A, absolutely! That tradeoff, and how to make it was the core of my paper with Crispin Cowan and Steve Beattie on 'Timing the application of security patches for optimal uptime.' One thing we didn't talk a lot about was the cost of applying patches, which we explicitly set to 0. That's wrong, and ignores the reality that there are patches that don't matter enough to apply. But it made modelling easier. :)
Posted by: Adam Shostack at January 27, 2005 01:10 PM