How to Make My Bug Bounty Cost-Effective? A Game-Theoretical Model

IF 5 | Tier 3 (Management) | Q1 INFORMATION SCIENCE & LIBRARY SCIENCE
Leting Zhang, Emre M. Demirezen, Subodha Kumar
Journal: Information Systems Research
DOI: 10.1287/isre.2021.0349 (https://doi.org/10.1287/isre.2021.0349)
Publication date: 2024-09-03
Publication type: Journal Article
Open access: no
Record source: Semantic Scholar
Citation count: 0

Abstract

How to Make My Bug Bounty Cost-Effective? A Game-Theoretical Model
A bug bounty program (BBP) is an innovative crowdsourcing security solution increasingly adopted by organizations. We use a game-theoretical model to analyze how key characteristics impact BBPs and offer practical insights into managing a BBP as part of an organization’s vulnerability management for better cost-effectiveness. Our findings indicate that organizations with high patching complexity should announce lower bounties, especially if they face limited security resources. BBPs should complement, not substitute, an organization’s security characteristics. Evaluating patching complexity and security posture is crucial when designing a BBP. Furthermore, security researchers drive BBP performance. Higher productivity in researchers doesn’t always require higher bounties even with high postdiscovery costs. Novice productivity can increase total costs if unit postdiscovery costs are high, whereas expert productivity consistently reduces costs. Organizations should disclose high-level product and information technology (IT) features to increase expert productivity. The number of security researchers in a BBP is important, but increasing their numbers doesn’t always necessitate higher bounties. A larger crowd may not always be cost-effective. Lastly, enhanced legal protection for security researchers might not increase organizational risks, especially in organizations with robust security or less sophisticated IT infrastructure. Industrial associations and policymakers should consider these factors in standards and legal frameworks.
Source journal

CiteScore: 9.10
Self-citation rate: 8.20%
Articles published: 120

About the journal: ISR (Information Systems Research) is a journal of INFORMS, the Institute for Operations Research and the Management Sciences. Information Systems Research is a leading international journal of theory, research, and intellectual development, focused on information systems in organizations, institutions, the economy, and society.