IDEAS home Printed from https://ideas.repec.org/a/inm/orisre/v26y2015i3p565-584.html
   My bibliography  Save this article

Information Disclosure and the Diffusion of Information Security Attacks

Author

Listed:
  • Sabyasachi Mitra

    (Georgia Institute of Technology, Atlanta, Georgia 30332)

  • Sam Ransbotham

    (Boston College, Chestnut Hill, Massachusetts 02467)

Abstract

With the nearly instantaneous dissemination of information in the modern era, policies regarding the disclosure of sensitive information have become the focus of significant discussion in several contexts. The fundamental debate centers on trade-offs inherent in disclosing information that society needs, but that can also be used for nefarious purposes. Using information security as a research context, our empirical study examines the adoption of software vulnerabilities by a population of attackers. We compare attacks based on software vulnerabilities disclosed through full-disclosure and limited-disclosure mechanisms. We find that full disclosure accelerates the diffusion of attacks, increases the penetration of attacks within the target population, and increases the risk of first attack after the vulnerability is reported. Interestingly, the effect of full disclosure is greater during periods when there are more overall vulnerabilities reported, indicating that attackers may strategically focus on busy periods when the effort of security professionals is spread across many vulnerabilities. Although the aggregate volume of attacks remains unaffected by full disclosure, attacks occur earlier in the life cycle of the vulnerability. Building off our theoretical insights, we discuss the implications of our findings in more general contexts.

Suggested Citation

  • Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    • Handle: RePEc:inm:orisre:v:26:y:2015:i:3:p:565-584
    DOI: 10.1287/isre.2015.0587
    as

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/isre.2015.0587
    Download Restriction: no
    File URL: https://libkey.io/10.1287/isre.2015.0587?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Hasan Cavusoglu & Huseyin Cavusoglu & Jun Zhang, 2008. "Security Patch Management: Share the Burden or Share the Damage?," Management Science, INFORMS, vol. 54(4), pages 657-670, April.
    2. Bessen, James, 2005. "Patents and the diffusion of technical information," Economics Letters, Elsevier, vol. 86(1), pages 121-128, January.
    3. Partha Dasgupta & Joseph Stiglitz, 1980. "Uncertainty, Industrial Structure, and the Speed of R&D," Bell Journal of Economics, The RAND Corporation, vol. 11(1), pages 1-28, Spring.
    4. Huseyin Cavusoglu & Birendra Mishra & Srinivasan Raghunathan, 2005. "The Value of Intrusion Detection Systems in Information Technology Security Architecture," Information Systems Research, INFORMS, vol. 16(1), pages 28-46, March.
    5. Iacus, Stefano & King, Gary & Porro, Giuseppe, 2009. "cem: Software for Coarsened Exact Matching," Journal of Statistical Software, Foundation for Open Access Statistics, vol. 30(i09).
    6. Frank M. Bass, 1969. "A New Product Growth for Model Consumer Durables," Management Science, INFORMS, vol. 15(5), pages 215-227, January.
    7. Madhavan Parthasarathy & Anol Bhattacherjee, 1998. "Understanding Post-Adoption Behavior in the Context of Online Services," Information Systems Research, INFORMS, vol. 9(4), pages 362-379, December.
    8. Christophe Van den Bulte & Yogesh V. Joshi, 2007. "New Product Diffusion with Influentials and Imitators," Marketing Science, INFORMS, vol. 26(3), pages 400-421, 05-06.
    9. Ashish Arora & Rahul Telang & Hao Xu, 2008. "Optimal Policy for Software Vulnerability Disclosure," Management Science, INFORMS, vol. 54(4), pages 642-656, April.
    10. David J. Teece, 2007. "Explicating dynamic capabilities: the nature and microfoundations of (sustainable) enterprise performance," Strategic Management Journal, Wiley Blackwell, vol. 28(13), pages 1319-1350, December.
    11. Ashish Arora & Ramayya Krishnan & Rahul Telang & Yubao Yang, 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure," Information Systems Research, INFORMS, vol. 21(1), pages 115-132, March.
    12. Christophe Van den Bulte & Stefan Stremersch, 2004. "Social Contagion and Income Heterogeneity in New Product Diffusion: A Meta-Analytic Test," Marketing Science, INFORMS, vol. 23(4), pages 530-544, July.
    13. Matthew Blackwell & Stefano Iacus & Gary King & Giuseppe Porro, 2009. "cem: Coarsened exact matching in Stata," Stata Journal, StataCorp LP, vol. 9(4), pages 524-546, December.
    14. Christopher Harris & John Vickers, 1985. "Perfect Equilibrium in a Model of a Race," The Review of Economic Studies, Review of Economic Studies Ltd, vol. 52(2), pages 193-209.
    15. Terrence August & Tunay I. Tunca, 2008. "Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions," Information Systems Research, INFORMS, vol. 19(1), pages 48-70, March.
    16. Bloch, Francis & Markowitz, Paul, 1996. "Optimal disclosure delay in multistage R&D competition," International Journal of Industrial Organization, Elsevier, vol. 14(2), pages 159-179.
    17. Teck-Hua Ho & Sergei Savin & Christian Terwiesch, 2002. "Managing Demand and Sales Dynamics in New Product Diffusion Under Supply Constraint," Management Science, INFORMS, vol. 48(2), pages 187-206, February.
    18. Kathleen M. Eisenhardt & Jeffrey A. Martin, 2000. "Dynamic capabilities: what are they?," Strategic Management Journal, Wiley Blackwell, vol. 21(10‐11), pages 1105-1121, October.
    19. Randolph B. Cooper & Robert W. Zmud, 1990. "Information Technology Implementation Research: A Technological Diffusion Approach," Management Science, INFORMS, vol. 36(2), pages 123-139, February.
    20. Kevin Zheng Zhou & Fang Wu, 2010. "Technological capability, strategic flexibility, and product innovation," Strategic Management Journal, Wiley Blackwell, vol. 31(5), pages 547-561, May.
    21. Fudenberg, Drew & Gilbert, Richard & Stiglitz, Joseph & Tirole, Jean, 1983. "Preemption, leapfrogging and competition in patent races," European Economic Review, Elsevier, vol. 22(1), pages 3-31, June.
    22. Sam Ransbotham & Sabyasachi Mitra, 2009. "Choice and Chance: A Conceptual Model of Paths to Information Security Compromise," Information Systems Research, INFORMS, vol. 20(1), pages 121-139, March.
    23. Karthik Kannan & Rahul Telang, 2005. "Market for Software Vulnerabilities? Think Again," Management Science, INFORMS, vol. 51(5), pages 726-740, May.
    24. Carmen Matutes & Pierre Regibeau & Katharine Rockett, 1996. "Optimal Patent Design and the Diffusion of Innovations," RAND Journal of Economics, The RAND Corporation, vol. 27(1), pages 60-83, Spring.
    25. David J. Teece, 1980. "The Diffusion of an Administrative Innovation," Management Science, INFORMS, vol. 26(5), pages 464-470, May.
    26. Jason Owen-Smith & Walter W. Powell, 2004. "Knowledge Networks as Channels and Conduits: The Effects of Spillovers in the Boston Biotechnology Community," Organization Science, INFORMS, vol. 15(1), pages 5-21, February.
    27. van den Bulte, C. & Stremersch, S., 2003. "Contagion and heterogeneity in new product diffusion: An emperical test," ERIM Report Series Research in Management ERS-2003-077-MKT, Erasmus Research Institute of Management (ERIM), ERIM is the joint research institute of the Rotterdam School of Management, Erasmus University and the Erasmus School of Economics (ESE) at Erasmus University Rotterdam.
    28. Baker, Scott & Mezzetti, Claudio, 2005. "Disclosure as a Strategy in the Patent Race," Journal of Law and Economics, University of Chicago Press, vol. 48(1), pages 173-194, April.
    29. Klaus Kultti & Tuomas Takalo & Juuso Toikka, 2006. "Simultaneous Model of Innovation, Secrecy, and Patent Policy," American Economic Review, American Economic Association, vol. 96(2), pages 82-86, May.
    30. Vijay Mookerjee & Radha Mookerjee & Alain Bensoussan & Wei T. Yue, 2011. "When Hackers Talk: Managing Information Security Under Variable Attack Rates and Knowledge Dissemination," Information Systems Research, INFORMS, vol. 22(3), pages 606-623, September.
    31. John D'Arcy & Anat Hovav & Dennis Galletta, 2009. "User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research, INFORMS, vol. 20(1), pages 79-98, March.
    32. Rosemarie Ham Ziedonis, 2004. "Don't Fence Me In: Fragmented Markets for Technology and the Patent Acquisition Strategies of Firms," Management Science, INFORMS, vol. 50(6), pages 804-820, June.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Sylvie Héroux & Anne Fortin, 2024. "Board of directors’ attributes and aspects of cybersecurity disclosure," Journal of Management & Governance, Springer;Accademia Italiana di Economia Aziendale (AIDEA), vol. 28(2), pages 359-404, June.
    2. Jens Foerderer & Sebastian W. Schuetz, 2022. "Data Breach Announcements and Stock Market Reactions: A Matter of Timing?," Management Science, INFORMS, vol. 68(10), pages 7298-7322, October.
    3. Yu-Kai Lin & Arun Rai & Yukun Yang, 2022. "Information Control for Creator Brand Management in Subscription-Based Crowdfunding," Information Systems Research, INFORMS, vol. 33(3), pages 846-866, September.
    4. Hui, Kai-Lung & Zhou, Jiali, 2020. "The Economics of Hacking," MPRA Paper 102706, University Library of Munich, Germany.
    5. Jacob Haislip & Jee-Hae Lim & Robert Pinsker, 2021. "The Impact of Executives’ IT Expertise on Reported Data Security Breaches," Information Systems Research, INFORMS, vol. 32(2), pages 318-334, June.
    6. Sylvie Héroux & Anne Fortin, 2020. "Cybersecurity Disclosure by the Companies on the S&P/TSX 60 Index," Accounting Perspectives, John Wiley & Sons, vol. 19(2), pages 73-100, June.
    7. Zan Zhang & Guofang Nan & Yong Tan, 2020. "Cloud Services vs. On-Premises Software: Competition Under Security Risk and Product Customization," Information Systems Research, INFORMS, vol. 31(3), pages 848-864, September.
    8. Arunabha Mukhopadhyay & Samir Chatterjee & Kallol K. Bagchi & Peteer J. Kirs & Girja K. Shukla, 2019. "Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance," Information Systems Frontiers, Springer, vol. 21(5), pages 997-1018, October.
    9. Bertschek, Irene & Briglauer, Wolfgang & Hüschelrath, Kai & Krämer, Jan & Frübing, Stefan & Kesler, Reinhold & Saam, Marianne, 2016. "Metastudie zum Fachdialog Ordnungsrahmen für die Digitale Wirtschaft: Im Auftrag des Bundesministeriums für Wirtschaft und Energie (BMWi)," ZEW Expertises, ZEW - Leibniz Centre for European Economic Research, number 147040.
    10. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    11. Ng, Irene C.L. & Wakenshaw, Susan Y.L., 2017. "The Internet-of-Things: Review and research directions," International Journal of Research in Marketing, Elsevier, vol. 34(1), pages 3-21.
    12. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Carol Hsu & Jae-Nam Lee & Detmar W. Straub, 2012. "Institutional Influences on Information Systems Security Innovations," Information Systems Research, INFORMS, vol. 23(3-part-2), pages 918-939, September.
    2. Peters, Kay & Albers, Sönke & Kumar, V., 2008. "Is there more to international Diffusion than Culture? An investigation on the Role of Marketing and Industry Variables," EconStor Preprints 27678, ZBW - Leibniz Information Centre for Economics.
    3. Sang-Gun Lee & Eui-bang Lee & Chang-Gyu Yang, 2014. "Strategies for ICT product diffusion: the case of the Korean mobile communications market," Service Business, Springer;Pan-Pacific Business Association, vol. 8(1), pages 65-81, March.
    4. Jing Wang & Anocha Aribarg & Yves F. Atchadé, 2013. "Modeling Choice Interdependence in a Social Network," Marketing Science, INFORMS, vol. 32(6), pages 977-997, November.
    5. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    6. Terrence August & Marius Florin Niculescu, 2013. "The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing," Management Science, INFORMS, vol. 59(12), pages 2702-2726, December.
    7. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    8. Debabrata Dey & Abhijeet Ghoshal & Atanu Lahiri, 2022. "Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement," Management Science, INFORMS, vol. 68(4), pages 2914-2931, April.
    9. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    10. Florian Probst & Laura Grosswiele & Regina Pfleger, 2013. "Who will lead and who will follow: Identifying Influential Users in Online Social Networks," Business & Information Systems Engineering: The International Journal of WIRTSCHAFTSINFORMATIK, Springer;Gesellschaft für Informatik e.V. (GI), vol. 5(3), pages 179-193, June.
    11. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.
    12. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    13. Alain Bensoussan & Vijay Mookerjee & Wei T. Yue, 2020. "Managing Information System Security Under Continuous and Abrupt Deterioration," Production and Operations Management, Production and Operations Management Society, vol. 29(8), pages 1894-1917, August.
    14. Dosis, Anastasios & Muthoo, Abhinay, 2019. "Experimentation in Dynamic R&D Competition," CRETA Online Discussion Paper Series 52, Centre for Research in Economic Theory and its Applications CRETA.
    15. Peres, Renana & Muller, Eitan & Mahajan, Vijay, 2010. "Innovation diffusion and new product growth models: A critical review and research directions," International Journal of Research in Marketing, Elsevier, vol. 27(2), pages 91-106.
    16. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    17. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    18. Gans, Joshua S. & Murray, Fiona E. & Stern, Scott, 2017. "Contracting over the disclosure of scientific knowledge: Intellectual property and academic publication," Research Policy, Elsevier, vol. 46(4), pages 820-835.
    19. Haarhaus, Tim & Liening, Andreas, 2020. "Building dynamic capabilities to cope with environmental uncertainty: The role of strategic foresight," Technological Forecasting and Social Change, Elsevier, vol. 155(C).
    20. Nilsen, Øivind A. & Raknerud, Arvid, 2024. "Dynamics of first-time patenting firms," Research Policy, Elsevier, vol. 53(8).

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:inm:orisre:v:26:y:2015:i:3:p:565-584. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Asher (email available below). General contact details of provider: https://edirc.repec.org/data/inforea.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.