Instead, the main advantage of adopting an open source, or at least an off-the-shelf, component is that the number of resources searching for a vulnerability may become much larger than the pool managed by the defender. In fact, the search for vulnerabilities may also involve other instances of the component in distinct infrastructures. As a counterpart, the number of attackers may increase as well, because other people may be interested in attacking distinct instances of the component. However, if the open source component is widely adopted, the defender is fairly sure that, independently of the strategy used to allocate his/her resources, all the vulnerabilities in all the components will be covered, because other people are searching for them. Hence, it is highly unlikely that very few defenders are searching for a vulnerability, and the dangerous case considered at the end of Sect. 3.1, where few defender resources are allocated to a vulnerability, will not arise. We stress that an open source component cannot guarantee by itself the existence of a larger pool of resources for either the attacker or the defender, because the sizes of these pools depend upon the adoption of the component in distinct systems, i.e. being open source is a necessary but not sufficient condition for larger pools of resources.
When adopting an off-the-shelf component, the number of resources searching for vulnerabilities may actually be so large that it is almost independent of the pools managed by, respectively, the attacker and the defender. This may be a noticeable advantage with respect to a proprietary solution whenever the number of defenders cannot be very large. Consider, as an example, a small enterprise where the defenders may also have limited skills in this very specific field. Instead, if the expected number of attackers is low and they are low skilled, the adoption of an open source component may be a disadvantage.
Since it is defined in terms of ϕ, n_a and n_d, i.e. the numbers of attackers and defenders, the 0-delay model makes it possible to compare in a quantitative way the advantages of a proprietary solution, i.e. a smaller number of attackers and defenders, against those of a widely adopted open source component, i.e. larger numbers of both attackers and defenders. Even if the values of ϕ, n_a and n_d that are used are just a rough approximation of the real ones, some general guidelines on the relative advantages of proprietary or open source components may be deduced from the mathematical framework underlying the 0-delay model.
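The comparison described above, worked through numerically as an added example; this is not code from the original text, and the model it uses is an assumption, since the page does not give the 0-delay model's definition. The assumed model is a discrete-time race: each of the n_a attacker resources and n_d defender resources independently finds the vulnerability in a given step with probability ϕ, "0-delay" is read as the defender patching immediately on discovery (so a simultaneous discovery goes to the defender), and the quantity compared is the probability that an attacker finds the vulnerability before any defender does. The function and scenario names are the example's own. It shows the two outcomes the text describes: wide adoption (large n_a and n_d) favouring the defender, adoption that adds more attackers than defenders being a disadvantage, and the marginal value of one extra in-house defender shrinking as the pools grow.

```python
"""Assumed race model for comparing proprietary vs open source components.

Per time step, every attacker and every defender resource independently finds the
vulnerability with probability phi.  The attacker "wins" only in a step where at
least one attacker finds it and no defender does (0-delay patching: a defender
discovery in the same step removes the window).  Summing over steps gives the
closed form below.  All scenario values are constructed for illustration.
"""
from dataclasses import dataclass


def attacker_wins_first(phi: float, n_a: int, n_d: int) -> float:
    """Probability an attacker discovers the vulnerability before any defender.

    P = (1 - q^n_a) * q^n_d / (1 - q^(n_a + n_d)),  q = 1 - phi.
    Derived from the geometric race: in each step the attacker wins with
    probability (1 - q^n_a) * q^n_d and nobody finds it with probability
    q^(n_a + n_d); the race continues while nobody has found it.
    """
    if not 0.0 <= phi <= 1.0:
        raise ValueError("phi must be a probability")
    if n_a < 0 or n_d < 0:
        raise ValueError("pool sizes must be non-negative")
    if phi == 0.0 or n_a == 0:
        return 0.0  # nobody (or no attacker) ever finds it
    q = 1.0 - phi
    nobody = q ** (n_a + n_d)
    return (1.0 - q ** n_a) * q ** n_d / (1.0 - nobody)


def marginal_defender_value(phi: float, n_a: int, n_d: int) -> float:
    """Reduction in attacker-first probability from adding one defender resource.

    When the external pools are large this is tiny, which is the text's point
    that the defender's own allocation hardly matters for widely adopted code.
    """
    return attacker_wins_first(phi, n_a, n_d) - attacker_wins_first(phi, n_a, n_d + 1)


@dataclass(frozen=True)
class Scenario:
    name: str
    n_a: int  # attacker resources searching this component
    n_d: int  # defender resources searching this component


def compare(phi: float, proprietary: Scenario, open_source: Scenario) -> dict:
    """Return the attacker-first probabilities and which option is safer."""
    p_prop = attacker_wins_first(phi, proprietary.n_a, proprietary.n_d)
    p_open = attacker_wins_first(phi, open_source.n_a, open_source.n_d)
    return {
        "proprietary": p_prop,
        "open_source": p_open,
        "safer": "open_source" if p_open < p_prop else "proprietary",
    }


if __name__ == "__main__":
    PHI = 0.1  # constructed per-resource, per-step discovery probability
    in_house = Scenario("proprietary (small enterprise)", n_a=2, n_d=3)
    widely_adopted = Scenario("open source, wide adoption", n_a=20, n_d=50)
    attacker_heavy = Scenario("open source, few defenders", n_a=30, n_d=8)

    for alt in (widely_adopted, attacker_heavy):
        r = compare(PHI, in_house, alt)
        print(f"{in_house.name}: P(attacker first) = {r['proprietary']:.4f}")
        print(f"{alt.name}: P(attacker first) = {r['open_source']:.4f}")
        print(f"  -> safer option: {r['safer']}")

    for s in (in_house, widely_adopted):
        print(f"{s.name}: one extra defender lowers P by "
              f"{marginal_defender_value(PHI, s.n_a, s.n_d):.5f}")
```

With ϕ = 0.1 the in-house scenario gives the attacker about a 34% chance of finding the flaw first; wide adoption with 20 attackers and 50 defenders drops that below 1%, while adoption that brings 30 attackers but only 8 defenders raises it to about 42%, the disadvantage the text warns about. The marginal value of one more in-house defender is about 0.07 in the proprietary case and under 0.001 in the widely adopted case, matching the observation that the pool sizes become almost independent of the defender's own allocation.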