Making Security Work: Vulnerability Disclosure Programs (VDPs) and the Organizational Foundations of Cybersecurity

让安全发挥作用：漏洞披露计划 (VDP) 和网络安全的组织基础

• 批准号: 2203175
• 负责人: Ryan Ellis
• 金额: $ 34.13万
• 依托单位: Northeastern University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-06-01 至 2025-05-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2203175&HistoricalAwards=false
• 关键词: Making; Security; Work; Vulnerability; Disclosure

Cybersecurity is now an organizational imperative. High-profile data breaches, ransomware attacks, and other costly exploits and attacks have made cybersecurity a priority for all manner of public and private organizations. Organizations are increasingly adopting vulnerability disclosure programs (VDPs) as a key strategy for managing and mitigating cybersecurity risk. These programs crowdsource security work—they invite independent security researchers to report newly identified software bugs. Yet, the adoption and management of these programs is rarely simple or straightforward. They can create new points of stress and complication within organization. This project examines how these programs work and, importantly, how they can be improved. Protecting digital networks, devices, and software is a key national priority. Ultimately, the research project’s insights will help organizations improve their security.While organizations have long relied on a blend of in-house information technology expertise and contracted computer services, VDPs are a different approach to harnessing expertise. This project uncovers the ongoing intra-organizational work required to integrate these new intuitional models of software review within organizations; and it assesses the ultimate effectiveness of VDPs to improve organizational cybersecurity. Specifically, the project addresses two related research questions: (i) What forms of institutional work are needed to create and sustain VDPs?; (ii) How effective are VDPs at improving security? To answer these questions, the project creates and analyzes a novel set of qualitative and quantitative data drawn from select ongoing VDPs. Collected data includes anonymized program data, administrative data, and interviews with staff associated with managing VDPs. This project provides a window into: (i) how new cybersecurity practices are adopted, maintained, and transformed by and within organizations; and (ii) the efficacy of VDPs to improve organizational cybersecurity. Answering these questions will provide insight into larger organizational dimensions of cybersecurity and the efficacy of VDPs to improve security outcomes. More broadly, in addressing these research questions, the project advances insights into the often-overlooked institutional work associated with adopting and sustaining new organizational innovations.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

网络安全现在是组织的当务之急。备受瞩目的数据泄露、勒索软件攻击以及其他代价高昂的漏洞和攻击使得网络安全成为各种公共和私人组织的首要任务。组织越来越多地采用漏洞披露计划（vdp）作为管理和减轻网络安全风险的关键策略。这些程序将安全工作众包——它们邀请独立的安全研究人员报告新发现的软件漏洞。然而，这些程序的采用和管理很少是简单或直接的。它们可以在组织内部制造新的压力点和复杂性。这个项目研究了这些程序是如何工作的，更重要的是，如何改进它们。保护数字网络、设备和软件是国家的首要任务。最终，该研究项目的见解将帮助组织提高其安全性。虽然组织长期依赖于内部信息技术专业知识和合同计算机服务的混合，但vdp是利用专业知识的一种不同方法。这个项目揭示了正在进行的组织内部工作，需要在组织内集成这些新的软件评审的直观模型；它评估了vdp在提高组织网络安全方面的最终有效性。具体而言，该项目涉及两个相关的研究问题：(i)需要何种形式的体制工作来建立和维持虚拟发展方案？（ii） vdp在改善保安方面的成效如何？为了回答这些问题，该项目创建并分析了从选择的正在进行的vdp中提取的一组新的定性和定量数据。收集的数据包括匿名程序数据、管理数据以及与管理vdp相关的工作人员的访谈。本项目为以下方面提供了一个窗口：(i)组织内部如何采用、维护和转变新的网络安全实践；以及（ii） vdp在改善组织网络安全方面的有效性。回答这些问题将有助于深入了解网络安全的更大组织维度，以及vdp在改善安全结果方面的有效性。更广泛地说，在解决这些研究问题时，该项目推进了对与采用和维持新的组织创新相关的经常被忽视的机构工作的见解。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。