The impact of regulatory mechanisms on vulnerability disclosure behavior during crowdsourcing cybersecurity testing
Published: 2023
Volume: 20
Issue: 11
Pages: 19012-19039
ISSN: 1551-0018
Container title: Mathematical Biosciences and Engineering
Short container title: MBE
Authors: Zhao Liurong, Yu Xiaoxi, Zhou Xinyu
Abstract
There are various regulatory mechanisms to coordinate vulnerability disclosure behaviors during crowdsourcing cybersecurity testing. However, when regulatory effectiveness is unclear, enterprises cannot obtain sufficient vulnerability information, third-party crowdsourcing cybersecurity testing platforms fail to provide trusted services, and the government lacks strong credibility. We construct a tripartite evolutionary game model to analyze the evolutionary process toward the equilibrium {legal disclosure, active operation, strict regulation}, and the paper reveals the impact of three regulatory mechanisms. We find that these participants' positive behaviors are in a stable state. Higher initial willingness accelerates the speed at which the system reaches evolutionary stability, and this equilibrium holds only if the governmental regulatory benefits are sufficiently high. Regarding the punishment mechanism, increased punishment for enterprises causes them to adopt positive behaviors faster, while the opposite occurs for platforms; increased punishment for platforms drives both participants to adopt positive behaviors faster. Concerning the subsidy mechanism, increased subsidy to enterprises causes them to adopt legal disclosure behaviors faster, while platforms remain unresponsive; increased subsidy to platforms motivates both players to choose their own positive behaviors. In terms of the collaborative disclosure mechanism, excessive collaborative costs reduce the platforms' willingness to operate actively, which in turn decreases the enterprises' incentives to disclose vulnerabilities legally. These findings guide the government in establishing suitable mechanisms to regulate the participants' behavior and promote the healthy development of the cybersecurity crowdsourcing industry.
Publisher
American Institute of Mathematical Sciences (AIMS)
Subject
Applied Mathematics, Computational Mathematics, General Agricultural and Biological Sciences, Modeling and Simulation, General Medicine