“To report or not to report? Extending Protection Motivation Theory to Vulnerability Discovery and Disclosure” accepted for publication at Computers & Security


I’ve been working with Amy Woszczynski and DJ Oliver on a study that is near and dear to my heart due to my personal experiences in the area of interest. This week, we were informed that our study had been accepted for publication in “Computers & Security,” an A-level journal on the Australian Business Deans Journal list. You can see the pre-print version of the study at https://doi.org/10.1016/j.cose.2024.103880

Vulnerability researchers are a class of people who look for weaknesses in software, hardware, or systems to alert organizations that may be vulnerable to the issues found. Unlike cybercriminals who seek to take advantage of these weaknesses, vulnerability researchers engage in these activities to be helpful.

Currently, vulnerability researchers face an uphill struggle when trying to report problems they discover. For example, who does a vulnerability researcher contact at an organization when they find a problem? Reporting is also a risky proposition. There are numerous reported instances of organizations pursuing criminal charges or civil action against researchers, resulting in arrests, indictments, trials, and civil lawsuits.

One possible solution to address this issue is for an organization to publish a vulnerability disclosure policy (VDP). A typical VDP tells researchers which systems are in scope for examination and whom to report findings to, and explicitly states that researchers who follow the VDP will not face repercussions for reporting. Unfortunately, many organizations either have badly constructed VDPs or don’t have one at all.

Given the current climate, our research team wanted to examine the decision-making processes that vulnerability researchers undertake when faced with reporting in both VDP and non-VDP situations. To do this, we extended Protection Motivation Theory (PMT) to a novel context to help us study the problem. PMT has been used in prior security research to help understand how employees respond to fear-based appeals to engage in behaviors the organization wants from them, such as backing up data, using strong passwords, and so forth.

In our context, vulnerability researchers do not work for the organization and would not be susceptible to the same types of fear appeals that organizations use on their employees. While employees are generally susceptible to fear-based appeals, we theorized that vulnerability researchers would not be. We created a survey instrument and sent it out to active vulnerability researchers to collect the data we needed to dig into the problem.

Our analysis showed that organizations should reduce researchers’ fear perceptions and consider adaptive rewards for researchers in order to encourage reporting. We suggested that organizations could do these things by having a well-written VDP that clearly outlines system scope and reporting processes. Additionally, we suggested that the VDP include a clearly written “safe harbor” section that defines good-faith reporting and assures researchers that the organization will not seek to have them arrested or sued civilly for reporting.

This was a fun project, filled with challenges and frustrations along the way. We started work more than a year ago, and it’s nice to finally have it concluded and landed at a top-level journal. I’m especially grateful to have been a part of this team. Amy is a trusted mentor and longtime research partner, and I’m fortunate to be able to learn from her. I’ve known DJ since his time in our Ph.D. program at KSU, and he’s simply a good person and fun to work with and be around. I couldn’t ask for a better group to work with, and I’m lucky to be part of their team!