Full Disclosure mailing list archives
New paper on theory of disclosure for security & competitive reasons
From: "Peter Swire" <peter () peterswire net>
Date: Tue, 13 Dec 2005 22:11:08 -0500
To the Full Disclosure list:

Last year I got a lot of comments from this list on a draft paper, many of which were helpful. The final version of that paper, "A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?" is at www.ssrn.com/abstracts=531782

Now the follow-up paper is ready for your (tender/helpful/snide) comments. www.ssrn.com/abstracts=842228. The current paper is called "A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government." The current version reflects comments from when I presented it at last month's ACM Conference on Computer and Communications Security.

Excerpts from the abstract:

A chief point of this paper is that the incentives for disclosure depend on two, largely independent, assessments - the degree to which disclosure helps or hurts security, and the degree to which disclosure creates advantages or disadvantages for the organization competitively. The paper presents a 2x3 matrix, where disclosure for security and competition are assessed for three types of systems or software: Open Source; proprietary software; and government systems.

The paper finds greater convergence on disclosure between Open Source and proprietary software than most commentators have believed. For instance, Open Source security experts use secrecy in "stealth firewalls" and in other ways. Open Source programmers also often rely on gaps in Open Source licenses to gain competitive advantage by keeping key information secret. Meanwhile, proprietary software often uses more disclosure than assumed. For security, large purchasers and market forces often lead to disclosure about proprietary software. For competitive reasons, proprietary software companies often disclose a great deal when seeking to become a standard in an area or for other reasons....

This research provides a general approach for determining when disclosure is societally efficient (the first paper) as well as for describing the incentives actors face to disclose or not (this paper). The actual decision of whether to disclose in a given instance will depend on assessment of the empirical magnitude of the factors set forth in the papers. The research provides, however, the first theoretical structure for assessing these issues, which are so important to the design of systems and software in our information-rich age.

-------------

I appreciate any constructive comments. I especially welcome technical insights and examples about where secrecy is used in Open Source software or where disclosure is used in proprietary software. Cites to prior, relevant literature also most welcome.

Peter

Prof. Peter P. Swire
C. William O'Neill Professor of Law
Moritz College of Law of The Ohio State University
Visiting Senior Fellow, Center for American Progress
(240) 994-4142, www.peterswire.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/