Journal Entry 13

A later module addresses cybersecurity policy through a social science framework. At this point, attention can be drawn to one type of policy, known as bug bounty policies. These policies pay individuals for identifying vulnerabilities in a company’s cyber infrastructure. To identify the vulnerabilities, ethical hackers are invited to explore the cyber infrastructure using their penetration testing skills. The policies relate to economics in that they are based on cost/benefit principles. Read this article and write a summary reaction to the use of the policies in your journal. Focus primarily on the literature review and the discussion of the findings.

https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=true


This argument goes in-depth into the economic reasons for needing some kind of bug bounty system. A bug bounty system is one in which an organization (in this article, HackerOne) runs a platform where ethical hackers can turn in vulnerabilities they find in a company’s system and get paid for reporting that vulnerability. This is beneficial for the company because it allows them to fix the vulnerability and avoid a cyber-attack. The reason companies did not initially take advantage of this is that they did not have vulnerability disclosure policies (VDPs) in place, meaning they had no clear process for receiving a vulnerability report and fixing it without being sued for knowing about a vulnerability and not sharing it properly. Now that it is required to have a VDP in place, more companies are joining bug bounty organizations.

When looking at this problem from an economic viewpoint, large companies have many different moving pieces when it comes to IT, and this introduces many possible vulnerabilities even when the organization has invested in cybersecurity measures. There is always a chance that a hole exists for hackers to get into. With a bug bounty system, hackers can report that hole and get paid for finding it. Many companies have to decide whether they would rather pay someone outside their organization for finding and reporting the vulnerability or pay for the recovery from a cyber-attack. In most cases, paying the bug bounty would cost far less than paying for cyber-attack recovery. Not only would the company have to pay employees overtime to fix the issue, but other employees could be prevented from working at all, which would reduce company production in the office and elsewhere because of how reliant the business is on technology.
