Basic Training

Ang Cui, Angelos d. KeroMytis, And sAlvAtore J. stolfo Columbia University a whole. Yet skeptics (including some security professionals) argue that short-term expenditures on such “nonessential” items as analy sis should be curtailed, and that the results of any analyses should be kept secret. The return on investment in security isn’t visible in the short term, and, therefore, detractors feel empowered to ignore the well-known long-term costs of vulnerability, which include negative effects on the value of intangible assets and goodwill. They argue that investment in security is squandering corporate assets that could be better utilized to generate strong short-run returns for shareholders. Unfortunately, corporate information security skeptics currently have a firm hold inside many enterprises. In particular, empirical data indicates that companies aren’t successfully anticipating and managing information risk. For example, in the 2008 PricewaterhouseCoopers annual information security survey of more than 7,000 respondents— comprising CEOs, CFOs, CIOs, CSOs, vice presidents, and directors of IT and information security from 119 countries—at least three of 10 respondents couldn’t answer basic questions about their organizations’ information security practices. Thirty-five percent didn’t know how many security incidents occurred in the past year; 44 percent didn’t know what types of security incidents presented the greatest threats to the company; 42 percent couldn’t identify the source of security incidents; and, finally, 67 percent said their of vulnerability research and who counts as a “vulnerability researcher” is a subject of debate in the academic and business communities. For purposes of this article, we presume that vulnerability researchers are driven by a desire to prevent information security harms and engage in responsible disclosure upon discovery of a security vulnerability.) Yet provided that these researchers and practitioners do not themselves engage in conduct that causes harm, their conduct doesn’t necessarily run afoul of ethical and legal considerations. We advocate crafting a code of conduct for vulnerability researchers and practitioners, including the implementation of procedural safeguards to ensure minimization of harm.