Security Econometrics: The Dynamics of (In)Security

The security of information technology is effected by a wide variety of actors and processes which together make up a security ecosystem. We examine this ecosystem, consolidating many aspects of security that have hitherto been discussed only separately. We analyze the roles of the major actors and processes they participate in, the paths vulnerability data take through the ecosystem, and the impact of each of these on security risk. Based on a quantitative analysis of 27,000 vulnerabilities disclosed over the past decade we quantify the systematic gap between exploit and patch availability. We provide the first examination of the impact and the risks associated with this gap on the ecosystem as a whole. Our analysis provides a metric for the success of the "responsible disclosure" process. We measure the prevalence of the commercial markets for vulnerability information and highlight the role of security information providers (SIP), which function as the "free press" of the ecosystem.