Jiang, Jian
(2021)
Vulnerabilities, Cybersecurity, and the Role of Law and Regulation herein, [Doctoral dissertation], Alma Mater Studiorum Università di Bologna.
PhD programme: European doctorate in law and economics. DOI 10.48676/unibo/amsdottorato/9998.
Full-text documents available:
PDF document (English)
Available under licence: Unless the author has granted broader permissions, the thesis may be freely consulted, and a copy may be saved and printed strictly for personal purposes of study, research and teaching; any directly or indirectly commercial use is expressly prohibited. All other rights to the material are reserved.
Download (6MB)
Abstract
Nowadays, it is not difficult to conjure up images of hacked power plants, remotely hijacked public transportation systems, and the like. By exploiting hidden vulnerabilities, hackers are plundering business secrets, stealing consumers' digital records, and trying to reshape the world inconspicuously. Most of society lacks awareness of software vulnerabilities. Software vendors seem unlikely to discuss flaws in their products publicly, and the related markets for vulnerabilities are often opaque. This thesis tries to introduce its readers to a structured discussion and analysis of software vulnerabilities vis-à-vis the challenges of cyberattacks. It focuses on an analysis of software vulnerabilities and their relevance to cybersecurity from an economic perspective, and it discusses the role of law and regulation designed to address problems of vulnerabilities and cybersecurity, using the law and economics approach.

A software vulnerability has an intrinsic value and a life cycle. There are people who search for these vulnerabilities, the bug hunters, and there are three markets for vulnerabilities: white, grey, and black. The assumption of profit maximization in traditional economics also applies to bug hunters. Moreover, this thesis finds that the white market is much more competitive than the grey or black market. Among the factors that influence the price level of a software vulnerability in the black market, the bounty price (the white market price) is particularly worthy of attention.

This thesis finds that the practice of governments retaining vulnerabilities is acceptable in the short run for the purposes of law enforcement or intelligence, given the advanced encryption and anonymization technologies used by criminals. However, in the long run, government agencies should avoid vulnerability transactions. Furthermore, government agencies should give the utmost attention to protecting their vulnerability stockpiles from being stolen.

The empirical results of this thesis show that a market failure exists, at least to some extent, in relation to vulnerabilities. There was no significant market pressure on the software vendor even when the software had been shown to be seriously risky by a severe cyberattack. Possible avenues to correct this market failure could be found in private law, administrative law, or other means of central intervention. This thesis advocates jointly using liability rules and safety regulation backed by a public (administrative) fine for the harm caused by a vulnerability. More details are provided by means of an economic model. It is a combination of torts and regulation (ex ante and ex post), in line with the suggestions made in Shavell (1984) and Faure, Visscher & Weber (2016).
Document type
Doctoral thesis
Author
Jiang, Jian
Keywords
software vulnerabilities, cybersecurity, law and regulation, law and economics
DOI
10.48676/unibo/amsdottorato/9998
Date of defence
11 November 2021