Organizations security management in different problem domains: Empirical Evidence and game-theoretic modeling
- Author
- Farhang, Sadegh
- Published
- [University Park, Pennsylvania] : Pennsylvania State University, 2021.
- Physical Description
- 1 electronic document
- Additional Creators
- Liu, Peng
- Access Online
- etda.libraries.psu.edu
- Restrictions on Access
- Open Access.
- Summary
- Security patch updates and operating system upgrades play a pivotal role in enhancing software performance, and they are a critical component of resolving software bugs and patching security issues. However, both consumers and organizations often do not follow best practices for security updates and operating system upgrades. Therefore, it is essential to better understand the reasons why consumers and organizations do not follow best practices and how we can improve security practices in organizations. In this dissertation, we present three different studies on how consumers and organizations manage their security updates and operating system upgrades. First, we discuss how an organization should manage its security in the presence of the business need for new innovations and product versioning over time. In particular, with the help of a comprehensive survey study, we aim to investigate user upgrade practices with respect to different versions of the Microsoft operating system. A critical focus of our work is to better understand the impact and optimal management of end-of-life policies (i.e., when software support officially ends) and how organizations should deliver new innovations to consumers. Second, we perform a comprehensive study of 3,171 Android-related vulnerabilities and study to which degree they are reflected in the Android security bulletin, as well as in the security bulletins of three leading vendors: Samsung, LG, and Huawei. In our analysis, we focus on the metadata of these security bulletins (e.g., timing, affected layers, severity, and CWE data) to better understand the similarities and differences among vendors. We find that (i) the studied vendors in the Android ecosystem have adopted different structures for vulnerability reporting, (ii) vendors are less likely to react with delay for CVEs with Android Git repository references, and (iii) vendors handle Qualcomm-related CVEs differently from the rest of the external-layer CVEs. In the third study, we model the competition of different vendors in the Android ecosystem and how it affects security. In particular, we show how vendors are incentivized to differentiate their products from the default Android Open Source Project (AOSP) and from each other, and how prices are shaped through this differentiation process. We further demonstrate the lack of incentives to invest in security when consumers do not have the ability to evaluate the security properties of the software bundles on their purchased devices. We also model the impact of a regulator-imposed fine to incentivize vendors to conduct appropriate security investments.
- Dissertation Note
- Ph.D. Pennsylvania State University 2021.
- Reproduction Note
- Microfilm (positive). 1 reel ; 35 mm. (University Microfilms 28841726)
- Technical Details
- The full text of the dissertation is available as an Adobe Acrobat .pdf file ; Adobe Acrobat Reader required to view the file.