Security Economics Report at ENISA
Monday March 17, 2008 at 7:46 am CST
Posted by Karthik Raman
I came across a report entitled “Security Economics and the Internal Market,” published on the Web site of the European Network and Information Security Agency (ENISA) by Ross Anderson, Rainer Böhme, Richard Clayton, and Tyler Moore. The authors are well-known academics and security experts in Europe.
The report is a staggering 114 pages long, gives us some light reading for the weekend (no, no), and makes some important recommendations for the creation of European Union regulations informed by information-security economics. But the research behind these recommendations may have relevance in any country or region. Two recommendations of note to vulnerability research types:
- “We recommend that the EU adopt a combination of early responsible vulnerability disclosure and vendor liability for unpatched software to speed the patch-development cycle.”
- “We recommend security patches be offered for free, and that patches be kept separate from feature updates.”
Read the report for some in-depth analysis of security economics. Neat stuff indeed.
