Sharing of vulnerability information among companies: a survey of Swedish companies
RISE - Research Institutes of Sweden, ICT, SICS. ORCID iD: 0000-0002-2933-1925
Lund University, Sweden.
Lund University, Sweden.
RISE - Research Institutes of Sweden, ICT, SICS. ORCID iD: 0000-0003-2017-7914
2019 (English) Conference paper, Published paper (Refereed)
Abstract [en]

Software products are rarely developed from scratch and vulnerabilities in such products might reside in parts that are either open source software or provided by another organization. Hence, the total cybersecurity of a product often depends on cooperation, explicit or implicit, between several organizations. We study the attitudes and practices of companies in software ecosystems towards sharing vulnerability information. Furthermore, we compare these practices to contemporary cybersecurity recommendations. This is performed through a questionnaire-based qualitative survey. The questionnaire is divided into two parts: the providers' perspective and the acquirers' perspective. The results show that companies are willing to share information with each other regarding vulnerabilities. Sharing is not considered to be harmful to either their cybersecurity or their business, even though a majority of the respondents consider vulnerability information sensitive. However, the companies, despite being open to sharing, are less inclined to proactively share vulnerability information. Furthermore, the providers do not perceive that there is a large interest in vulnerability information from their customers. Hence, the companies' overall attitude to sharing vulnerability information is passive but open. In contrast, contemporary cybersecurity guidelines recommend active disclosure and sharing among actors in an ecosystem.

Place, publisher, year, edition, pages
2019.
National Category
Engineering and Technology
Identifiers
URN: urn:nbn:se:ri:diva-40577
OAI: oai:DiVA.org:ri-40577
DiVA, id: diva2:1362932
Conference
Euromicro Conference on Software Engineering and Advanced Applications 2019, August 28-30, 2019, Kallithea, Chalkidiki, Greece
Available from: 2019-10-22 Created: 2019-10-22 Last updated: 2019-12-04 Bibliographically approved

Open Access in DiVA

No full text in DiVA

Authority records

Olsson, Thomas; Franke, Ulrik; Borg, Markus
