Journal 13

Prompt: A later module addresses cybersecurity policy through a social science framework. At this point, attention can be drawn to one type of policy, known as bug bounty policies. These policies pay individuals for identifying vulnerabilities in a company’s cyber infrastructure. To identify the vulnerabilities, ethical hackers are invited to try to explore the cyber infrastructure using their penetration testing skills. The policies relate to economics in that they are based on cost/benefit principles. Read this article and write a summary reaction to the use of the policies in your journal. Focus primarily on the literature review and the discussion of the findings.


I do not fully agree with Sridhar and Ng’s statement that small and medium enterprises (SMEs) need cybersecurity professionals the most. While this may be true currently because of the cybersecurity labor shortage, if SMEs employed most of the cybersecurity workforce, it would make large companies with lots of resources easy and lucrative targets. As a result, most cybercriminals would then focus on large businesses. Both large and small companies are equally in need of talented cybersecurity professionals and should be adequately staffed based on their relative size and attractiveness as targets.

I like Sridhar and Ng’s idea of using bug bounties to diversify cybersecurity strategies by offering them in addition to full-time cybersecurity professionals. While offering bug bounties invites more attention to a network, cybercriminals are likely already poking around said network or eventually will. As a result, compensating those who alert a business of vulnerabilities without exploiting them likely does not add significant additional risk because hackers who would have exploited such vulnerabilities probably had no interest in reporting them in the first place.

It is particularly interesting that the research found that many hackers, especially those who are new or less experienced, are less likely to care about the monetary reward and more concerned about the potential to boost their reputations and gain experience. This seems to correlate with the competitiveness of cybersecurity jobs in general, but specifically entry-level ones, stemming from many employers valuing experience above all else. As a result, I can see implementing bug bounties being beneficial for businesses and for those trying to land a full-time cybersecurity career. Bug bounty programs allow up-and-coming cybersecurity professionals to gain valuable experience and compensation while allowing businesses to save on expenses by only needing to compensate those actively contributing to their cybersecurity posture by reporting legitimate security vulnerabilities.
