A later module addresses cybersecurity policy through a social science framework. At this point, attention can be drawn to one type of policy, known as bug bounty policies. These policies pay individuals for identifying vulnerabilities in a company's cyber infrastructure. To identify the vulnerabilities, ethical hackers are invited to explore the cyber infrastructure using their penetration testing skills. The policies relate to economics in that they are based on cost/benefit principles. Read this article, and write a summary reaction to the use of the policies in your journal. Focus primarily on the literature review and the discussion of the findings.
To summarize the key findings and discussion:
The estimated price elasticity of hackers is between 0.1 and 0.2, which indicates price inelasticity; hackers tend to be influenced by non-monetary factors, whether to gain experience, for fun, or even for revenge (as mentioned in past modules regarding hacker motivations beyond money/pay).
Findings of the 2SLS regression analysis conveyed that for any size company, bug bounties will be effective. Moreover, findings conveyed that the size of the company does not matter when it comes to the information learned from bug bounties.
Findings of the 2SLS regression analysis also conveyed that bug bounties tend to produce fewer reports for companies in the retail, financial, and medical industries, in that order, because of opportunity costs. For additional context, companies in these industries are more proactive about protecting data, which makes any malicious activity more difficult.
There was no evidence to suggest that new programs affect the number of reports received by companies; but there was evidence to suggest that if programs do not increase their bounties as they mature, then those programs will receive fewer reports over time.
Lastly, the 2SLS regression analysis indicates that a multitude of external factors between programs, such as revenue and brand profile, result in variation in bug bounty reports, and that unidentified variables (scope and bug severity) could account for some of the variation.