Q: A later module addresses cybersecurity policy through a social science framework. At this point, attention can be drawn to one type of policy, known as bug bounty policies. These policies pay individuals for identifying vulnerabilities in a company’s cyber infrastructure. To identify the vulnerabilities, ethical hackers are invited to try to explore the cyber infrastructure using their penetration testing skills. The policies relate to economics in that they are based on cost/benefits principles. Read this article https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=true and write a summary reaction to the use of the policies in your journal. Focus primarily on the literature review and the discussion of the findings.
A: Essentially, the article discusses a business policy called “bug bounty”, in which ethical hackers are engaged by a business to test its vulnerabilities using the same tools and techniques that a real attacker would use in a cyber attack. Currently, there’s a lot of controversy surrounding ethical hackers and the business behind them. For instance, hiring ethical hackers has a huge benefit because they use real methods to attack the organization for the sole purpose of identifying the vulnerabilities of the cyber system, creating a real-world situation that the company can use to strengthen its cybersecurity. However, the downside with individual ethical hackers is that a lot of trust must be placed in them to perform their job and respect the business’s privacy policies, since they’re still technically attacking the organization and have knowledge of its vulnerabilities and of what information is most at risk from cyber attacks. Plus, there are other factors to consider based on the situation, like private vs. public programs, how much access the hacker is allowed within the business to attempt to exploit, the reliability of the hackers, etc. From the research done, bug bounty policies seem like a good solution for knowing for sure whether your cybersecurity system is secure and how well it performs in a real attack, with the only downside coming from a few trust issues and the perception of “professional hackers” in general.