Making Security Work: Vulnerability Disclosure Programs (VDPs) and the Organizational Foundations of Cybersecurity
Northeastern University, Boston MA
Investigators
Abstract
Cybersecurity is now an organizational imperative. High-profile data breaches, ransomware attacks, and other costly exploits and attacks have made cybersecurity a priority for all manner of public and private organizations. Organizations are increasingly adopting vulnerability disclosure programs (VDPs) as a key strategy for managing and mitigating cybersecurity risk. These programs crowdsource security work—they invite independent security researchers to report newly identified software bugs. Yet, the adoption and management of these programs is rarely simple or straightforward. They can create new points of stress and complication within organization. This project examines how these programs work and, importantly, how they can be improved. Protecting digital networks, devices, and software is a key national priority. Ultimately, the research project’s insights will help organizations improve their security. While organizations have long relied on a blend of in-house information technology expertise and contracted computer services, VDPs are a different approach to harnessing expertise. This project uncovers the ongoing intra-organizational work required to integrate these new intuitional models of software review within organizations; and it assesses the ultimate effectiveness of VDPs to improve organizational cybersecurity. Specifically, the project addresses two related research questions: (i) What forms of institutional work are needed to create and sustain VDPs?; (ii) How effective are VDPs at improving security? To answer these questions, the project creates and analyzes a novel set of qualitative and quantitative data drawn from select ongoing VDPs. Collected data includes anonymized program data, administrative data, and interviews with staff associated with managing VDPs. This project provides a window into: (i) how new cybersecurity practices are adopted, maintained, and transformed by and within organizations; and (ii) the efficacy of VDPs to improve organizational cybersecurity. Answering these questions will provide insight into larger organizational dimensions of cybersecurity and the efficacy of VDPs to improve security outcomes. More broadly, in addressing these research questions, the project advances insights into the often-overlooked institutional work associated with adopting and sustaining new organizational innovations. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
View original record on NSF Award Search →