Standard

Make notifications great again: learning how to notify in the age of large-scale vulnerability scanning. / Cetin, F.O.; Ganán, Carlos; Korczynski, Maciej; van Eeten, Michel.

16th Workshop on the Economics of Information Security (WEIS 2017). 2017. p. 1-23.

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

Harvard

Cetin, FO, Ganán, C, Korczynski, M & van Eeten, M 2017, Make notifications great again: learning how to notify in the age of large-scale vulnerability scanning. in 16th Workshop on the Economics of Information Security (WEIS 2017). pp. 1-23, WEIS 2017, San Diego, United States, 26/06/17.

APA

Cetin, F. O., Ganán, C., Korczynski, M., & van Eeten, M. (2017). Make notifications great again: learning how to notify in the age of large-scale vulnerability scanning. In 16th Workshop on the Economics of Information Security (WEIS 2017) (pp. 1-23)

Vancouver

Cetin FO, Ganán C, Korczynski M, van Eeten M. Make notifications great again: learning how to notify in the age of large-scale vulnerability scanning. In 16th Workshop on the Economics of Information Security (WEIS 2017). 2017. p. 1-23

Author

Cetin, F.O. ; Ganán, Carlos ; Korczynski, Maciej ; van Eeten, Michel. / Make notifications great again: learning how to notify in the age of large-scale vulnerability scanning. 16th Workshop on the Economics of Information Security (WEIS 2017). 2017. pp. 1-23

BibTeX

@inproceedings{621f4a4fe5d94f04abc446252f9db3db,
title = "Make notifications great again: learning how to notify in the age of large-scale vulnerability scanning",
abstract = "As large-scale vulnerability detection becomes more feasible, it also increases the urgency to find effective large-scale notification mechanisms to inform the affected parties. Researchers, CERTs, security companies and other organizations with vulnerability data have a variety of options to identify, contact and communicate with the actors responsible for the affected system or service. A lot of things can – and do – go wrong. It might be impossible to identify the appropriate recipient of the notification, the message might not be trusted by the recipient, it might be overlooked or ignored or misunderstood. Such problems multiply as the volume of notifications increases. In this paper, we undertake several large-scale notification campaigns for a vulnerable configuration of authoritative nameservers. We investigate three issues: What is the most effective way to reach the affected parties? What communication path mobilizes the strongest incentive for remediation? And finally, what is the impact of providing recipients a mechanism to actively demonstrate the vulnerability for their own system, rather than sending them the standard static notification message. We find that retrieving contact information at scale is highly problematic, though there are different degrees of failure for different mechanisms. For those parties who are reached, notification significantly increases remediation rates. Reaching out to nameserver operators directly had better results than going via their customers, the domain owners. While the latter, in principle, have a stronger incentive to care and their request for remediation would trigger the commercial incentive of the operator to keep its customers happy, this communication path turned out to have slightly worse remediation rates. Finally, we find no evidence that vulnerability demonstrations did better than static messages. In fact, few recipients engaged with the demonstration website.",
author = "F.O. Cetin and Carlos Gan{\'a}n and Maciej Korczynski and {van Eeten}, Michel",
note = "Accepted Author Manuscript; WEIS 2017 ; Conference date: 26-06-2017 Through 27-06-2017",
year = "2017",
language = "English",
pages = "1--23",
booktitle = "16th Workshop on the Economics of Information Security (WEIS 2017)",

}

RIS

TY - GEN

T1 - Make notifications great again: learning how to notify in the age of large-scale vulnerability scanning

AU - Cetin, F.O.

AU - Ganán, Carlos

AU - Korczynski, Maciej

AU - van Eeten, Michel

N1 - Accepted Author Manuscript

PY - 2017

Y1 - 2017

N2 - As large-scale vulnerability detection becomes more feasible, it also increases the urgency to find effective large-scale notification mechanisms to inform the affected parties. Researchers, CERTs, security companies and other organizations with vulnerability data have a variety of options to identify, contact and communicate with the actors responsible for the affected system or service. A lot of things can – and do – go wrong. It might be impossible to identify the appropriate recipient of the notification, the message might not be trusted by the recipient, it might be overlooked or ignored or misunderstood. Such problems multiply as the volume of notifications increases. In this paper, we undertake several large-scale notification campaigns for a vulnerable configuration of authoritative nameservers. We investigate three issues: What is the most effective way to reach the affected parties? What communication path mobilizes the strongest incentive for remediation? And finally, what is the impact of providing recipients a mechanism to actively demonstrate the vulnerability for their own system, rather than sending them the standard static notification message. We find that retrieving contact information at scale is highly problematic, though there are different degrees of failure for different mechanisms. For those parties who are reached, notification significantly increases remediation rates. Reaching out to nameserver operators directly had better results than going via their customers, the domain owners. While the latter, in principle, have a stronger incentive to care and their request for remediation would trigger the commercial incentive of the operator to keep its customers happy, this communication path turned out to have slightly worse remediation rates. Finally, we find no evidence that vulnerability demonstrations did better than static messages. In fact, few recipients engaged with the demonstration website.

AB - As large-scale vulnerability detection becomes more feasible, it also increases the urgency to find effective large-scale notification mechanisms to inform the affected parties. Researchers, CERTs, security companies and other organizations with vulnerability data have a variety of options to identify, contact and communicate with the actors responsible for the affected system or service. A lot of things can – and do – go wrong. It might be impossible to identify the appropriate recipient of the notification, the message might not be trusted by the recipient, it might be overlooked or ignored or misunderstood. Such problems multiply as the volume of notifications increases. In this paper, we undertake several large-scale notification campaigns for a vulnerable configuration of authoritative nameservers. We investigate three issues: What is the most effective way to reach the affected parties? What communication path mobilizes the strongest incentive for remediation? And finally, what is the impact of providing recipients a mechanism to actively demonstrate the vulnerability for their own system, rather than sending them the standard static notification message. We find that retrieving contact information at scale is highly problematic, though there are different degrees of failure for different mechanisms. For those parties who are reached, notification significantly increases remediation rates. Reaching out to nameserver operators directly had better results than going via their customers, the domain owners. While the latter, in principle, have a stronger incentive to care and their request for remediation would trigger the commercial incentive of the operator to keep its customers happy, this communication path turned out to have slightly worse remediation rates. Finally, we find no evidence that vulnerability demonstrations did better than static messages. In fact, few recipients engaged with the demonstration website.

M3 - Conference contribution

SP - 1

EP - 23

BT - 16th Workshop on the Economics of Information Security (WEIS 2017)

T2 - WEIS 2017

Y2 - 26 June 2017 through 27 June 2017

ER -

ID: 40692120