Printed from https://ideas.repec.org/a/plo/pone00/0304467.html

Regulatory mechanism of vulnerability disclosure behavior considering security crowd-testing: An evolutionary game analysis

Author

Listed:
  • Liurong Zhao
  • Xiaoxi Yu
  • Xinyu Zhou

Abstract

The security crowd-testing regulatory mechanism is a vital means of promoting collaborative vulnerability disclosure. However, existing regulatory mechanisms have not considered the responsibility boundaries between multiple agents or the conflicts of interest among stakeholders, which leads to their dysfunction. Unlike previous research, which studied the motivations and constraints of ethical hackers' vulnerability disclosure behavior from a legal perspective, this paper takes a managerial perspective and constructs an evolutionary game model of Security Response Centers (SRCs), security researchers, and the government in order to propose regulatory mechanisms that promote tripartite collaborative vulnerability disclosure. The results show that the higher the initial willingness of the three parties to choose the collaborative strategy, the faster the system evolves into a stable state. Regarding the government's incentive mechanism, establishing reward and punishment mechanisms based on effective thresholds is essential; it is worth noting, however, that the government has an incentive to adopt such mechanisms only if it receives sufficient regulatory benefits. To further facilitate collaborative disclosure, SRCs should establish incentive mechanisms that include punishment and trust mechanisms. Additionally, publicity and training mechanisms for security researchers should be introduced to reduce their revenue from illegal participation, which promotes the healthy development of security crowd-testing. These findings contribute to improving SRCs' service quality, guiding security researchers' legal participation, enhancing the government's regulatory effectiveness, and ultimately establishing a multi-party collaborative vulnerability disclosure system.
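As an added illustration of the method the abstract describes (this is not code from Zhao, Yu and Zhou, and their payoff matrices are not reproduced on this page), the following Python script sets up a tripartite replicator-dynamics model with the three players named in the abstract and constructed, hypothetical payoff parameters. It shows three of the abstract's qualitative points in working form: higher initial willingness shortens convergence to the all-collaborative state; that corner is evolutionarily stable because every Jacobian eigenvalue there is negative; and removing the government's fine while raising researchers' illegal revenue (a below-threshold regime) collapses legal participation. Every parameter name and value below is an assumption made for the example.

```python
"""Tripartite replicator-dynamics example: SRC / security researcher / government.

Added example, not code from Zhao, Yu and Zhou (2024). The payoff parameters are
constructed for illustration and are NOT the paper's model; only the structure
(three populations, replicator dynamics, corner-equilibrium stability via the
Jacobian) follows the standard tripartite evolutionary-game method.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Payoffs:
    # SRC side (hypothetical values)
    src_gain_from_legal: float = 2.0   # benefit per unit of legal researcher participation
    gov_reward: float = 1.0            # reward from an active government to a collaborative SRC
    src_cost: float = 1.0              # cost of running a collaborative disclosure programme
    src_penalty: float = 1.0           # fine on a non-collaborative SRC when the government regulates
    # researcher side (hypothetical values)
    researcher_reward: float = 2.0     # bounty/trust payoff when the SRC is collaborative
    researcher_fine: float = 2.0       # penalty for illegal participation when the government regulates
    illegal_revenue: float = 1.0       # revenue from selling/exploiting the bug instead of reporting it
    # government side (hypothetical values)
    reg_benefit: float = 3.0           # regulatory benefit when both SRC and researchers cooperate
    reg_cost: float = 1.0              # cost of active regulation


def fitness_gaps(p, x, y, z):
    """Return (D_x, D_y, D_z): expected-payoff advantage of the cooperative strategy
    for each player given the other two populations' mixed strategies.
    x = share of collaborative SRCs, y = share of legally participating researchers,
    z = share of actively regulating government agencies."""
    d_x = p.src_gain_from_legal * y + (p.gov_reward + p.src_penalty) * z - p.src_cost
    d_y = p.researcher_reward * x + p.researcher_fine * z - p.illegal_revenue
    d_z = (p.reg_benefit * x * y + p.researcher_fine * (1 - y)
           + p.src_penalty * (1 - x) - p.reg_cost)
    return d_x, d_y, d_z


def simulate(p, x0, y0, z0, dt=0.01, t_max=200.0, tol=0.99):
    """Integrate the replicator dynamics x' = x(1-x)D_x (and likewise for y, z)
    with an explicit Euler step. Returns (state, t_converged), where t_converged is
    the first time all three shares exceed `tol` (the (1,1,1) collaborative corner)
    or None if that corner is never reached within t_max."""
    x, y, z = x0, y0, z0
    t = 0.0
    t_conv = None
    for _ in range(int(t_max / dt)):
        d_x, d_y, d_z = fitness_gaps(p, x, y, z)
        x += dt * x * (1 - x) * d_x
        y += dt * y * (1 - y) * d_y
        z += dt * z * (1 - z) * d_z
        t += dt
        if t_conv is None and min(x, y, z) > tol:
            t_conv = t
    return (x, y, z), t_conv


def corner_eigenvalues(p, corner):
    """Jacobian eigenvalues of the replicator system at a pure-strategy corner.
    For x' = x(1-x)D_x the Jacobian is diagonal at a corner with entry (1-2x)*D_x,
    so a corner is an evolutionarily stable state iff all three entries are negative."""
    x, y, z = corner
    gaps = fitness_gaps(p, x, y, z)
    return tuple((1 - 2 * s) * d for s, d in zip(corner, gaps))


def is_ess(p, corner):
    return all(e < 0 for e in corner_eigenvalues(p, corner))


if __name__ == "__main__":
    p = Payoffs()
    for w in (0.2, 0.5, 0.8):
        state, t_conv = simulate(p, w, w, w)
        print(f"initial willingness {w}: converged at t={t_conv}, "
              f"state={tuple(round(s, 3) for s in state)}")
    print("(1,1,1) eigenvalues:", corner_eigenvalues(p, (1, 1, 1)),
          "ESS:", is_ess(p, (1, 1, 1)))
    # Below-threshold regime: no fine for illegal participation, higher illegal revenue.
    weak = Payoffs(researcher_fine=0.0, illegal_revenue=2.5)
    state, t_conv = simulate(weak, 0.5, 0.5, 0.5)
    print("no fine, high illegal revenue:", tuple(round(s, 3) for s in state), t_conv)
```

The hypothetical payoffs enter only through `fitness_gaps`; substituting a real payoff matrix means rewriting that one function. The explicit Euler step is coarse but adequate here because each per-step change is bounded by dt times max|D|/4, and the qualitative outcomes (ordering of convergence times, sign of the corner eigenvalues, collapse of y when the fine is removed) do not depend on the step size.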

Suggested Citation

  • Liurong Zhao & Xiaoxi Yu & Xinyu Zhou, 2024. "Regulatory mechanism of vulnerability disclosure behavior considering security crowd-testing: An evolutionary game analysis," PLOS ONE, Public Library of Science, vol. 19(6), pages 1-31, June.
  • Handle: RePEc:plo:pone00:0304467
    DOI: 10.1371/journal.pone.0304467

    Download full text from publisher

    File URL: https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0304467
    Download Restriction: no

    File URL: https://journals.plos.org/plosone/article/file?id=10.1371/journal.pone.0304467&type=printable
    Download Restriction: no



    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.
    2. Ravi Sen & Joobin Choobineh & Subodha Kumar, 2020. "Determinants of Software Vulnerability Disclosure Timing," Production and Operations Management, Production and Operations Management Society, vol. 29(11), pages 2532-2552, November.
    3. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    4. Arrah-Marie Jo, 2019. "Software vulnerability disclosure and security investment [L'impact de la divulgation d’une faille de sécurité : au-delà des motivations de l’éditeur de logiciel]," Post-Print hal-03033198, HAL.
    5. Xiao Liu & Qingjin Wang & Zhengrui Li & Shan Jiang, 2025. "An Evolutionary Game Analysis of Decision-Making and Interaction Mechanisms of Chinese Energy Enterprises, the Public, and the Government in Low-Carbon Development Based on Prospect Theory," Energies, MDPI, vol. 18(8), pages 1-20, April.
    6. Zan Zhang & Guofang Nan & Yong Tan, 2020. "Cloud Services vs. On-Premises Software: Competition Under Security Risk and Product Customization," Information Systems Research, INFORMS, vol. 31(3), pages 848-864, September.
    7. Hui, Kai-Lung & Zhou, Jiali, 2020. "The Economics of Hacking," MPRA Paper 102706, University Library of Munich, Germany.
    8. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    9. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    10. Arora, Ashish & Forman, Chris & Nandkumar, Anand & Telang, Rahul, 2010. "Competition and patching of security vulnerabilities: An empirical analysis," Information Economics and Policy, Elsevier, vol. 22(2), pages 164-177, May.
    11. Turki Alsuwian & Aiman Shahid Butt & Arslan Ahmed Amin, 2022. "Smart Grid Cyber Security Enhancement: Challenges and Solutions—A Review," Sustainability, MDPI, vol. 14(21), pages 1-21, October.
    12. Wenke Wang & Xiaoqiong You & Kebei Liu & Yenchun Jim Wu & Daming You, 2020. "Implementation of a Multi-Agent Carbon Emission Reduction Strategy under the Chinese Dual Governance System: An Evolutionary Game Theoretical Approach," IJERPH, MDPI, vol. 17(22), pages 1-21, November.
    13. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    14. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    15. Yongliang Yang & Yuting Zhu & Xiaopeng Wang & Yi Li, 2022. "The Perception of Environmental Information Disclosure on Rural Residents’ Pro-Environmental Behavior," IJERPH, MDPI, vol. 19(13), pages 1-22, June.
    16. Amitava Dutta & Rahul Roy, 2008. "Dynamics of organizational information security," System Dynamics Review, System Dynamics Society, vol. 24(3), pages 349-375, September.
    17. Harish Guda & Milind Dawande & Ganesh Janakiraman, 2021. "“Seemingly‐Beneficial” Interventions," Production and Operations Management, Production and Operations Management Society, vol. 30(10), pages 3337-3353, October.
    18. Dinghuan Yuan & Jiaxin Li & Qiuxiang Li & Yang Fu, 2024. "Tripartite Evolutionary Game and Policy Simulation: Strategic Governance in the Redevelopment of the Urban Village in Guangzhou," Land, MDPI, vol. 13(11), pages 1-21, November.
    19. Kjell Hausken, 2018. "Proactivity and Retroactivity of Firms and Information Sharing of Hackers," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 20(01), pages 1-30, March.
    20. Ashish Arora & Anand Nandkumar & Rahul Telang, 2006. "Does information security attack frequency increase with vulnerability disclosure? An empirical analysis," Information Systems Frontiers, Springer, vol. 8(5), pages 350-362, December.


    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.