Research on Security and Risk

Emerging security and risk: While most research focuses on maximizing the potential positive impact of technologies, my security and risk research focuses on understanding, minimizing and balancing negative effects.

Some current and recent projects are:

    Paths to Compromise:
    (with Saby Mitra) This project combines a detailed qualitative study of the information security compromise process with large-scale empirical analysis of intrusion detection system logs. A report on this research appeared in Information Systems Research, vol. 20, no. 1, pp. 121–139, 2009 (runner-up for ISR Best Published Paper in 2009).
    Market Mechanisms and Vulnerability Disclosure Policy:
    (with Saby Mitra and Jon Ramsey) Recently, vulnerability markets have been introduced to reward security researchers for discovery of vulnerabilities. We examine the effect of these markets on the diffusion of exploits. An early version of this report is available from the ICIS 2008 proceedings. A complete version is forthcoming at MIS Quarterly.
    Metagraph-based tools:
    (with Saby Mitra) With the ever-increasing interconnectedness of heterogeneous systems across organizations, it is difficult to assess the resultant security risks. We extend existing tools by introducing node-attributed metagraphs and develop operators that take advantage of these attributes to provide security management metrics. A conference version of this paper is available from SSRN.
    Banking industry attacks:
    (with Saby Mitra) We combine bank-specific information from the FDIC with two years of alert data (400 million alerts) from intrusion detection systems to understand antecedents of security risk. [Contact me for a working paper.]
    Healthcare litigation risk:
    (with Eric Overby) Implementations of computerized practitioner order entry systems within hospitals are desirable because they may reduce error. However, they also may increase risk to healthcare as they can provide a “smoking gun” if errors occur. We combine system adoption information and medical malpractice claim records to create a detailed panel which examines the positive and negative impacts of order entry system adoption. [Contact me for a working paper.]
    Open Source software and Vulnerability Exploitation:
    Open Source software is often thought to be more secure because of the large number of potential code reviewers and testers. However, this same openness may work against open source software when vulnerabilities are announced and potential attackers can view the code. I examine the effect of open source versus closed source on the diffusion of exploits from vulnerabilities. [Contact me for a working paper.]