Three Essays on Information Security Policies

journal contribution
posted on 01.07.2008 by Yubao Yang
Information security breaches pose a significant and increasing threat to national security and economic well-being. In the Symantec Internet Security Threat Report (2003), companies surveyed experienced an average of about 30 attacks per week. Anecdotal evidence suggests that losses from cyber-attacks can run into millions of dollars. The CSI-FBI survey (2005) estimates that the loss per company was more than $500,000 in 2004 and more than $200,000 in 2005. This research analyzes the information security policies that attempt to address the above issues. In particular, this research focuses on the following topics: (1) the vulnerability disclosure policies of several major vulnerability information outlets and their implications for vendors' patch release behavior; (2) the conformance of software vendors to one of the most important software product security quality certification standards, Common Criteria certification; and (3) the effectiveness of Common Criteria certification in improving the security quality of software products.