Communicating Cybersecurity Vulnerability Information: A Producer-Acquirer Case Study

Martin Hell; Martin Höst

doi:10.1007/978-3-030-91452-3_15

Communicating Cybersecurity Vulnerability Information: A Producer-Acquirer Case Study

Martin Hell, Martin Höst

Research output: Chapter in Book/Report/Conference proceeding › Paper in conference proceeding › peer-review

101 Downloads (Pure)

Abstract

The increase in both the use of open-source software (OSS) and the number of new vulnerabilities reported in this software constitutes an increased threat to businesses, people, and our society. To mitigate this threat, vulnerability information must be efficiently handled in organizations. In addition, where e.g., IoT devices are integrated into systems, such information must be disseminated from producers, who are implementing patches and new firmware, to acquirers who are responsible for maintaining the systems. We conduct an exploratory case study with one producer of IoT devices and one acquirer of the same devices, where the acquirer integrates the devices into larger systems. Through this two-sided case study, we describe company roles, internal and inter-company communication, and the decisions that need to be made with regard to cybersecurity vulnerabilities. We also identify and discuss both challenges and opportunities for improvements, from the point of view of both the producer and acquirer.

Original language	English
Title of host publication	International Conference on Product-Focused Software Process Improvement
Subtitle of host publication	PROFES 2021
Pages	215-230
ISBN (Electronic)	978-3-030-91452-3
DOIs	https://doi.org/10.1007/978-3-030-91452-3_15
Publication status	Published - 2021

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer Nature
ISSN (Electronic)	1611-3349

Subject classification (UKÄ)

Business Administration
Software Engineering

Access to Document

10.1007/978-3-030-91452-3_15

Profes_case_studyAccepted author manuscript, 228 KB

HATCH: HATCH: Handling Vulnerabilities in the Value Chain
Höst, M. (PI) & Hell, M. (Researcher)
Swedish Government Agency for Innovation Systems (Vinnova)
2018/11/30 → 2021/11/30
Project: Research
SMARTY: Säkra mjukvaruuppdateringar för den smarta staden
Hell, M. (PI), Magnusson, B. (PI), Gehrmann, C. (CoI), Paladi, N. (Researcher), Karlsson, L. (Researcher), Sönnerup, J. (Researcher), Johnsson, B. A. (Researcher), Hedin, G. (Researcher), Nordahl, M. (Researcher), Pagnin, E. (Researcher), Kundu, R. (Researcher), Åkesson, A. (Researcher), Stankovski Wagner, P. (Researcher) & Ramezanian, S. (Researcher)
Swedish Foundation for Strategic Research, SSF
2018/03/01 → 2024/12/31
Project: Research

Cite this

@inproceedings{1b6e9dd4963f41b8b2c1e4279aacf3bd,

title = "Communicating Cybersecurity Vulnerability Information: A Producer-Acquirer Case Study",

abstract = "The increase in both the use of open-source software (OSS) and the number of new vulnerabilities reported in this software constitutes an increased threat to businesses, people, and our society. To mitigate this threat, vulnerability information must be efficiently handled in organizations. In addition, where e.g., IoT devices are integrated into systems, such information must be disseminated from producers, who are implementing patches and new firmware, to acquirers who are responsible for maintaining the systems. We conduct an exploratory case study with one producer of IoT devices and one acquirer of the same devices, where the acquirer integrates the devices into larger systems. Through this two-sided case study, we describe company roles, internal and inter-company communication, and the decisions that need to be made with regard to cybersecurity vulnerabilities. We also identify and discuss both challenges and opportunities for improvements, from the point of view of both the producer and acquirer.",

author = "Martin Hell and Martin H{\"o}st",

year = "2021",

doi = "10.1007/978-3-030-91452-3_15",

language = "English",

series = "Lecture Notes in Computer Science",

publisher = "Springer Nature",

pages = "215--230",

booktitle = "International Conference on Product-Focused Software Process Improvement",

}

Communicating Cybersecurity Vulnerability Information: A Producer-Acquirer Case Study. / Hell, Martin; Höst, Martin.
International Conference on Product-Focused Software Process Improvement: PROFES 2021. 2021. p. 215-230 (Lecture Notes in Computer Science).

Research output: Chapter in Book/Report/Conference proceeding › Paper in conference proceeding › peer-review

TY - GEN

T1 - Communicating Cybersecurity Vulnerability Information: A Producer-Acquirer Case Study

AU - Hell, Martin

AU - Höst, Martin

PY - 2021

Y1 - 2021

N2 - The increase in both the use of open-source software (OSS) and the number of new vulnerabilities reported in this software constitutes an increased threat to businesses, people, and our society. To mitigate this threat, vulnerability information must be efficiently handled in organizations. In addition, where e.g., IoT devices are integrated into systems, such information must be disseminated from producers, who are implementing patches and new firmware, to acquirers who are responsible for maintaining the systems. We conduct an exploratory case study with one producer of IoT devices and one acquirer of the same devices, where the acquirer integrates the devices into larger systems. Through this two-sided case study, we describe company roles, internal and inter-company communication, and the decisions that need to be made with regard to cybersecurity vulnerabilities. We also identify and discuss both challenges and opportunities for improvements, from the point of view of both the producer and acquirer.

AB - The increase in both the use of open-source software (OSS) and the number of new vulnerabilities reported in this software constitutes an increased threat to businesses, people, and our society. To mitigate this threat, vulnerability information must be efficiently handled in organizations. In addition, where e.g., IoT devices are integrated into systems, such information must be disseminated from producers, who are implementing patches and new firmware, to acquirers who are responsible for maintaining the systems. We conduct an exploratory case study with one producer of IoT devices and one acquirer of the same devices, where the acquirer integrates the devices into larger systems. Through this two-sided case study, we describe company roles, internal and inter-company communication, and the decisions that need to be made with regard to cybersecurity vulnerabilities. We also identify and discuss both challenges and opportunities for improvements, from the point of view of both the producer and acquirer.

U2 - 10.1007/978-3-030-91452-3_15

DO - 10.1007/978-3-030-91452-3_15

M3 - Paper in conference proceeding

T3 - Lecture Notes in Computer Science

SP - 215

EP - 230

BT - International Conference on Product-Focused Software Process Improvement

ER -

Communicating Cybersecurity Vulnerability Information: A Producer-Acquirer Case Study

Abstract

Publication series

Subject classification (UKÄ)

Access to Document

Fingerprint

Projects

HATCH: HATCH: Handling Vulnerabilities in the Value Chain

SMARTY: Säkra mjukvaruuppdateringar för den smarta staden

Cite this