The best defense
Know your enemy

Illustration: Polly Becker
Associate professor Sam Ransbotham, who teaches in the information systems department at the Carroll School of Management, is interested in cyber crime. Specifically, he wants to understand, from an organizational perspective, the conditions that promote, prevent, and/or slow the spread of cyber attacks. And he wants to shed light on a debate in the Internet security field: When security professionals discover a software vulnerability—a flaw in code, say—is it best to publicly and immediately disclose the defect? Or is it safer to limit disclosure (the prevailing approach), thereby allowing the software vendor time to devise a patch before the problem becomes public?
Through an arrangement with the global security services company Dell SecureWorks (whose client list includes business and financial institutions, hospitals, universities, and other entities), Ransbotham analyzed software security alerts involving 960 companies and organizations over two years (2006 and 2007)—more than 400 million notifications in all. To factor in the effect of immediate public disclosure, he incorporated information from the National Vulnerability Database, a federally maintained, open-to-the-public clearinghouse of computer security breaches and vulnerabilities.
Ransbotham put the combined sets of information through three analytical models to identify (a) the initial attack on a company’s system after a given vulnerability was disclosed; (b) the diffusion of attacks (how many firms were affected); and (c) the volume of attacks per organization during a given attack episode.
In a paper presented at a 2011 security conference, Ransbotham and coauthor Sabyasachi Mitra, a professor at Georgia Tech’s Scheller College of Business, reported that when software vulnerabilities were immediately announced to the public, attacks spread more quickly than in lower-profile circumstances, with more companies being at a higher risk of a first attack. The data, however, pointed to a paradox: Even though the number of firms attacked in a well-publicized episode was relatively high, the total number of attack attempts was relatively low. Why? Ransbotham and Mitra described opportunistic cyber criminals as engaged in the equivalent of reconnaissance missions, quickly moving from company to company as they encountered shored-up security.
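To make the three measures concrete, here is an added illustration (not code from Ransbotham's study, and not the models the paper used) that computes, for each vulnerability, the three quantities the article names: days from public disclosure to the first observed attack, the number and share of firms hit (diffusion), and the number of attempts per affected firm (volume). The alert rows, disclosure dates, vulnerability labels and firm names are all constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample alerts of the form (firm_id, alert_date, vulnerability_id).
# They stand in for security-service notifications; they are not study data.
ALERTS = [
    ("firm-A", date(2006, 3, 2), "VULN-1"),
    ("firm-B", date(2006, 3, 3), "VULN-1"),
    ("firm-A", date(2006, 3, 4), "VULN-1"),
    ("firm-C", date(2006, 3, 9), "VULN-1"),
    ("firm-A", date(2006, 3, 15), "VULN-2"),
    ("firm-A", date(2006, 3, 16), "VULN-2"),
    ("firm-A", date(2006, 3, 17), "VULN-2"),
    ("firm-A", date(2006, 3, 18), "VULN-2"),
]

# Constructed public-disclosure dates (the role the National Vulnerability
# Database plays in the article), keyed by the same made-up vulnerability ids.
DISCLOSURE = {"VULN-1": date(2006, 3, 1), "VULN-2": date(2006, 3, 10)}

# The monitored population: every firm that appears anywhere in the alert feed.
POPULATION = len({firm for firm, _, _ in ALERTS})


def episode_metrics(vuln_id, alerts, disclosure, population):
    """Return the three per-episode measures for one vulnerability.

    (a) days_to_first_attack: disclosure date to the earliest alert, any firm
    (b) firms_affected / diffusion_share: how far the attack spread
    (c) attempts_per_affected_firm: volume of attempts per organisation hit
    """
    hits = [(firm, day) for firm, day, vid in alerts if vid == vuln_id]
    if not hits:
        return {
            "days_to_first_attack": None,
            "firms_affected": 0,
            "diffusion_share": 0.0,
            "total_attempts": 0,
            "attempts_per_affected_firm": 0.0,
        }

    attempts_by_firm = defaultdict(int)
    first_seen = {}
    for firm, day in hits:
        attempts_by_firm[firm] += 1
        first_seen[firm] = min(first_seen.get(firm, day), day)

    disclosed = disclosure[vuln_id]
    first_attack = min(day for _, day in hits)
    affected = len(attempts_by_firm)
    total = sum(attempts_by_firm.values())
    return {
        "days_to_first_attack": (first_attack - disclosed).days,
        "firms_affected": affected,
        "diffusion_share": affected / population,
        "total_attempts": total,
        "attempts_per_affected_firm": total / affected,
        # Per-firm lag lets a defender see which organisations were hit early.
        "days_to_first_attack_by_firm": {
            firm: (day - disclosed).days for firm, day in first_seen.items()
        },
    }


def all_episodes(alerts=ALERTS, disclosure=DISCLOSURE, population=POPULATION):
    """Compute the measures for every disclosed vulnerability in the feed."""
    return {vid: episode_metrics(vid, alerts, disclosure, population)
            for vid in disclosure}


if __name__ == "__main__":
    for vid, metrics in all_episodes().items():
        print(vid, metrics)
```

In these terms, the paradox the article describes is an episode with a high diffusion share but a low number of attempts per affected firm: many organisations see a first attempt, yet each sees few, which is what the authors read as attackers probing and moving on. A defender tracking the same three numbers on their own alert feed can tell a broad, shallow sweep from a concentrated campaign against one organisation.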
Based on these findings and others, Ransbotham recommends a strategy of limited disclosure of vulnerability information. Computer emergency response teams should disclose a vulnerability to the software vendor and to security service providers who can take countermeasures (for example, filtering traffic for an attacker’s signature) while the vendor works on a fix.
“It comes down to thinking about it more as an economic problem. All attacks would stop tomorrow if the return on investment is negative,” Ransbotham says. “So, what can we do to manipulate that return on investment for the ‘bad guy’?” The evidence suggests that limiting public disclosure of vulnerabilities bolsters activity that lowers attackers’ returns, thereby slowing and containing attacks.
Ransbotham’s interest in what he calls “the darker side” of ubiquitous computing ranges widely. He has conducted research to consider whether open-source code is more secure than proprietary software (some believe it is because it’s open to everyone to make corrections; Ransbotham’s data says no); and whether the adoption of electronic medical records by physicians and hospitals promotes medical malpractice claims because of the ease of legal discovery (again, the data says no).
Based on his investigations, Ransbotham in February was awarded a five-year, $402,000 CAREER grant from the National Science Foundation for “Using Analytics on Security Data to Understand Negative Innovations.” Given to pre-tenure faculty members in general support of their scholarly pursuits, the grant will allow Ransbotham to hone and expand his research. “Malicious uses of IT are rampant,” Ransbotham says. “It is tempting to wish for technical panaceas to make them disappear. But technology alone will not stop them,” he says. “We need to consider managerial, organizational, and economic aspects as well.”
Jeri Zeder is a writer in the Boston area.
