The role of vulnerability disclosure programs in an organisational cybersecurity strategy.
Loading...
Date
2020
Authors
Journal Title
Journal ISSN
Volume Title
Publisher
Abstract
Today’s world is a technological one, with devices and software becoming more interconnected. Inherent
to these devices and software are vulnerabilities that if discovered by malicious parties, may be exploited.
In order to discover, investigate and remediate these vulnerabilities timeously with little or no impact to
users, organisations have started to invest in vulnerability disclosure programs (VDP). This provided
researchers with a platform in order to communicate discovered vulnerabilities to the organisation in a
standardised and consistent manner. It also provided organisations with a method of detecting security
flaws that were not normally detected by vulnerability scanners. VDP’s assist in identifying these
vulnerabilities in a coordinated manner to facilitate speedy remediation.
This research investigated the challenges and benefits of VDP’s and the need for such a program as part
of the organisational cybersecurity strategy.
Quantitative analysis was used to conduct the study by means of an online questionnaire. 147 participants
who were members of ISACA South Africa spread across South Africa, with Information Technology
(IT) and cybersecurity experience, responded to the questionnaire. The questionnaire measured the
opinions, views and experience of the various stakeholders. The questionnaire comprised of rating and
ranking scales such as the Likert scale in order to obtain a rich and accurate data set for analysis. The
questionnaire data was analysed using descriptive analysis (i.e.: frequency analysis, mean and standard
deviation) and correlation. Statistical analysis tools such as PSPP and Real Statistics which is an add on
in Excel were used to analyse the data. Based on the research performed, the key findings were around
the lack of awareness of VDP’s in the IT and cybersecurity space within South Africa. This included the
understanding of the types of VDP’s as well as the processes associated with VDP’s as well as the lack of
management support towards VDP’s. It was also evident that many organisations did not have an official
channel to report VDP’s.
Description
Masters Degree. University of KwaZulu-Natal, Pietermaritzburg.