
OUSPG


Communication in the Software Vulnerability Reporting Process [thesis]

$RCSfile: index.html,v $ $Revision: 1.6 $ $Date: 2004/01/16 16:27:42 $

ABSTRACT

Our society has become more and more dependent on information technology and, thus, also on computer security. Reporting software vulnerabilities to vendors is central to software quality development. This study aimed to analyze how software vulnerability reporting is organized, and to compare the differences of opinion between reporters and receivers of the reports, i.e. the two main participant groups in the reporting process. The communication process in a software vulnerability reporting network was described. Knowledge production, mediation, and application in the network were analyzed. Publicity, crisis, and risk management as well as professional ethics, trust, and corporate social responsibility in the network were discussed. The study was based on a quantitative survey that was completed during summer 2002. So-called snowball sampling was used to reach potential respondents. Altogether 157 valid answers were received, of which 60 were from receivers and 97 from reporters. The analysis of the results was conducted with the help of factor analyses, chi-square tests, and Mann-Whitney U-tests. The study concluded that communication in the software vulnerability reporting process quite often seems to be one-way, although two-way symmetrical communication could in many cases make the knowledge application easier. This may have a negative effect on the publicity management of the communication participants and complicate the communication process. The communication network was described as informative. The inter-organizational learning process was described. It was discerned that especially procedural knowledge, i.e., know-how and know-who, in the reporting process seems to need development. It was also detected that the combination of information with existing knowledge assets is essential in the receiving organizations.

A lack of codification seems to be typical of the communication process, which may, among other things, affect the development of trust between the communication participants. The opinions about the publicity and extent of the disclosures were also determined in the study. Overall, both the receivers and reporters opposed immediate and full disclosure. The receivers opposed full disclosure more than the reporters in every one of its forms. The two groups agreed on publishing some part of the information after a pre-defined time.

Publication details and availability
Title: Communication in the Software Vulnerability Reporting Process
Publication details: Havana, Tiina. "Communication in the Software Vulnerability Reporting Process". M.A. Thesis for the Department of Communication and PR at the University of Jyväskylä.
Availability:
- Full thesis (PDF, in English)
- A brochure summarizing the thesis (PDF, in English)
- A brochure summarizing the thesis (PostScript, in English)
