The role of vulnerability disclosure programs in an organisational cybersecurity strategy.
Date
2020
Abstract
Today’s world is a technological one, with devices and software becoming ever more interconnected. Inherent to these devices and software are vulnerabilities that, if discovered by malicious parties, may be exploited. In order to discover, investigate and remediate these vulnerabilities timeously, with little or no impact on users, organisations have started to invest in vulnerability disclosure programs (VDPs). A VDP provides researchers with a platform for communicating discovered vulnerabilities to the organisation in a standardised and consistent manner. It also provides organisations with a method of detecting security flaws that are not normally detected by vulnerability scanners. VDPs assist in identifying these vulnerabilities in a coordinated manner to facilitate speedy remediation.

This research investigated the challenges and benefits of VDPs and the need for such a program as part of the organisational cybersecurity strategy.

The study was conducted by quantitative analysis of an online questionnaire. 147 participants, all members of ISACA South Africa spread across South Africa and with Information Technology (IT) and cybersecurity experience, responded to the questionnaire. The questionnaire measured the opinions, views and experience of the various stakeholders. It comprised rating and ranking scales, such as the Likert scale, in order to obtain a rich and accurate data set for analysis. The questionnaire data was analysed using descriptive analysis (frequency analysis, mean and standard deviation) and correlation. Statistical analysis tools, namely PSPP and Real Statistics (an Excel add-in), were used to analyse the data. Based on the research performed, the key findings concerned the lack of awareness of VDPs in the IT and cybersecurity space within South Africa. This included limited understanding of the types of VDPs and of the processes associated with them, as well as a lack of management support for VDPs. It was also evident that many organisations did not have an official channel through which vulnerabilities could be reported.
Description
Master’s Degree. University of KwaZulu-Natal, Pietermaritzburg.