To Disclose, to Conceal or to Sell: Zero-Day Exploits and Emerging Institutions in Cybersecurity
Date of Award
Doctor of Philosophy (PhD)
School of Information Studies
Milton L. Mueller
cybersecurity, discourse, dual use technology, emerging institutions, software vulnerability markets, vulnerability disclosure
Social and Behavioral Sciences
This dissertation examines the controversy about the disclosure and sale of software vulnerabilities and zero-day exploits, and how this discourse relates to the emergence of new institutions in cybersecurity, such as vulnerability markets and export control regimes. The goal of the research is to advance our understanding of the way discourses are related to the emergence of governance institutions, and to shed light on the socio-technical processes required to control dual-use information technology.
The research applies theories and methods of science and technology studies and institutional theory to the debate over the production, sale and regulation of software vulnerabilities and exploits. To study the historical, organizational, and institutional developments of these markets and the control regimes, this qualitative, empirical research employed (1) a comprehensive analysis of publicly accessible documents, including technical briefs, policy memos, and industry reports; and (2) in-depth interviews with information security professionals and policy experts. The research analyzed the emerging institutions and the discourse from the early 1990s to 2015. In particular, it analyzed the actors and their concepts and ideas in the discursive exchanges, and identified the frames the actors used.
The research identified four frames that shaped the discourse and contributed to the formation of market and control institutions: the ‘Duty to Disclose’ and ‘Market’ frames were relevant in the institutionalization of vulnerability trading; and the ‘Controlling the Digital Arms Trade’ and ‘Controlling the Proliferation of Cyber Weapons’ frames explained the adoption of export control regimes to regulate the global trade in software exploits and surveillance technology.
Surface provides description only. Full text is available to ProQuest subscribers. Ask your Librarian for assistance.
Kuehn, Andreas, "To Disclose, to Conceal or to Sell: Zero-Day Exploits and Emerging Institutions in Cybersecurity" (2016). Dissertations - ALL. 653.