The Uncontrolled Web: Measuring Security Governance on the Web


IEICE TRANSACTIONS on Information and Systems   Vol.E104-D    No.11    pp.1828-1838
Publication Date: 2021/11/01
Publicized: 2021/07/08
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2021NGP0003
Type of Manuscript: Special Section PAPER (Special Section on Next-generation Security Applications and Practice)
security governance,  web measurement,  cyber resilience,  

Full Text: PDF(739.8KB)>>
Buy this Article

While websites are becoming more and more complex daily, the difficulty of managing them is also increasing. It is important to conduct regular maintenance against these complex websites to strengthen their security and improve their cyber resilience. However, misconfigurations and vulnerabilities are still being discovered on some pages of websites and cyberattacks against them are never-ending. In this paper, we take the novel approach of applying the concept of security governance to websites; and, as part of this, measuring the consistency of software settings and versions used on these websites. More precisely, we analyze multiple web pages with the same domain name and identify differences in the security settings of HTTP headers and versions of software among them. After analyzing over 8,000 websites of popular global organizations, our measurement results show that over half of the tested websites exhibit differences. For example, we found websites running on a web server whose version changes depending on access and using a JavaScript library with different versions across over half of the tested pages. We identify the cause of such governance failures and propose improvement plans.

open access publishing via