Examining Exploitability Risk of Vulnerabilities: A Hazard Model

With the increasing number and severity of security incidents and exploits, information technology (IT) vendors, security managers, and consumers have begun to place more emphasis on security. Yet, fixing the sheer volume of vulnerabilities remains a challenge as IT vendors race against attackers to...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Communications of the Association for Information Systems 2020-01, Vol.46, p.421-443
Hauptverfasser: Roumani, Yaman, Nwankpa, Joseph
Format: Artikel
Sprache:eng
Schlagworte:
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:With the increasing number and severity of security incidents and exploits, information technology (IT) vendors, security managers, and consumers have begun to place more emphasis on security. Yet, fixing the sheer volume of vulnerabilities remains a challenge as IT vendors race against attackers to evaluate system vulnerabilities, prioritize them, and issue security patches before cybercriminals can exploit them. In this study, we posit that IT vendors can prioritize which vulnerabilities they should patch first by assessing their exploitability risk. Accordingly, we identified the vulnerabilities that cybercriminals will most likely exploit using vulnerability-related attributes and vulnerability types. To do so, we employed survival analysis and tested our models using historical data of vulnerabilities and exploits between 2007 and 2016. Our results indicate that IT vendors benefit the most from fixing remotely exploitable vulnerabilities; non-complex vulnerabilities; vulnerabilities that require no authentication; and vulnerabilities that affect confidentiality, integrity, and availability components. Furthermore, our findings suggest that IT vendors can mitigate the risk of exploit-related attacks by remedying code-injection vulnerabilities, buffer-overflow vulnerabilities, and numeric-error vulnerabilities.
ISSN:1529-3181
1529-3181
DOI:10.17705/1CAIS.04618