Examining Exploitability Risk of Vulnerabilities: A Hazard Model

With the increasing number and severity of security incidents and exploits, information technology (IT) vendors, security managers, and consumers have begun to place more emphasis on security. Yet, fixing the sheer volume of vulnerabilities remains a challenge as IT vendors race against attackers to...

Saved in:
Bibliographic details
Published in: Communications of the Association for Information Systems 2020-01, Vol.46, p.421-443
Main authors: Roumani, Yaman; Nwankpa, Joseph
Format: Article
Language: eng
Subjects:
Online access: Full text
container_end_page 443
container_issue
container_start_page 421
container_title Communications of the Association for Information Systems
container_volume 46
creator Roumani, Yaman; Nwankpa, Joseph
description With the increasing number and severity of security incidents and exploits, information technology (IT) vendors, security managers, and consumers have begun to place more emphasis on security. Yet, fixing the sheer volume of vulnerabilities remains a challenge as IT vendors race against attackers to evaluate system vulnerabilities, prioritize them, and issue security patches before cybercriminals can exploit them. In this study, we posit that IT vendors can prioritize which vulnerabilities they should patch first by assessing their exploitability risk. Accordingly, we identified the vulnerabilities that cybercriminals will most likely exploit using vulnerability-related attributes and vulnerability types. To do so, we employed survival analysis and tested our models using historical data of vulnerabilities and exploits between 2007 and 2016. Our results indicate that IT vendors benefit the most from fixing remotely exploitable vulnerabilities; non-complex vulnerabilities; vulnerabilities that require no authentication; and vulnerabilities that affect confidentiality, integrity, and availability components. Furthermore, our findings suggest that IT vendors can mitigate the risk of exploit-related attacks by remedying code-injection vulnerabilities, buffer-overflow vulnerabilities, and numeric-error vulnerabilities.
doi_str_mv 10.17705/1CAIS.04618
format Article
fulltext fulltext
identifier ISSN: 1529-3181
ispartof Communications of the Association for Information Systems, 2020-01, Vol.46, p.421-443
issn 1529-3181
language eng
recordid cdi_proquest_journals_2500498850
source Digital Commons Online Journals
subjects Exploitation
Fixing
Information technology
Risk
Security
Survival analysis
title Examining Exploitability Risk of Vulnerabilities: A Hazard Model