Printed from https://ideas.repec.org/a/sae/joudef/v19y2022i1p13-22.html

Vulnerability Selection for Remediation: An Empirical Analysis

Authors
  • Ankit Shah
  • Katheryn A. Farris
  • Rajesh Ganesan
  • Sushil Jajodia

Abstract

Vulnerabilities are security flaws in software and network systems that criminal hackers can exploit to gain an asymmetric advantage. Cyber-Security Operations Centers must routinely triage and patch vulnerabilities in their system(s) to minimize external exposure to attackers. The personnel resources required to address vulnerability remediation tasks are limited and constrained, thus motivating the need for optimization approaches to improve the efficiency of the vulnerability selection process. This paper investigates two different approaches to vulnerability selection for mitigation through (a) Individual Attribute Value Optimization and (b) Multiple Attribute Value Optimization. The former approach presents a methodology that optimizes the selection of vulnerabilities for mitigation with respect to an individual attribute, while the latter approach considers multiple attributes in the vulnerability selection decision-making. Real scan data from a Cyber-Security Operations Center are used to compare the results between the two mathematical approaches. Furthermore, comparisons are made with the results obtained from (a) the actual (baseline) Cyber-Security Operations Center performance, and (b) a vulnerability prioritization algorithm called VULCON that appeared in recent literature.

Suggested Citation

  • Ankit Shah & Katheryn A. Farris & Rajesh Ganesan & Sushil Jajodia, 2022. "Vulnerability Selection for Remediation: An Empirical Analysis," The Journal of Defense Modeling and Simulation, vol. 19(1), pages 13-22, January.
  • Handle: RePEc:sae:joudef:v:19:y:2022:i:1:p:13-22
    DOI: 10.1177/1548512919874129

    Download full text from publisher

    File URL: https://journals.sagepub.com/doi/10.1177/1548512919874129
    Download Restriction: no


    Citations

    Cited by:

    1. Jiri Neubauer & Martin Vlkovsky & Jaroslav Michalek, 2024. "Statistical modeling of cargo securing on selected military trucks and road surfaces," The Journal of Defense Modeling and Simulation, vol. 21(3), pages 341-355, July.
