A Bayesian network model for likelihood estimations of acquirement of critical software vulnerabilities and exploits
2015 (English)In: Information and Software Technology, ISSN 0950-5849, Vol. 58, 304-318 p.Article in journal (Refereed) Published
Context: Software vulnerabilities in general, and software vulnerabilities with publicly available exploits in particular, are important to manage for both developers and users. This is however a difficult matter to address as time is limited and vulnerabilities are frequent. Objective: This paper presents a Bayesian network based model that can be used by enterprise decision makers to estimate the likelihood that a professional penetration tester is able to obtain knowledge of critical vulnerabilities and exploits for these vulnerabilities for software under different circumstances. Method: Data on the activities in the model are gathered from previous empirical studies, vulnerability databases and a survey with 58 individuals who all have been credited for the discovery of critical software vulnerabilities. Results: The proposed model describes 13 states related by 17 activities, and a total of 33 different datasets. Conclusion: Estimates by the model can be used to support decisions regarding what software to acquire, or what measures to invest in during software development projects.
Place, publisher, year, edition, pages
2015. Vol. 58, 304-318 p.
Cyber security, Vulnerabilities, Exploits, Statistical model, Security metrics
Computer and Information Science
IdentifiersURN: urn:nbn:se:kth:diva-159347DOI: 10.1016/j.infsof.2014.07.001ISI: 000347022800018ScopusID: 2-s2.0-84914169057OAI: oai:DiVA.org:kth-159347DiVA: diva2:785108
QC 201502022015-02-022015-01-292015-02-02Bibliographically approved