A Bayesian network model for likelihood estimations of acquirement of critical software vulnerabilities and exploits
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems. ORCID iD: 0000-0001-7386-7471
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems. ORCID iD: 0000-0003-3922-9606
2015 (English) In: Information and Software Technology, ISSN 0950-5849, E-ISSN 1873-6025, Vol. 58, 304-318 p. Article in journal (Refereed) Published
Abstract [en]

Context: Software vulnerabilities in general, and software vulnerabilities with publicly available exploits in particular, are important to manage for both developers and users. This is however a difficult matter to address, as time is limited and vulnerabilities are frequent.
Objective: This paper presents a Bayesian network based model that can be used by enterprise decision makers to estimate the likelihood that a professional penetration tester is able to obtain knowledge of critical vulnerabilities, and exploits for these vulnerabilities, for software under different circumstances.
Method: Data on the activities in the model are gathered from previous empirical studies, vulnerability databases and a survey with 58 individuals who have all been credited for the discovery of critical software vulnerabilities.
Results: The proposed model describes 13 states related by 17 activities, and a total of 33 different datasets.
Conclusion: Estimates by the model can be used to support decisions regarding what software to acquire, or what measures to invest in during software development projects.
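
The following is an added illustration, not code or data from the paper: a toy Bayesian network in Python showing how "circumstance" and "activity" nodes combine into a single likelihood that a penetration tester ends up holding an exploit, and how a decision maker can rank options by that likelihood. The node set, arcs and every probability in it are assumptions chosen for demonstration; they do not reproduce the authors' 13-state, 17-activity network or the survey-derived figures.

```python
"""Toy Bayesian network: P(a penetration tester obtains a working exploit
for a critical vulnerability) under different circumstances.

Added illustration, not the authors' model: the nodes, arcs and conditional
probability tables (CPTs) below are assumed for demonstration and do not
reproduce the 13-state / 17-activity network or the survey data of the paper.
"""
from itertools import product

# Node -> (parent tuple, CPT). Every variable is Boolean; each CPT maps a tuple
# of parent truth values to P(node = True | parents). All numbers are assumed.
NETWORK = {
    # Circumstances the decision maker can observe or choose (assumed priors).
    "source_available": ((), {(): 0.5}),   # attacker has the source code
    "public_exploit":   ((), {(): 0.2}),   # an exploit for a critical vuln is already public
    # Activities of the penetration tester (assumed probabilities).
    "finds_vuln":     (("source_available",), {(True,): 0.60, (False,): 0.35}),
    "writes_exploit": (("finds_vuln",),       {(True,): 0.50, (False,): 0.0}),
    # Outcome: the tester holds an exploit if one is public OR they wrote one.
    "has_exploit": (("public_exploit", "writes_exploit"),
                    {(True, True): 1.0, (True, False): 1.0,
                     (False, True): 1.0, (False, False): 0.0}),
}


def joint(assignment):
    """Probability of one full assignment: the product of each node's CPT entry."""
    p = 1.0
    for node, (parents, cpt) in NETWORK.items():
        p_true = cpt[tuple(assignment[q] for q in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def query(target, evidence=None):
    """P(target = True | evidence) by exact enumeration over all hidden nodes.

    Fine for a handful of Boolean nodes; a network the size of the paper's
    would use a proper inference engine rather than 2**n enumeration.
    """
    evidence = evidence or {}
    nodes = list(NETWORK)
    numerator = denominator = 0.0
    for values in product((False, True), repeat=len(nodes)):
        a = dict(zip(nodes, values))
        if any(a[k] != v for k, v in evidence.items()):
            continue                      # inconsistent with observed evidence
        p = joint(a)
        denominator += p
        if a[target]:
            numerator += p
    return numerator / denominator


def total_mass():
    """Sanity check: the joint distribution over all nodes must sum to 1."""
    nodes = list(NETWORK)
    return sum(joint(dict(zip(nodes, v)))
               for v in product((False, True), repeat=len(nodes)))


def compare_options(options):
    """Rank decision options (name -> evidence dict) by P(has_exploit), lowest first."""
    ranked = sorted((query("has_exploit", ev), name) for name, ev in options.items())
    return [(name, round(p, 4)) for p, name in ranked]


if __name__ == "__main__":
    # Three acquisition scenarios a decision maker might compare (constructed).
    options = {
        "closed source, no public exploit":      {"source_available": False, "public_exploit": False},
        "open source, no public exploit":        {"source_available": True,  "public_exploit": False},
        "closed source, exploit already public": {"source_available": False, "public_exploit": True},
    }
    for name, p in compare_options(options):
        print(f"{p:.3f}  {name}")
```

The point of the exercise is the shape of the computation rather than the numbers: evidence about circumstances (here whether the source is available or an exploit is already public) conditions the activity nodes, and the query on the outcome node gives the likelihood the paper's model is built to estimate. With the assumed tables, making a public exploit available dominates every other factor, which is the kind of comparison the abstract describes enterprise decision makers using the model for.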

Place, publisher, year, edition, pages
2015. Vol. 58, 304-318 p.
Keyword [en]
Cyber security, Vulnerabilities, Exploits, Statistical model, Security metrics
National Category
Computer and Information Science
Identifiers
URN: urn:nbn:se:kth:diva-159347
DOI: 10.1016/j.infsof.2014.07.001
ISI: 000347022800018
Scopus ID: 2-s2.0-84914169057
OAI: oai:DiVA.org:kth-159347
DiVA: diva2:785108
Note

QC 20150202

Available from: 2015-02-02 Created: 2015-01-29 Last updated: 2017-12-05 Bibliographically approved

Open Access in DiVA

No full text

Other links

Publisher's full text
Scopus

Authority records BETA

Korman, Matus
Ekstedt, Mathias

Search in DiVA

By author/editor
Holm, Hannes
Korman, Matus
Ekstedt, Mathias
By organisation
Industrial Information and Control Systems
In the same journal
Information and Software Technology
Computer and Information Science
