The growing number of software security vulnerabilities is an ever-increasing challenge for organizations. Because security managers in industry have to operate within limited budgets, they also have to prioritize their vulnerability responses. The Common Vulnerability Scoring System (CVSS) aids in such prioritization by providing a metric for the severity of vulnerabilities. In its most prominent application, as the severity metric in the U.S. National Vulnerability Database (NVD), CVSS scores omit information pertaining to the potential exploit victims' context. Researchers and managers in industry have long understood that the severity of vulnerabilities varies greatly among different organizational contexts. Therefore, the CVSS scores provided by the NVD alone are of limited use for vulnerability prioritization in practice. Security managers could address this limitation by adding the missing context information themselves to improve the quality of their CVSS-based vulnerability prioritization. It is unclear to them, however, whether the potential improvements are worth the additional effort. We present a method that enables practitioners to estimate these improvements. Our method is of particular use to practitioners who do not have the resources to gather large amounts of empirical data, because it allows them to simulate the improvement potential using only publicly available data in the NVD and distribution models from the literature. We applied the method to a sample set of 720 vulnerability announcements from the NVD and found that adding context information significantly improved the prioritization and selection of vulnerability responses. Our findings contribute to the discourse on returns on security investment, measurement of security processes and quantitative security management.