Why Information Security is Hard - An Economic Perspective
ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Economic Analysis of the Market for Software Vulnerability Disclosure
HICSS '04 Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS'04) - Track 7 - Volume 7
Communications of the ACM - Voting systems
Optimum Identification of Worm-Infected Hosts
IPOM '08 Proceedings of the 8th IEEE international workshop on IP Operations and Management
Simulating cyber-attacks for fun and profit
Proceedings of the 2nd International Conference on Simulation Tools and Techniques
SAFECOMP '09 Proceedings of the 28th International Conference on Computer Safety, Reliability, and Security
Using security metrics coupled with predictive modeling and simulation to assess security processes
ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
Improving CVSS-based vulnerability prioritization and response with context information
ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
Vulnerability analysis for a quantitative security evaluation
ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
Security impact ratings considered harmful
HotOS'09 Proceedings of the 12th conference on Hot topics in operating systems
Ontology-based document profile for vulnerability relevancy analysis
ACS'10 Proceedings of the 10th WSEAS international conference on Applied computer science
Is open source security a myth?
Communications of the ACM
Quo vadis? a study of the evolution of input validation vulnerabilities in web applications
FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
Are markets for vulnerabilities effective?
MIS Quarterly
A large scale exploratory analysis of software vulnerability life cycles
Proceedings of the 34th International Conference on Software Engineering
A preliminary analysis of vulnerability scores for attacks in wild: the ekits and sym datasets
Proceedings of the 2012 ACM Workshop on Building analysis datasets and gathering experience returns for security
The security level of networks and systems is determined by the software vulnerabilities of their elements. Defending against large-scale attacks requires a quantitative understanding of the vulnerability lifecycle. Specifically, one has to understand how the exploitation and remediation of vulnerabilities, as well as the distribution of information about them, is handled by industry. In this paper, we examine how vulnerabilities are handled at large scale, analyzing more than 80,000 security advisories published since 1995. Based on this information, we quantify the performance of the security industry as a whole. We discover trends and discuss their implications. We quantify the gap between exploit and patch availability and provide an analytical representation of our data, which lays the foundation for further analysis and risk management.