A Bayesian network model for likelihood estimations of acquirement of critical software vulnerabilities and exploits
Affiliation: 1. INAIL Dipartimento Innovazione Tecnologica, Via Fontana Candidal; Monteporzio Catone 00078, Italy; 2. Università di Messina Dipartimento di Ingegneria, C.da di Dio, Sant’Agata, Messina 98166, Italy; 1. Bar-Ilan University, Ramat-Gan 52900, Israel; 2. Tel-Aviv Academic College of Engineering, Tel-Aviv 69988, Israel
Abstract:
Context: Software vulnerabilities in general, and software vulnerabilities with publicly available exploits in particular, are important to manage for both developers and users. This is however a difficult matter to address as time is limited and vulnerabilities are frequent.
Objective: This paper presents a Bayesian network based model that can be used by enterprise decision makers to estimate the likelihood that a professional penetration tester is able to obtain knowledge of critical vulnerabilities and exploits for these vulnerabilities for software under different circumstances.
Method: Data on the activities in the model are gathered from previous empirical studies, vulnerability databases and a survey with 58 individuals who all have been credited for the discovery of critical software vulnerabilities.
Results: The proposed model describes 13 states related by 17 activities, and a total of 33 different datasets.
Conclusion: Estimates by the model can be used to support decisions regarding what software to acquire, or what measures to invest in during software development projects.
Keywords: Cyber security; Vulnerabilities; Exploits; Statistical model; Security metrics
This article is indexed in ScienceDirect and other databases.