Patching zero-day vulnerabilities: an empirical analysis

Cited by: 12
Author
Roumani, Yaman [1]
Affiliation
[1] Oakland Univ, Dept Decis & Informat Sci, 275 Varner Dr, Rochester, MI 48309 USA
Source
JOURNAL OF CYBERSECURITY | 2021 / Vol. 7 / No. 01
Keywords
zero-day vulnerability; patch release time; survival analysis; vulnerability; attributes; SOFTWARE VENDORS; SECURITY; INFORMATION; MANAGEMENT; RELEASE; TIME; SYSTEMS; IMPACT; POLICY; RISKS;
DOI
10.1093/cybsec/tyab023
Chinese Library Classification
C [Social Sciences, General];
Subject Classification Code
03 ; 0303 ;
Abstract
Zero-day vulnerabilities remain one of the major security threats faced by organizations. Once a vendor learns about a zero-day vulnerability, releasing a timely patch becomes a priority given the risk of zero-day exploits. However, we still lack information on the factors that affect the patch release time of such vulnerabilities. The main objective of this study is to examine the impact of as-yet unexplored factors on the patch release time of zero-day vulnerabilities. Using a dataset of zero-day vulnerabilities captured between 2010 and 2020, we employ a survival analysis technique. Our model explores the impact of the vulnerability's attack vector, attack complexity, privileges required, user interaction, scope, and confidentiality, integrity, and availability impact on patch release timing. Findings show that a zero-day vulnerability is more likely to be patched on time if the vulnerability results in a scope change and affects more vendors, products, and versions. However, a zero-day vulnerability is less likely to be patched on time if it requires privileges and impacts confidentiality. Our sub-analyses also reveal how patch release times vary across different products and vulnerability types.
Pages: 13