Effect of Security Controls on Patching Window: A Causal Inference based Approach

In many organisations there are up to 15 security controls that help defenders accurately identify and prioritise information security risks. Due to the lack of clarity into the effectiveness and capabilities of these defences, and poor visibility to overall risk posture has led to a crisis of prioritisation. Lately, organisations rely on scenario based red teaming exercises which test the contribution of a security control to the security preparedness of the organisation, and testing the resilience of a control. However, these assessments don't quantify the effect of controls on the security policies already in place. Measuring this effect can help stakeholders to re-calibrate and effectively prioritise their risks. In this work, we propose a causal inference based approach to understand the influence of security control on patching behaviour in the organisations. We introduce a novel scoring function for security controls based on 6 criteria to evaluate its effectiveness. Utilising the scoring function and state of art causal inference methods we estimate the average effect (in days) of a control in patching policy of an organisation. We also assess the influence of individual control for CVE's which have high vs low CVSS scores. We validate the proposed method on observational data collected from 2000 organisations with varied asset sizes. We estimate that on an average there is a delay of 9.5 days in the patching of a CVE due to the presence of security controls on an asset. We also analyse the assumptions and algorithms with refuting methods to validate the predicted estimates and generalisation of the observed outcomes.