Yasasin, Emrah and Prester, Julian and Wagner, Gerit and Schryen, Guido (2020) Forecasting IT security vulnerabilities - An empirical analysis. COMPUTERS & SECURITY, 88: 101610. ISSN 0167-4048, 1872-6208
Full text not available from this repository.

Abstract
Today, organizations must deal with a plethora of IT security threats and to ensure smooth and uninterrupted business operations, firms are challenged to predict the volume of IT security vulnerabilities and allocate resources for fixing them. This challenge requires decision makers to assess which system or software packages are prone to vulnerabilities, how many post-release vulnerabilities can be expected to occur during a certain period of time, and what impact exploits might have. Substantial research has been dedicated to techniques that analyze source code and detect security vulnerabilities. However, only limited research has focused on forecasting security vulnerabilities that are detected and reported after the release of software. To address this shortcoming, we apply established methodologies which are capable of forecasting events exhibiting specific time series characteristics of security vulnerabilities, i.e., rareness of occurrence, volatility, non-stationarity, and seasonality. Based on a dataset taken from the National Vulnerability Database (NVD), we use the Mean Absolute Error (MAE) and Root Mean Square Error (RMSE) to measure the forecasting accuracy of single, double, and triple exponential smoothing methodologies, Croston's methodology, ARIMA, and a neural network-based approach. We analyze the impact of the applied forecasting methodology on the prediction accuracy with regard to its robustness along the dimensions of the examined system and software package "operating systems", "browsers" and "office solutions" and the applied metrics. To the best of our knowledge, this study is the first to analyze the effect of forecasting methodologies and to apply metrics that are suitable in this context. 
Our results show that the optimal forecasting methodology depends on the software or system package, as some methodologies perform poorly in the context of IT security vulnerabilities, that absolute metrics can cover the actual prediction error precisely, and that the prediction accuracy is robust within the two applied forecasting-error metrics. (C) 2019 Elsevier Ltd. All rights reserved.

| Item Type: | Article |
|---|---|
| Uncontrolled Keywords: | ABSOLUTE ERROR MAE; INTERMITTENT DEMAND; TIME-SERIES; NEURAL-NETWORK; MODELS; PREDICTION; COMBINATION; ACCURACY; IMPACT; RMSE; Security vulnerability; Prediction; Forecasting; Competition setup; Time series |
| Subjects: | 600 Technology > 650 Management & auxiliary services |
| Divisions: | Business, Economics and Information Systems > Institut für Wirtschaftsinformatik > Alumni or Retired Professors > Professur für Wirtschaftsinformatik (Prof. Dr. Guido Schryen) |
| Depositing User: | Dr. Gernot Deinzer |
| Date Deposited: | 09 Apr 2021 11:45 |
| Last Modified: | 09 Apr 2021 11:45 |
| URI: | https://pred.uni-regensburg.de/id/eprint/45560 |

