Organizations have to deal with a plethora of IT security threats nowadays. To ensure smooth and uninterrupted business operations, firms are challenged to predict the volume of IT security vulnerabilities and to allocate resources for fixing them. This challenge requires decision makers to assess which system or software packages are prone to vulnerabilities, what impact exploits might have, and how many vulnerabilities can be expected to occur during a certain period of time. The academic literature has increasingly drawn attention to the need for predicting IT security vulnerabilities. However, only limited research has addressed the problem of forecasting IT security vulnerabilities based on time series while dealing with the specific properties of IT security vulnerabilities, i.e., rareness of occurrence and high volatility. To address this shortcoming, we apply established methods which are capable of forecasting events characterized by rareness of occurrence and high volatility. Based on a dataset taken from the National Vulnerability Database (NVD), we use the Mean Absolute Error (MAE) and Root Mean Square Error (RMSE) to measure the forecasting accuracy of single, double and triple exponential smoothing methodologies, Croston's method, ARIMA, and a neural network-based approach. We analyze the impact of the applied forecasting methodology on the prediction accuracy with regard to its robustness along the dimensions of the examined system and software packages "operating systems", "browsers" and "office solutions" and the applied metrics. To the best of our knowledge, this study is the first that analyzes the effect of prediction techniques and applies forecasting metrics that are suitable in this context.
Our results show that the optimal forecasting methodology depends on the software or system package as some methods perform poorly in the context of IT security vulnerabilities, that absolute metrics can cover the actual prediction error precisely and that the prediction accuracy is robust within the two applied forecasting-error metrics.
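To make the evaluation described in the abstract above concrete, here is an added example (not code from the cited papers) that implements Croston's method and single exponential smoothing on a constructed, intermittent monthly vulnerability-count series and scores both with MAE and RMSE; the count values and the smoothing constant alpha are assumptions.

```python
# Added example: Croston's method vs. single exponential smoothing on a
# constructed monthly vulnerability-count series, scored with MAE and RMSE.
from math import sqrt

# Constructed counts for one hypothetical package: many zero months and
# sudden spikes, i.e. rare occurrence and high volatility as in the abstract.
CONSTRUCTED_COUNTS = [0, 3, 0, 0, 7, 0, 1, 0, 0, 12, 0, 2, 0, 0, 5, 0, 0, 9]

def single_exp_smoothing(series, alpha):
    """One-step-ahead forecasts: level = alpha*y + (1-alpha)*previous level."""
    level = series[0]
    forecasts = []
    for y in series:
        forecasts.append(level)          # forecast issued before observing y
        level = alpha * y + (1 - alpha) * level
    return forecasts

def croston(series, alpha):
    """Croston's method: smooth the non-zero event size z and the interval p
    between events separately; the forecast per period is z / p."""
    z = p = None
    periods_since = 0
    forecasts = []
    for y in series:
        forecasts.append(0.0 if z is None else z / p)
        periods_since += 1
        if y > 0:
            if z is None:                # first event initialises both states
                z, p = float(y), float(periods_since)
            else:
                z = alpha * y + (1 - alpha) * z
                p = alpha * periods_since + (1 - alpha) * p
            periods_since = 0
    return forecasts

def mae(actual, forecast):
    return sum(abs(a - f) for a, f in zip(actual, forecast)) / len(actual)

def rmse(actual, forecast):
    return sqrt(sum((a - f) ** 2 for a, f in zip(actual, forecast)) / len(actual))

def compare(series=CONSTRUCTED_COUNTS, alpha=0.3):
    """Return {method: (MAE, RMSE)} so both error metrics can be compared."""
    return {name: (mae(series, fc), rmse(series, fc))
            for name, fc in (("ses", single_exp_smoothing(series, alpha)),
                             ("croston", croston(series, alpha)))}

if __name__ == "__main__":
    for name, (m, r) in compare().items():
        print(f"{name:8s} MAE={m:.2f} RMSE={r:.2f}")
```

Because RMSE squares the residuals, the spike months dominate it, which is why the abstract reports both metrics side by side.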
The need to protect resources against attackers is reflected by the huge information security investments of firms worldwide. In the presence of budget constraints and a diverse set of assets to protect, organizations have to decide in which IT security measures to invest, how to evaluate those investment decisions, and how to learn from past decisions to optimize future security investment actions. While the academic literature has provided valuable insights into these issues, there is a lack of empirical contributions. To address this lack, we conduct a theory-based exploratory multiple case study. Our case study reveals that (1) firms' investments in information security are largely driven by external environmental and industry-related factors, (2) firms do not implement standardized decision processes, (3) the security process is perceived to impact the business process in a disturbing way, (4) both the implementation of evaluation processes and the application of metrics are hardly existent and (5) learning activities mainly occur on an ad-hoc basis.
The economic aspect of information security is a comparatively new discipline, so there is hardly any extensive research work. This applies in particular to measures in highly distributed systems, which have been neglected in previous research. The present paper focuses on security investments in such systems. We augment existing research on a fuzzy decision support model by defining appropriate operators in order to apply this work in practice. The proposed model includes uncertainty with respect to the impact of investments on the achieved security levels of components of the distributed system. We further develop a heuristic to solve the problem and test the heuristic experimentally. The paper concludes with a discussion and gives an outlook on future work in the context of security investments.