Proceedings of the 51st Hawaii International Conference on System Sciences 2018
DOI: 10.24251/hicss.2018.687

Estimating Software Vulnerability Counts in the Context of Cyber Risk Assessments

Abstract: Stakeholders often conduct cyber risk assessments as a first step towards understanding and managing their risks due to cyber use. Many risk assessment methods in use today include some form of vulnerability analysis. Building on prior research and combining data from several sources, this paper develops and applies a metric to estimate the proportion of latent vulnerabilities to total vulnerabilities in a software system and applies the metric to five scenarios involving software on the scale of oper…

Cited by 6 publications (2 citation statements)
References 17 publications

“…The capability-based approach is in contrast to the historically more common attack-centric approach used in cybersecurity analysis that requires one to enumerate and analyze attack possibilities. We find capability-based analysis more tractable than attack and vulnerability enumeration [42] and justify the approach on the hypothesis that the more one mitigates offensive capabilities possessed by the anticipated adversary, the more difficult it is for the adversary to compose viable attacks from remaining, unmitigated capabilities.…”
Section: Figure 1: Capability-based Representation (mentioning)
confidence: 94%
“…Since a modern vehicle can contain over 100M lines of code, aligned with a rough estimation of at least one bug per 1000 lines of code, it indicates more than 100k bugs in a modern vehicle. Moreover, in [9], T. Llanso and M. McNeil estimate that at least 1% of software vulnerabilities can be exploited, further indicating around 1k potential ways to compromise the vehicle software. Thus, due to technological advancements such as increased connectivity and the introduction of autonomous driving, incidents that require digital forensic investigations will inevitably rise to become more prevalent in the future.…”
Section: Automotive Digital Forensics (mentioning)
confidence: 99%