The Efficiency of ICT Suppliers' Product Security Incident Response Teams in Reducing the Risk of Exploitation of Vulnerabilities in the Wild

25 Pages. Posted: 10 Sep 2024

Abstract

Exploitation of vulnerabilities in digital products is among the key components of cyberattacks. Suppliers (including manufacturers and vendors) of ICT and digital products deploy various security-by-design good practices to respond to discovered vulnerabilities and minimise the cybersecurity risk for consumers and society. One such practice is the establishment of a product security incident response team (PSIRT): a dedicated team to manage vulnerabilities. There are, however, few attempts to assess the effectiveness of those practices deemed good, including the PSIRT. In this paper, we investigate the effectiveness of PSIRTs in reducing the risk of exploitation of vulnerabilities 'in the wild' (i.e. their active use in real-world cyberattacks). We propose a customised model based on a randomised matched case-control design. Our proposed model uses data from a variety of authoritative public online sources. Results show that the existence of a PSIRT within the supplier reduces the likelihood of exploitation of vulnerabilities in the wild, with an absolute risk reduction (ARR) of 17%. The study also confirms that the presence of a proof of concept for vulnerability exploitation is a significant risk factor to consider, since it alters the ARR by 10%; the type of the supplier's industry and the open-source nature of its products are relevant risk factors, yet to a lesser extent, since they alter the ARR by 3.6% and 2.2% respectively. The study concludes that cybersecurity practitioners, especially those involved with the secure development lifecycle of digital products, should consider a PSIRT as a good practice to reduce the risk of vulnerability exploitation in the wild. To further reduce the risk, we suggest coupling the PSIRT with other recognised good practices.

This study provides a useful model that researchers and practitioners can apply to assess the efficiency of other security-by-design practices deemed good at reducing the risk of exploitation of vulnerabilities in the wild.

Keywords: vulnerability exploitation, vulnerability management, product security, cybersecurity risks, incident response, security-by-design, secure development lifecycle

Suggested Citation

Radunovic, Vladimir and Veinović, Mladen and Jevremović, Aleksandar, The Efficiency of ICT Suppliers' Product Security Incident Response Teams in Reducing the Risk of Exploitation of Vulnerabilities in the Wild. Available at SSRN: https://ssrn.com/abstract=4952352 or http://dx.doi.org/10.2139/ssrn.4952352

Vladimir Radunovic (Contact Author)

DiploFoundation

Anutruf, Ground Floor
Hriereb Street
Msida, MSD 1675
Malta

HOME PAGE: http://www.diplomacy.edu

Mladen Veinović

Singidunum University

Danijelova 32
Belgrade, 11000
Serbia

Aleksandar Jevremović

Singidunum University

Danijelova 32
Belgrade, 11000
Serbia
