The Efficiency of ICT Suppliers' Product Security Incident Response Teams in Reducing the Risk of Exploitation of Vulnerabilities in the Wild
25 pages. Posted: 10 Sep 2024
Abstract
Exploitation of vulnerabilities in digital products is among the key components of cyberattacks. Suppliers (including manufacturers and vendors) of ICT and digital products deploy different security-by-design good practices to respond to discovered vulnerabilities and minimise the cybersecurity risk for consumers and society. One such practice is the establishment of a product security incident response team (PSIRT): a dedicated team to manage vulnerabilities. There are, however, few attempts to assess the effectiveness of those practices deemed good, including the PSIRT.

In this paper, we investigate the effectiveness of PSIRT in reducing the risk of exploitation of vulnerabilities 'in the wild' (i.e. their active use in real-world cyberattacks). We propose a customised model based on a randomised matched case-control design. Our proposed model uses data from a variety of authoritative public online sources. Results show that the existence of a PSIRT within the supplier reduces the likelihood of exploitation of vulnerabilities in the wild, with an absolute risk reduction (ARR) of 17%. The study also confirms that the presence of a proof of concept for vulnerability exploitation is a significant risk factor to consider, since it alters the ARR by 10%; the type of the supplier's industry and the open-source nature of its products are relevant risk factors, yet to a lesser extent, since they alter the ARR by 3.6% and 2.2% respectively.

The study concludes that cybersecurity practitioners, especially those involved with the secure development lifecycle of digital products, should consider a PSIRT as a good practice to reduce the risk of vulnerability exploitation in the wild. To further reduce the risk, we suggest coupling the PSIRT with other recognised good practices.

This study provides a useful model that researchers and practitioners can apply to assess the efficiency of other security-by-design practices deemed good in reducing the risk of exploitation of vulnerabilities in the wild.
Keywords: vulnerability exploitation, vulnerability management, product security, cybersecurity risks, incident response, security-by-design, secure development lifecycle