Article ID: iaor2017447
Volume: 47
Issue: 6
Pages: 1073-1102
Publication Date: Dec 2016
Journal: Decision Sciences
Authors: Heim Gregory R, Sen Ravi
Keywords: management, security
Enterprises experience opportunistic exploits targeted at vulnerable technology. Vulnerabilities in software-based applications, service systems, enterprise platforms, and supply chains are discovered and disclosed on an alarmingly regular basis. A necessary enterprise risk management task is identifying and patching vulnerabilities. Yet developing and deploying patches to alleviate risk and prevent damage from exploit attacks is a costly affair. Given the limited resources available, technology producers and users must set priorities for such tasks. When not overlooked, vulnerability-patching tasks are often prioritized by vulnerability disclosure date, so vulnerabilities disclosed earlier usually have patches developed and deployed earlier. We suggest that priorities should also reflect the time-dependent likelihood of an exploit being published. We analyze data on software exploits to identify factors associated with the duration between a vulnerability's discovery date and the date when an exploit becomes publicly available, a time window for patching before exploit attack levels may escalate. Actively prioritizing vulnerability patching based on the likelihood of exploit publication may help lessen losses due to exploit attacks. Technology managers might apply these insights to better estimate relative risk levels and to direct protection efforts toward vulnerabilities having a higher risk of earlier exploitation.