Title: Prioritising vulnerabilities using ANP and evaluating their optimal discovery and patch release time

Authors: Yogita Kansal; P.K. Kapur; Uday Kumar; Deepak Kumar

Addresses: Amity Institute of Information Technology, Amity University, Noida, India ' Amity Centre for Interdisciplinary Research, Amity University, Noida, India ' Luleå University of Technology, Luleå, Sweden ' Amity Institute of Information Technology, Amity University, Noida, India

Abstract: Method for filtering and identifying a vulnerability class that has high probability of occurrence is needed by organisations to patch their software in a timely manner. In this paper, our first step is to filter the most frequently observed vulnerability type/class through a multi-criteria decision making that involves dependency among various criteria and feedback from various alternatives, known as analytic network process. We will also formulate a cost model to provide a solution to the developers facing high revenue debt because of the occurrence of highly exploited vulnerabilities belonging to the filtered group. The main aim of formulating the cost model is to evaluate the optimal discovery and patch release time such that the total developer's cost could be minimised subject to risk constraints. To illustrate the proposed approach, reported vulnerabilities of Google Chrome with high exploitability have been examined at its source level.

Keywords: vulnerability; multi criteria decision making; analytical network process; optimisation; patches.

DOI: 10.1504/IJMOR.2019.097758

International Journal of Mathematics in Operational Research, 2019 Vol.14 No.2, pp.236 - 267

Received: 23 Jan 2017
Accepted: 13 Sep 2017

Published online: 07 Feb 2019 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article