DocumentCode
3548169
Title
Quantitative assessment of software vulnerabilities based on economic-driven security metrics
Author
Ghani, Hamza ; Luna, Jesus ; Suri, Neeraj
Author_Institution
Tech. Univ. Darmstadt, Darmstadt, Germany
fYear
2013
fDate
23-25 Oct. 2013
Firstpage
1
Lastpage
8
Abstract
Vulnerability exploits cost organizations large amounts of resources, mainly due to the disruption of ICT services and the resulting loss of confidentiality, integrity and availability. As security managers in industry usually have to operate with limited budgets allocated to information security, they need to prioritize their investment in response mechanisms for the existing vulnerabilities. Quantitative vulnerability assessment methods enable efficient prioritization of security efforts and investments to mitigate the discovered vulnerabilities, and thus an opportunity to lower expected losses. State-of-the-art approaches for vulnerability assessment such as the Common Vulnerability Scoring System (CVSS), the de facto standard for quantifying the severity of vulnerabilities, do not consider the economic impact of a vulnerability exploit. To this end, our paper targets the quantitative understanding of vulnerability severity, taking into account the potential economic damage a successful exploit can cause. We propose a novel approach for the systematic consideration of the relevant cost units (associated costs) in estimating the economic damage of vulnerability exploits. Our approach utilizes Multiple Criteria Decision Analysis (MCDA) methods to prioritize the existing vulnerabilities within the target system. The evaluation results show the potential cost savings with respect to the mitigation costs when using our approach. Our method supports managers and decision makers in the process of prioritizing security investments to mitigate the discovered vulnerabilities.
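The following is an added illustration of the kind of economic-driven, MCDA-based prioritization the abstract describes; it is not the paper's code or method, and the abstract does not state which cost units, weights or MCDA method the authors use. The example assumes four cost units (downtime hours x hourly cost, recovery cost, data-loss cost), an assumed exploit likelihood per vulnerability, a Simple Additive Weighting (SAW) ranking with min-max normalisation, and constructed weights and vulnerability records. It ranks the same inventory by CVSS alone and by the economic criteria, then shows which ranking avoids more expected loss under a fixed mitigation budget.

```python
"""Economic-driven vulnerability prioritization with a simple MCDA method.

Added illustration (not the paper's code): a CVSS-style severity score is
combined with an expected-damage estimate built from per-vulnerability cost
units and with the mitigation cost, and the vulnerabilities are ranked with
Simple Additive Weighting (SAW), one of the standard MCDA methods. The cost
units, weights, likelihoods and vulnerability records below are constructed
for this example and are not taken from the paper.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Vulnerability:
    name: str
    cvss: float                # CVSS base score, 0-10
    exploit_likelihood: float  # assumed probability of exploitation in the planning period
    downtime_hours: float      # cost unit: expected ICT service disruption
    cost_per_hour: float       # cost unit: revenue/productivity lost per hour of disruption
    recovery_cost: float       # cost unit: incident response and restoration effort
    data_loss_cost: float      # cost unit: notification, fines, lost records
    mitigation_cost: float     # what it costs to patch or work around the issue


def expected_damage(v: Vulnerability) -> float:
    """Expected economic loss = P(exploit) x sum of the associated cost units."""
    direct = v.downtime_hours * v.cost_per_hour + v.recovery_cost + v.data_loss_cost
    return v.exploit_likelihood * direct


# criterion -> (weight, is_benefit); the weights are assumptions and sum to 1.
# "Benefit" here means a higher value argues for fixing the vulnerability sooner.
CRITERIA: Dict[str, Tuple[float, bool]] = {
    "cvss": (0.25, True),
    "expected_damage": (0.55, True),
    "mitigation_cost": (0.20, False),  # cost criterion: cheaper fixes rank higher
}


def criterion_values(v: Vulnerability) -> Dict[str, float]:
    return {
        "cvss": v.cvss,
        "expected_damage": expected_damage(v),
        "mitigation_cost": v.mitigation_cost,
    }


def saw_scores(vulns: List[Vulnerability]) -> Dict[str, float]:
    """Simple Additive Weighting with min-max normalisation of each criterion."""
    rows = {v.name: criterion_values(v) for v in vulns}
    scores = {name: 0.0 for name in rows}
    for crit, (weight, is_benefit) in CRITERIA.items():
        column = [r[crit] for r in rows.values()]
        lo, hi = min(column), max(column)
        span = hi - lo
        for name, r in rows.items():
            if span == 0:
                norm = 1.0  # all alternatives tie on this criterion
            elif is_benefit:
                norm = (r[crit] - lo) / span
            else:
                norm = (hi - r[crit]) / span
            scores[name] += weight * norm
    return scores


def rank_by_cvss(vulns: List[Vulnerability]) -> List[str]:
    """Baseline: severity only, as a CVSS-driven patch queue would order things."""
    return [v.name for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def rank_by_saw(vulns: List[Vulnerability]) -> List[str]:
    scores = saw_scores(vulns)
    return sorted(scores, key=scores.get, reverse=True)


def avoided_loss_under_budget(vulns: List[Vulnerability], order: List[str], budget: float) -> float:
    """Walk the ranked list, fix what the remaining budget allows, sum the expected loss avoided."""
    by_name = {v.name: v for v in vulns}
    remaining, avoided = budget, 0.0
    for name in order:
        v = by_name[name]
        if v.mitigation_cost <= remaining:
            remaining -= v.mitigation_cost
            avoided += expected_damage(v)
    return avoided


# Constructed sample inventory (not from the paper).
SAMPLE: List[Vulnerability] = [
    Vulnerability("dev-server-rce", 9.8, 0.3, 2, 200, 2000, 0, 500),
    Vulnerability("customer-db-sqli", 6.5, 0.5, 24, 5000, 20000, 150000, 8000),
    Vulnerability("public-web-dos", 7.5, 0.6, 8, 3000, 5000, 0, 1500),
]

if __name__ == "__main__":
    budget = 9000
    for label, order in (("CVSS only", rank_by_cvss(SAMPLE)), ("economic SAW", rank_by_saw(SAMPLE))):
        avoided = avoided_loss_under_budget(SAMPLE, order, budget)
        print(f"{label:12s} order={order} avoided_loss@{budget}={avoided:.0f}")
```

With the constructed data the CVSS-only queue fixes the two cheap, high-scoring issues and leaves the SQL injection unfunded, while the economic ranking funds it first. Two caveats a practitioner should carry over: min-max normalisation lets one extreme expected-damage value compress the others, so the weights deserve a sensitivity check before the ranking is trusted, and the exploit likelihoods and cost units are the hard part of the method, not the arithmetic.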
Keywords
security of data; software metrics; CVSS; ICT services; MCDA methods; common vulnerability scoring system; economic-driven security metrics; information security; multiple criteria decision analysis method; quantitative security vulnerability assessment methods; software vulnerabilities; Forensics; IP networks; Measurement; Personnel; Security; MCDA; security quantification; vulnerability assessment
fLanguage
English
Publisher
ieee
Conference_Titel
Risks and Security of Internet and Systems (CRiSIS), 2013 International Conference on
Conference_Location
La Rochelle
Type
conf
DOI
10.1109/CRiSIS.2013.6766361
Filename
6766361
Link To Document