The Work‐Averse Cyberattacker Model: Theory and Evidence from Two Million Attack Signatures
Author(s) -
Allodi Luca,
Massacci Fabio,
Williams Julian
Publication year - 2022
Publication title -
Risk Analysis
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.972
H-Index - 130
eISSN - 1539-6924
pISSN - 0272-4332
DOI - 10.1111/risa.13732
Subject(s) - exploit , vulnerability (computing) , computer security , offensive , computer science , vulnerability management , software deployment , set (abstract data type) , security bug , work (physics) , risk analysis (engineering) , vulnerability assessment , information security , operations research , software security assurance , business , engineering , software engineering , security service , psychology , psychological resilience , psychotherapist , programming language , mechanical engineering
The assumption that a cyberattacker will potentially exploit every vulnerability present drives most modern cyber risk management practices and the corresponding security investments. We propose a new attacker model, based on dynamic optimization, in which large, initial, fixed costs of exploit development induce attackers to delay the implementation and deployment of exploits for vulnerabilities. The theoretical model predicts that mass attackers will preferably (i) exploit only one vulnerability per software version, (ii) largely include only vulnerabilities requiring low attack complexity, and (iii) be slow at trying to weaponize new vulnerabilities. These predictions are empirically validated on a large data set of observed mass attacks launched against a large collection of information systems. The findings in this article allow cyber risk managers to better concentrate their vulnerability management efforts, and set a new theoretical and empirical basis for further research defining attacker (offensive) processes.
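The abstract only states the mechanism (a large fixed cost of exploit development that a rational attacker weighs against the marginal hosts an exploit would add) and the three predictions it yields; the paper's actual model and parameters are not on this page. The following is an added toy illustration written for this page, not the authors' model or code: an attacker picks, for each candidate vulnerability, the period in which to start development so as to maximize discounted net value. All parameters (fixed cost, cost decay as public information accumulates, marginal hosts, patch rate, revenue per host, discount factor, horizon) are constructed assumptions, as are the three option names.

```python
"""Toy dynamic-optimization view of exploit development under a fixed cost.

Added illustration for the abstract above; NOT the paper's model. Every
number below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ExploitOption:
    """A vulnerability the attacker could weaponize (constructed parameters)."""
    name: str
    fixed_cost: float        # one-off cost of building a working exploit today
    cost_decay: float        # per-period drop in that cost (write-ups, PoCs appear)
    marginal_hosts: float    # hosts/period this exploit adds beyond the current kit
    patch_rate: float        # per-period fraction of those hosts that get patched
    revenue_per_host: float  # value extracted per compromised host


def development_value(opt: ExploitOption, start: int, horizon: int, discount: float) -> float:
    """Discounted net value of starting development in period `start`.

    The fixed cost is paid once, at `start`, at its (decayed) level for that
    period; revenue is earned only from `start` onward and shrinks as the
    vulnerable population is patched.
    """
    cost_at_start = opt.fixed_cost * (1.0 - opt.cost_decay) ** start
    value = -(discount ** start) * cost_at_start
    for t in range(start, horizon):
        hosts = opt.marginal_hosts * (1.0 - opt.patch_rate) ** t
        value += (discount ** t) * hosts * opt.revenue_per_host
    return value


def best_start(opt: ExploitOption, horizon: int = 24, discount: float = 0.95) -> Tuple[Optional[int], float]:
    """Period that maximizes net value, or (None, 0.0) if building never pays."""
    best_t: Optional[int] = None
    best_v = 0.0
    for start in range(horizon):
        v = development_value(opt, start, horizon, discount)
        if v > best_v:
            best_t, best_v = start, v
    return best_t, best_v


# Three constructed candidates, all assumed hypothetical.
# (i)  A second bug in a version the attacker's existing exploit already covers:
#      almost no marginal hosts, so the fixed cost is never recovered.
SECOND_VULN_SAME_VERSION = ExploitOption(
    "second vuln, version already covered", 10_000, 0.00, 50, 0.10, 10)
# (ii) A high-complexity bug in an uncovered version: large fixed cost that
#      barely falls over time, so it is never worth building either.
HIGH_COMPLEXITY_NEW_VERSION = ExploitOption(
    "high-complexity vuln, uncovered version", 30_000, 0.05, 200, 0.10, 10)
# (iii) A low-complexity bug in an uncovered version whose development cost
#      falls as public material accumulates: built, but not immediately.
LOW_COMPLEXITY_NEW_VERSION = ExploitOption(
    "low-complexity vuln, uncovered version", 10_000, 0.20, 200, 0.10, 10)


def attacker_plan() -> Dict[str, Tuple[Optional[int], float]]:
    """Optimal start period and value for each candidate."""
    return {opt.name: best_start(opt)
            for opt in (SECOND_VULN_SAME_VERSION,
                        HIGH_COMPLEXITY_NEW_VERSION,
                        LOW_COMPLEXITY_NEW_VERSION)}


if __name__ == "__main__":
    for name, (start, value) in attacker_plan().items():
        if start is None:
            print(f"{name}: never developed")
        else:
            print(f"{name}: develop in period {start}, net value {value:,.0f}")
```

Under these constructed numbers the first two candidates are never developed and the third is developed only in period 2 rather than period 0, reproducing the qualitative shape of the three predictions: one exploit per version, low-complexity bugs only, and a lag before weaponization. The lag arises here because waiting lowers the fixed cost faster than it erodes the remaining vulnerable population; change the patch rate or cost decay and the optimal delay moves accordingly.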