{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,11]],"date-time":"2026-07-11T17:04:26Z","timestamp":1783789466149,"version":"3.55.0"},"reference-count":26,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2020,9,14]],"date-time":"2020-09-14T00:00:00Z","timestamp":1600041600000},"content-version":"vor","delay-in-days":257,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020,1,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Despite significant innovations in IT security products and research over the past 20\u2009years, the information security field is still immature and struggling. Practitioners lack the ability to properly assess cyber risk, and decision-makers continue to be paralyzed by vulnerability scanners that overload their staff with mountains of scan results. In order to cope, firms prioritize vulnerability remediation using crude heuristics and limited data, though they are still too often breached by known vulnerabilities for which patches have existed for months or years. And so, the key challenge firms face is trying to identify a remediation strategy that best balances two competing forces. On one hand, it could attempt to patch all vulnerabilities on its network. While this would provide the greatest \u2018coverage\u2019 of vulnerabilities patched, it would inefficiently consume resources by fixing low-risk vulnerabilities. On the other hand, patching a few high-risk vulnerabilities would be highly \u2018efficient\u2019, but may leave the firm exposed to many other high-risk vulnerabilities. Using a large collection of multiple datasets together with machine learning techniques, we construct a series of vulnerability remediation strategies and compare how each perform in regard to trading off coverage and efficiency. We expand and improve upon the small body of literature that uses predictions of \u2018published exploits\u2019, by instead using \u2018exploits in the wild\u2019 as our outcome variable. We implement the machine learning models by classifying vulnerabilities according to high- and low-risk, where we consider high-risk vulnerabilities to be those that have been exploited in actual firm networks.<\/jats:p>","DOI":"10.1093\/cybsec\/tyaa015","type":"journal-article","created":{"date-parts":[[2020,9,14]],"date-time":"2020-09-14T16:24:18Z","timestamp":1600100658000},"source":"Crossref","is-referenced-by-count":84,"title":["Improving vulnerability remediation through better exploit prediction"],"prefix":"10.1093","volume":"6","author":[{"given":"Jay","family":"Jacobs","sequence":"first","affiliation":[{"name":"Cyentia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Sasha","family":"Romanosky","sequence":"additional","affiliation":[{"name":"RAND Corporation"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Idris","family":"Adjerid","sequence":"additional","affiliation":[{"name":"Virginia Tech"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Wade","family":"Baker","sequence":"additional","affiliation":[{"name":"Virginia Tech"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"286","published-online":{"date-parts":[[2020,9,14]]},"reference":[{"key":"2020091412240844400_tyaa015-B1","doi-asserted-by":"crossref","first-page":"462","DOI":"10.1287\/ijoc.2014.0638","article-title":"Optimal policies for security patch management","volume":"27","author":"Dey","year":"2015","journal-title":"INFORMS J Comput"},{"key":"2020091412240844400_tyaa015-B2","first-page":"233","article-title":"Timing the application of security patches for optimal uptime","volume":"2","author":"Beattie","year":"2002","journal-title":"In LISA"},{"key":"2020091412240844400_tyaa015-B3","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/2630069","article-title":"Comparing vulnerability severity and exploits using case-control studies","volume":"17","author":"Allodi","year":"2014","journal-title":"ACM Trans Informat Syst Security"},{"key":"2020091412240844400_tyaa015-B4","author":"Mehran","year":"2010"},{"key":"2020091412240844400_tyaa015-B5","first-page":"1041","author":"Sabottke","year":"2015"},{"key":"2020091412240844400_tyaa015-B6","doi-asserted-by":"crossref","first-page":"726","DOI":"10.1287\/mnsc.1040.0357","article-title":"Market for software vulnerabilities? Think again","volume":"51","author":"Kannan","year":"2005","journal-title":"Manag Sci"},{"key":"2020091412240844400_tyaa015-B7","doi-asserted-by":"crossref","first-page":"43","DOI":"10.2307\/41410405","article-title":"Are markets for vulnerabilities effective?","volume":"36","author":"Ransbotham","year":"2012","journal-title":"Mis Quart"},{"key":"2020091412240844400_tyaa015-B8","doi-asserted-by":"crossref","first-page":"171","DOI":"10.1109\/TSE.2007.26","article-title":"Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge","volume":"33","author":"Cavusoglu","year":"2007","journal-title":"IEEE Trans Software Eng"},{"key":"2020091412240844400_tyaa015-B9","doi-asserted-by":"crossref","first-page":"642","DOI":"10.1287\/mnsc.1070.0771","article-title":"Optimal policy for software vulnerability disclosure","volume":"54","author":"Arora","year":"2008","journal-title":"Manag Sci"},{"key":"2020091412240844400_tyaa015-B10","doi-asserted-by":"crossref","DOI":"10.1287\/mnsc.2018.3153","article-title":"Market segmentation and software security: pricing patching rights","author":"August","year":"2019","journal-title":"Manag Sci"},{"key":"2020091412240844400_tyaa015-B11","doi-asserted-by":"crossref","first-page":"934","DOI":"10.1287\/mnsc.1100.1304","article-title":"Who should be responsible for software security? A comparative analysis of liability policies in network environments","volume":"57","author":"August","year":"2011","journal-title":"Manag Sci"},{"key":"2020091412240844400_tyaa015-B12","doi-asserted-by":"crossref","first-page":"657","DOI":"10.1287\/mnsc.1070.0794","article-title":"Security patch management: share the burden or share the damage?","volume":"54","author":"Cavusoglu","year":"2008","journal-title":"Manag Sci"},{"key":"2020091412240844400_tyaa015-B13","first-page":"13","author":"M\u00fcnz","year":"2007"},{"key":"2020091412240844400_tyaa015-B14","doi-asserted-by":"crossref","first-page":"219","DOI":"10.1145\/1030194.1015492","article-title":"Diagnosing network-wide traffic anomalies","volume":"34","author":"Lakhina","year":"2004","journal-title":"ACM SIGCOMM Computer Commun Rev"},{"key":"2020091412240844400_tyaa015-B15","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1016\/j.cose.2008.08.003","article-title":"Anomaly-based network intrusion detection: techniques, systems and challenges","volume":"28","author":"Garcia-Teodoro","year":"2009","journal-title":"Computers & Security"},{"key":"2020091412240844400_tyaa015-B16","first-page":"1","author":"MICHEL","year":"2015"},{"key":"2020091412240844400_tyaa015-B17","author":"Bullough","year":"2017"},{"key":"2020091412240844400_tyaa015-B18","first-page":"1","author":"Rose","year":"2010"},{"key":"2020091412240844400_tyaa015-B19","author":"NIST","year":"2012"},{"key":"2020091412240844400_tyaa015-B20","author":"Chen","year":"2016"},{"key":"2020091412240844400_tyaa015-B21","doi-asserted-by":"crossref","first-page":"1189","DOI":"10.1214\/aos\/1013203451","article-title":"Greedy function approximation: a gradient boosting machine","author":"Friedman","year":"2001","journal-title":"Annals Stat"},{"key":"2020091412240844400_tyaa015-B22","author":"Kubat","year":"2000"},{"key":"2020091412240844400_tyaa015-B23","author":"Chinchor","year":"1992"},{"key":"2020091412240844400_tyaa015-B24","author":"PCI","year":"2018"},{"key":"2020091412240844400_tyaa015-B25","author":"Metcalf","year":"2019"},{"key":"2020091412240844400_tyaa015-B26","author":"Romanosky","year":"2019"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/6\/1\/tyaa015\/33746021\/tyaa015.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/6\/1\/tyaa015\/33746021\/tyaa015.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,9,14]],"date-time":"2020-09-14T16:24:23Z","timestamp":1600100663000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyaa015\/5905457"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,1,1]]},"references-count":26,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2020,1,1]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyaa015","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2020]]},"published":{"date-parts":[[2020,1,1]]},"article-number":"tyaa015"}}