{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,3]],"date-time":"2025-11-03T13:31:56Z","timestamp":1762176716336,"version":"3.41.2"},"reference-count":27,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2012,6,1]],"date-time":"2012-06-01T00:00:00Z","timestamp":1338508800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2012,6,1]]},"abstract":"Purpose<\/jats:title>The purpose of this paper is to identify the importance of the factors that influence the success rate of remote arbitrary code execution attacks. In other words, attacks which use software vulnerabilities to execute the attacker's own code on targeted machines. Both attacks against servers and attacks against clients are studied.<\/jats:p><\/jats:sec>Design\/methodology\/approach<\/jats:title>The success rates of attacks are assessed for 24 scenarios: 16 scenarios for server\u2010side attacks and eight for client\u2010side attacks. The assessment is made through domain experts and is synthesized using Cooke's classical method, an established method for weighting experts' judgments. The variables included in the study were selected based on the literature, a pilot study, and interviews with domain experts.<\/jats:p><\/jats:sec>Findings<\/jats:title>Depending on the scenario in question, the expected success rate varies between 15 and 67 percent for server\u2010side attacks and between 43 and 67 percent for client\u2010side attacks. Based on these scenarios, the influence of different protective measures is identified.<\/jats:p><\/jats:sec>Practical implications<\/jats:title>The results of this study offer guidance to decision makers on how to best secure their assets against remote code execution attacks. These results also indicate the overall risk posed by this type of attack.<\/jats:p><\/jats:sec>Originality\/value<\/jats:title>Attacks that use software vulnerabilities to execute code on targeted machines are common and pose a serious risk to most enterprises. However, there are no quantitative data on how difficult such attacks are to execute or on how effective security measures are against them. The paper provides such data using a structured technique to combine expert judgments.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685221211235625","type":"journal-article","created":{"date-parts":[[2014,1,23]],"date-time":"2014-01-23T11:06:51Z","timestamp":1390475211000},"page":"107-122","source":"Crossref","is-referenced-by-count":13,"title":["Estimates of success rates of remote arbitrary code execution attacks"],"prefix":"10.1108","volume":"20","author":[{"given":"Teodor","family":"Sommestad","sequence":"first","affiliation":[]},{"given":"Hannes","family":"Holm","sequence":"additional","affiliation":[]},{"given":"Mathias","family":"Ekstedt","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2022021720143929900_b1","doi-asserted-by":"crossref","unstructured":"Abdolmohammadi, M.J. and Shanteau, J. (1992), \u201cPersonal attributes of expert auditors\u201d, Organizational Behavior and Human Decision Processes, Vol. 53 No. 2, pp. 158\u201072.","DOI":"10.1016\/0749-5978(92)90060-K"},{"key":"key2022021720143929900_b2","unstructured":"Ashton, A.H. (1985), \u201cDoes consensus imply accuracy in accounting studies of decision making?\u201d, The Accounting Review, Vol. 60 No. 2, pp. 173\u201085."},{"key":"key2022021720143929900_b3","doi-asserted-by":"crossref","unstructured":"Bolger, F. and Wright, G. (1994), \u201cAssessing the quality of expert judgment: issues and analysis\u201d, Decision Support Systems, Vol. 11 No. 1, pp. 1\u201024.","DOI":"10.1016\/0167-9236(94)90061-2"},{"key":"key2022021720143929900_b4","doi-asserted-by":"crossref","unstructured":"Cavusgil, S.T. and Elvey\u2010Kirk, L.A. (1998), \u201cMail survey response behavior: a conceptualization of motivating factors and an empirical study\u201d, European Journal of Marketing, Vol. 32 Nos 11\/12, pp. 1165\u201092.","DOI":"10.1108\/03090569810243776"},{"key":"key2022021720143929900_b5","doi-asserted-by":"crossref","unstructured":"Clemen, R.T. and Winkler, R.L. (1999), \u201cCombining probability distributions from experts in risk analysis\u201d, Risk Analysis, Vol. 19 No. 187, pp. 187\u2010204.","DOI":"10.1111\/j.1539-6924.1999.tb00399.x"},{"key":"key2022021720143929900_b7","doi-asserted-by":"crossref","unstructured":"Cooke, R.M. (1991), Experts in Uncertainty: Opinion and Subjective Probability in Science, Oxford University Press, Oxford.","DOI":"10.1093\/oso\/9780195064650.001.0001"},{"key":"key2022021720143929900_b6","doi-asserted-by":"crossref","unstructured":"Cooke, R.M. (2008), \u201cTU Delft expert judgment data base\u201d, Reliability Engineering & System Safety, Vol. 93 No. 5, pp. 657\u201074.","DOI":"10.1016\/j.ress.2007.03.005"},{"key":"key2022021720143929900_b8","doi-asserted-by":"crossref","unstructured":"Cooke, R.M. and Goossens, L. (2004), \u201cExpert judgement elicitation for risk assessments of critical infrastructures\u201d, Journal of Risk Research, Vol. 7 No. 6, pp. 643\u201056.","DOI":"10.1080\/1366987042000192237"},{"key":"key2022021720143929900_b9","unstructured":"Cowan, C., Wagle, P., Pu, C., Beattie, S. and Walpole, J. (2003), \u201cBuffer overflows: attacks and defenses for the vulnerability of the decade\u201d, Foundations of Intrusion Tolerant Systems, 2003 Organically Assured and Survivable Information Systems, pp. 227\u201037."},{"key":"key2022021720143929900_b10","doi-asserted-by":"crossref","unstructured":"Cronbach, L.J. (1951), \u201cCoefficient alpha and the internal structure of tests\u201d, Psychometrika, Vol. 16 No. 3, pp. 297\u2010334.","DOI":"10.1007\/BF02310555"},{"key":"key2022021720143929900_b11","doi-asserted-by":"crossref","unstructured":"Cronbach, L.J. and Shavelson, R.J. (2004), \u201cMy current thoughts on coefficient alpha and successor procedures\u201d, Educational and Psychological Measurement, Vol. 64 No. 3, pp. 391\u2010418.","DOI":"10.1177\/0013164404266386"},{"key":"key2022021720143929900_b12","unstructured":"Elsevier B.V. (2011), Scopus, available at: www.scopus.com\/."},{"key":"key2022021720143929900_b13","doi-asserted-by":"crossref","unstructured":"Fink, A., Kosecoff, J., Chassin, M. and Brook, R.H. (1984), \u201cConsensus methods: characteristics and guidelines for use\u201d, American Journal of Public Health, Vol. 74 No. 9, pp. 979\u201083.","DOI":"10.2105\/AJPH.74.9.979"},{"key":"key2022021720143929900_b14","doi-asserted-by":"crossref","unstructured":"Garthwaite, P.H., Kadane, J.B. and O'Hagan, A. (2005), \u201cStatistical methods for eliciting probability distributions\u201d, Journal of the American Statistical Association, Vol. 100 No. 470, pp. 680\u2010701.","DOI":"10.1198\/016214505000000105"},{"key":"key2022021720143929900_b15","unstructured":"Holm, H., Sommestad, T., Franke, U. and Ekstedt, M. (2011), \u201cExpert assessment on the probability of successful remote code execution attacks\u201d, Proceedings of 8th International Workshop on Security in Information Systems \u2013 WOSIS 2011, Beijing."},{"key":"key2022021720143929900_b16","unstructured":"Homer, J., Manhattan, K., Ou, X. and Schmidt, D. (2010), \u201cA sound and practical approach to quantifying security risk in enterprise networks\u201d, Technical Report, Kansas State University, Computing and Information Sciences Department, August 2009."},{"key":"key2022021720143929900_b17","doi-asserted-by":"crossref","unstructured":"Mell, P., Scarfone, K. and Romanosky, S. (2007), A Complete Guide to the Common Vulnerability Scoring System Version 2.0, System, June, pp. 1\u201023.","DOI":"10.1049\/iet-ifs:20060055"},{"key":"key2022021720143929900_b18","unstructured":"NIST CSRC (2011), \u201cNational vulnerability database\u201d, U.S.D. of C., NIST Computer Security Resource Center, available at: www.nvd.nist.org (accessed 28 April)."},{"key":"key2022021720143929900_b19","doi-asserted-by":"crossref","unstructured":"Patsos, D., Mitropoulos, S. and Douligeris, C. (2010), \u201cExpanding topological vulnerability analysis to intrusion detection through the incident response intelligence system\u201d, Information Management & Computer Security, Vol. 18 No. 4, pp. 291\u2010309.","DOI":"10.1108\/09685221011079207"},{"key":"key2022021720143929900_b20","doi-asserted-by":"crossref","unstructured":"Ryan, J.J.C.H., Mazzuchi, T.A., Ryan, D.J., Lopez de la Cruz, J. and Cooke, R. (2012), \u201cQuantifying information security risks using expert judgment elicitation\u201d, Computers & Operations Research, Vol. 39 No. 4, pp. 774\u201084.","DOI":"10.1016\/j.cor.2010.11.013"},{"key":"key2022021720143929900_b21","doi-asserted-by":"crossref","unstructured":"Sawilla, R. and Ou, X. (2008), \u201cIdentifying critical attack assets in dependency attack graphs\u201d, Processing of the 13th European Symposium on Research in Computer Security (ESORICS), Springer, New York, NY, pp. 18\u201034.","DOI":"10.1007\/978-3-540-88313-5_2"},{"key":"key2022021720143929900_b22","doi-asserted-by":"crossref","unstructured":"Scarfone, K. and Mell, P. (2007), Guide to Intrusion Detection and Prevention Systems, NIST Special Publication 800\u201094, NIST, Gaithersburg, MD.","DOI":"10.6028\/NIST.SP.800-94"},{"key":"key2022021720143929900_b23","doi-asserted-by":"crossref","unstructured":"Shacham, H., Page, M., Pfaff, B. and Goh, E. (2004), \u201cOn the effectiveness of address\u2010space randomization\u201d, ACM Conference on Computer and Communications Security, ACM Press, New York, NY, p. 298.","DOI":"10.1145\/1030083.1030124"},{"key":"key2022021720143929900_b25","doi-asserted-by":"crossref","unstructured":"Sommestad, T., Ekstedt, M. and Johnson, P. (2010), \u201cA probabilistic relational model for security risk analysis\u201d, Computers & Security, Vol. 29 No. 6, pp. 659\u201079.","DOI":"10.1016\/j.cose.2010.02.002"},{"key":"key2022021720143929900_b24","doi-asserted-by":"crossref","unstructured":"Weiss, D.J. and Shanteau, J. (2003), \u201cEmpirical assessment of expertise\u201d, Human Factors: The Journal of the Human Factors and Ergonomics Society, Vol. 45 No. 1, p. 104.","DOI":"10.1518\/hfes.45.1.104.27233"},{"key":"key2022021720143929900_b26","unstructured":"Wilander, J. and Kamkar, M. (2003), \u201cA comparison of publicly available tools for dynamic buffer overflow prevention\u201d, Proceedings of the 10th Network and Distributed System Security Symposium, San Diego, CA, pp. 149\u201062."},{"key":"key2022021720143929900_b27","unstructured":"Younan, Y. (2008), \u201cEfficient countermeasures for software vulnerabilities due to memory management errors\u201d, PhD thesis, Katholieke Universiteit Leuven, Leuven."}],"container-title":["Information Management & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685221211235625","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685221211235625\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685221211235625\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:24Z","timestamp":1753402164000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/20\/2\/107-122\/179736"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2012,6,1]]},"references-count":27,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2012,6,1]]}},"alternative-id":["10.1108\/09685221211235625"],"URL":"https:\/\/doi.org\/10.1108\/09685221211235625","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2012,6,1]]}}}