{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,4]],"date-time":"2026-03-04T16:32:18Z","timestamp":1772641938705,"version":"3.50.1"},"reference-count":30,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2018,6,12]],"date-time":"2018-06-12T00:00:00Z","timestamp":1528761600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000183","name":"Army Research Office","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100000183","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/100014036","name":"MURI","doi-asserted-by":"crossref","award":["W911NF-13-1-0421"],"award-info":[{"award-number":["W911NF-13-1-0421"]}],"id":[{"id":"10.13039\/100014036","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2018,11,30]]},"abstract":"Vulnerability remediation is a critical task in operational software and network security management. In this article, an effective vulnerability management strategy, called VULCON (VULnerability CONtrol), is developed and evaluated. The strategy is based on two fundamental performance metrics: (1) time-to-vulnerability remediation (TVR) and (2) total vulnerability exposure (TVE). VULCON takes as input real vulnerability scan reports, metadata about the discovered vulnerabilities, asset criticality, and personnel resources. VULCON uses a mixed-integer multiobjective optimization algorithm to prioritize vulnerabilities for patching, such that the above performance metrics are optimized subject to the given resource constraints. VULCON has been tested on multiple months of real scan data from a cyber-security operations center (CSOC). Results indicate an overall TVE reduction of 8.97% when VULCON optimizes a realistic security analyst workforce\u2019s effort. Additionally, VULCON demonstrates that it can determine monthly resources required to maintain a target TVE score. As such, VULCON provides valuable operational guidance for improving vulnerability response processes in CSOCs.<\/jats:p>","DOI":"10.1145\/3196884","type":"journal-article","created":{"date-parts":[[2018,6,15]],"date-time":"2018-06-15T14:14:38Z","timestamp":1529072078000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":61,"title":["VULCON"],"prefix":"10.1145","volume":"21","author":[{"given":"Katheryn A.","family":"Farris","sequence":"first","affiliation":[{"name":"Dartmouth College"}]},{"given":"Ankit","family":"Shah","sequence":"additional","affiliation":[{"name":"George Mason University, Fairfax, VA"}]},{"given":"George","family":"Cybenko","sequence":"additional","affiliation":[{"name":"Dartmouth College"}]},{"given":"Rajesh","family":"Ganesan","sequence":"additional","affiliation":[{"name":"George Mason University, Fairfax, VA"}]},{"given":"Sushil","family":"Jajodia","sequence":"additional","affiliation":[{"name":"George Mason University, Fairfax, VA"}]}],"member":"320","published-online":{"date-parts":[[2018,6,12]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"Accessed","year":"2017","unstructured":"2017. Microsoft Exploitability Index . Accessed September 29, 2017 . Retrieved from https:\/\/technet.microsoft.com\/en-us\/security\/cc998259. 2017. Microsoft Exploitability Index. Accessed September 29, 2017. Retrieved from https:\/\/technet.microsoft.com\/en-us\/security\/cc998259."},{"key":"e_1_2_1_2_1","volume-title":"Accessed","year":"2017","unstructured":"2017. Symantec Threat Severity Assessment . Accessed September 29, 2017 . Retrieved from https:\/\/www.symantec.com\/security_response\/severityassessment.jsp. 2017. Symantec Threat Severity Assessment. Accessed September 29, 2017. Retrieved from https:\/\/www.symantec.com\/security_response\/severityassessment.jsp."},{"key":"e_1_2_1_3_1","volume-title":"Accessed","year":"2017","unstructured":"2017. Tenable Network Security . Accessed September 29, 2017 . Retrieved from https:\/\/www.tenable.com\/blog\/new-nessus-feature-added-csv-export. 2017. Tenable Network Security. Accessed September 29, 2017. Retrieved from https:\/\/www.tenable.com\/blog\/new-nessus-feature-added-csv-export."},{"key":"e_1_2_1_4_1","volume-title":"Accessed","year":"2018","unstructured":"2018. Creating a Patch and Vulnerability Management Program, Recommendations of the National Institute of Standards and Technology (NIST) . Accessed March 21, 2018 . Retrieved from https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-40ver2.pdf. 2018. Creating a Patch and Vulnerability Management Program, Recommendations of the National Institute of Standards and Technology (NIST). Accessed March 21, 2018. Retrieved from https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-40ver2.pdf."},{"key":"e_1_2_1_5_1","volume-title":"Accessed","year":"2018","unstructured":"2018. Payment Card Industry (PCI) Data Security Standard . Accessed March 21, 2018 . Retrieved from https:\/\/www.pcisecuritystandards.org\/documents\/PCI_DSS_v3-2.pdf?agreement=true&time===1521778935419. 2018. Payment Card Industry (PCI) Data Security Standard. Accessed March 21, 2018. Retrieved from https:\/\/www.pcisecuritystandards.org\/documents\/PCI_DSS_v3-2.pdf?agreement=true&time===1521778935419."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1080\/00224065.2014.11917967"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1080\/08982112.2015.1125926"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2630069"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ejor.2013.09.040"},{"key":"e_1_2_1_10_1","volume-title":"An integrated systemic model for optimization of condition-based maintenance with human error. Reliability Engineering 8 System Safety 124","author":"Asadzadeh Seyed Mohammad","year":"2014","unstructured":"Seyed Mohammad Asadzadeh and Ali Azadeh . 2014. An integrated systemic model for optimization of condition-based maintenance with human error. Reliability Engineering 8 System Safety 124 ( 2014 ), 117--131. Seyed Mohammad Asadzadeh and Ali Azadeh. 2014. An integrated systemic model for optimization of condition-based maintenance with human error. Reliability Engineering 8 System Safety 124 (2014), 117--131."},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1057\/gpp.2014.19"},{"key":"e_1_2_1_12_1","unstructured":"Jean Camp Lorrie Cranor Nick Feamster Joan Feigenbaum Stephanie Forrest David Kotz Wenke Lee Patrick Lincoln Vern Paxson Mike Reiter Ron Rivest William Sanders Stefan Savage Sean Smith Eugene Stafford and Sal Stolfo. 2009. Data for cybersecurity research: Process and \u201cWish List\u201d. Retrieved from http:\/\/www.ljean.com\/files\/data-wishlist.pdf. Jean Camp Lorrie Cranor Nick Feamster Joan Feigenbaum Stephanie Forrest David Kotz Wenke Lee Patrick Lincoln Vern Paxson Mike Reiter Ron Rivest William Sanders Stefan Savage Sean Smith Eugene Stafford and Sal Stolfo. 2009. Data for cybersecurity research: Process and \u201cWish List\u201d. Retrieved from http:\/\/www.ljean.com\/files\/data-wishlist.pdf."},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1287\/mnsc.1070.0794"},{"key":"e_1_2_1_14_1","volume-title":"Arnold Johnson, Ronald Johnston, Alicia Clay Jones, Angela Orebaugh, Matthew Scholl, and Kevin Stine.","author":"Dempsey Kelley","year":"2012","unstructured":"Kelley Dempsey , Nirali Shah Chawla , Arnold Johnson, Ronald Johnston, Alicia Clay Jones, Angela Orebaugh, Matthew Scholl, and Kevin Stine. 2012 . Information security continuous monitoring (ISCM) for federal information systems and organizations. CreateSpace Independent Publishing Platform , National Institute of Standards and Technology Special Publication 800-137. Kelley Dempsey, Nirali Shah Chawla, Arnold Johnson, Ronald Johnston, Alicia Clay Jones, Angela Orebaugh, Matthew Scholl, and Kevin Stine. 2012. Information security continuous monitoring (ISCM) for federal information systems and organizations. CreateSpace Independent Publishing Platform, National Institute of Standards and Technology Special Publication 800-137."},{"key":"e_1_2_1_15_1","volume-title":"USENIX Security Symposium. 523--538","author":"Doup\u00e9 Adam","year":"2012","unstructured":"Adam Doup\u00e9 , Ludovico Cavedon , Christopher Kruegel , and Giovanni Vigna . 2012 . Enemy of the state: A state-aware black-box web vulnerability scanner . In USENIX Security Symposium. 523--538 . Adam Doup\u00e9, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna. 2012. Enemy of the state: A state-aware black-box web vulnerability scanner. In USENIX Security Symposium. 523--538."},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/1978672.1978683"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2914795"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/2882969"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.annemergmed.2010.08.001"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2012.66"},{"key":"e_1_2_1_21_1","volume-title":"A quantitative evaluation of vulnerability scanning. Information Management 8 Computer Security 19, 4","author":"Holm Hannes","year":"2011","unstructured":"Hannes Holm , Teodor Sommestad , Jonas Almroth , and Mats Persson . 2011. A quantitative evaluation of vulnerability scanning. Information Management 8 Computer Security 19, 4 ( 2011 ), 231--247. Hannes Holm, Teodor Sommestad, Jonas Almroth, and Mats Persson. 2011. A quantitative evaluation of vulnerability scanning. Information Management 8 Computer Security 19, 4 (2011), 231--247."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.annemergmed.2009.07.023"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1016\/0305-0548(83)90003-5"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijpe.2013.10.005"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2009.186"},{"key":"e_1_2_1_26_1","unstructured":"Peter Mell Karen Scarfone and Sasha Romanosky. 2007. A complete guide to the common vulnerability scoring system version 2.0. In FIRST-Forum of Incident Response and Security Teams. 1--23. Peter Mell Karen Scarfone and Sasha Romanosky. 2007. A complete guide to the common vulnerability scoring system version 2.0. In FIRST-Forum of Incident Response and Security Teams. 1--23."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/322276.322287"},{"key":"e_1_2_1_28_1","volume-title":"Optimization in Operations Research","author":"Rardin Ronald L.","unstructured":"Ronald L. Rardin . 1998. Optimization in Operations Research . Prentice-Hall . Ronald L. Rardin. 1998. Optimization in Operations Research. Prentice-Hall."},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-017-0365-1"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.annemergmed.2010.08.040"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3196884","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3196884","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T01:39:29Z","timestamp":1750210769000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3196884"}},"subtitle":["A System for Vulnerability Prioritization, Mitigation, and Management"],"short-title":[],"issued":{"date-parts":[[2018,6,12]]},"references-count":30,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2018,11,30]]}},"alternative-id":["10.1145\/3196884"],"URL":"https:\/\/doi.org\/10.1145\/3196884","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,6,12]]},"assertion":[{"value":"2017-05-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2018-03-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2018-06-12","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}