{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:24:12Z","timestamp":1750220652787,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":57,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,12,7]],"date-time":"2020-12-07T00:00:00Z","timestamp":1607299200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,12,7]]},"DOI":"10.1145\/3427228.3427271","type":"proceedings-article","created":{"date-parts":[[2020,12,9]],"date-time":"2020-12-09T22:20:18Z","timestamp":1607552418000},"page":"556-566","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Effect of Security Controls on Patching Window: A Causal Inference based Approach"],"prefix":"10.1145","author":[{"given":"Aditya","family":"Kuppa","sequence":"first","affiliation":[{"name":"University College Dublin, Ireland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Lamine","family":"Aouad","sequence":"additional","affiliation":[{"name":"Tenable Network Security"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nhien-An","family":"Le-Khac","sequence":"additional","affiliation":[{"name":"University College Dublin, Ireland"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2020,12,8]]},"reference":[{"volume-title":"Are there too many Security Vendors?https:\/\/go.451research.com\/2019-mi-are-there-too-many-security-vendors.html. [Online","year":"2020","key":"e_1_3_2_1_1_1"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1257\/aer.p20171042"},{"key":"e_1_3_2_1_3_1","first-page":"19","article-title":"Security evaluation model based on the score of security mechanisms","volume":"6","author":"Breier Jakub","year":"2014","journal-title":"Information Sciences and Technologies"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/ARES.2013.77"},{"volume-title":"Random forests. Machine learning 45, 1","year":"2001","author":"Breiman Leo","key":"e_1_3_2_1_5_1"},{"key":"e_1_3_2_1_6_1","unstructured":"Sunders Bruskin Polina Zilberman Rami Puzis and Shay Shwarz. 2020. SoK: A Survey of Open Source Threat Emulators. arXiv preprint arXiv:2003.01518(2020).  Sunders Bruskin Polina Zilberman Rami Puzis and Shay Shwarz. 2020. SoK: A Survey of Open Source Threat Emulators. arXiv preprint arXiv:2003.01518(2020)."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"crossref","unstructured":"Richard Caralli James\u00a0F Stevens Lisa\u00a0R Young and William\u00a0R Wilson. 2007. Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. (2007).  Richard Caralli James\u00a0F Stevens Lisa\u00a0R Young and William\u00a0R Wilson. 2007. Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. (2007).","DOI":"10.21236\/ADA470450"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"crossref","unstructured":"Diego Colombo Marloes\u00a0H Maathuis Markus Kalisch and Thomas\u00a0S Richardson. 2012. Learning high-dimensional directed acyclic graphs with latent and selection variables. The Annals of Statistics(2012) 294\u2013321.  Diego Colombo Marloes\u00a0H Maathuis Markus Kalisch and Thomas\u00a0S Richardson. 2012. Learning high-dimensional directed acyclic graphs with latent and selection variables. The Annals of Statistics(2012) 294\u2013321.","DOI":"10.1214\/11-AOS940"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"crossref","unstructured":"Daniel Dor and Yuval Elovici. 2016. A model of the information security investment decision-making process. Computers & security 63(2016) 1\u201313.  Daniel Dor and Yuval Elovici. 2016. A model of the information security investment decision-making process. Computers & security 63(2016) 1\u201313.","DOI":"10.1016\/j.cose.2016.09.006"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2010.07.001"},{"key":"e_1_3_2_1_11_1","unstructured":"Robert Feldt and Ana Magazinius. 2010. Validity threats in empirical software engineering research-an initial survey.. In Seke. 374\u2013379.  Robert Feldt and Ana Magazinius. 2010. Validity threats in empirical software engineering research-an initial survey.. In Seke. 374\u2013379."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"crossref","unstructured":"Stefan Fenz Andreas Ekelhart and Thomas Neubauer. 2011. Information security risk management: In which security solutions is it worth investing?Communications of the Association for Information Systems 28 1(2011) 22.  Stefan Fenz Andreas Ekelhart and Thomas Neubauer. 2011. Information security risk management: In which security solutions is it worth investing?Communications of the Association for Information Systems 28 1(2011) 22.","DOI":"10.17705\/1CAIS.02822"},{"volume-title":"Decision support approaches for cyber security investment. Decision support systems 86","year":"2016","author":"Fielder Andrew","key":"e_1_3_2_1_13_1"},{"volume-title":"IEC 27005: 2018 Information technology - Security techniques\u2013Information security risk management. ISO\/IEC","year":"2018","author":"International\u00a0Organization for Standardization. 2018.","key":"e_1_3_2_1_14_1"},{"key":"e_1_3_2_1_15_1","unstructured":"Joint\u00a0Task Force. 2012. Guide for Conducting Risk Assessments. (2012).  Joint\u00a0Task Force. 2012. Guide for Conducting Risk Assessments. (2012)."},{"volume-title":"Revision 4 Recommended Security Controls for Federal Information Systems and Organizations.","year":"2013","author":"Joint\u00a0Task Force","key":"e_1_3_2_1_16_1"},{"key":"e_1_3_2_1_17_1","unstructured":"Joint\u00a0Task Force. 2019. NIST Special Publication 800-37 Revision 2. Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (2019).  Joint\u00a0Task Force. 2019. NIST Special Publication 800-37 Revision 2. Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (2019)."},{"edition":"1","volume-title":"Measuring and Managing Information Risk: A FAIR Approach","author":"Freund Jack","key":"e_1_3_2_1_18_1"},{"volume-title":"Doubly robust estimation of causal effects. American journal of epidemiology 173, 7","year":"2011","author":"Funk Michele\u00a0Jonsson","key":"e_1_3_2_1_19_1"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.5555\/1148928.1700949"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1198\/jcgs.2010.08162"},{"volume-title":"International Conference on Machine Learning (ICML","year":"2016","author":"Johansson Fredrik","key":"e_1_3_2_1_22_1"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1007\/s40070-016-0055-7"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/ARES.2012.70"},{"volume-title":"Profit-maximizing firm investments in customer information security. Decision support systems 51, 4","year":"2011","author":"Lee Yong\u00a0Jick","key":"e_1_3_2_1_25_1"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1002\/int.21963"},{"volume-title":"Advances in Neural Information Processing Systems (NeurIPS","year":"2017","author":"Louizos Christos","key":"e_1_3_2_1_27_1"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSO.2011.43"},{"key":"e_1_3_2_1_29_1","unstructured":"Tomas Mikolov Ilya Sutskever Kai Chen Greg\u00a0S Corrado and Jeff Dean. 2013. Distributed representations of words and phrases and their compositionality. In Advances in neural information processing systems. 3111\u20133119.  Tomas Mikolov Ilya Sutskever Kai Chen Greg\u00a0S Corrado and Jeff Dean. 2013. Distributed representations of words and phrases and their compositionality. In Advances in neural information processing systems. 3111\u20133119."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.4018\/jsse.2013010102"},{"volume-title":"Modelling cyber-security experts","year":"2016","author":"Miller Simon","key":"e_1_3_2_1_31_1"},{"volume-title":"Identifying how firms manage cybersecurity investment","author":"Moore Tyler","key":"e_1_3_2_1_32_1"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2017.2781126"},{"key":"e_1_3_2_1_34_1","unstructured":"Angel\u00a0Rafael Otero. 2014. An Information Security Control Assessment Methodology for Organizations. (2014).  Angel\u00a0Rafael Otero. 2014. An Information Security Control Assessment Methodology for Organizations. (2014)."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-12601-2_15"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/2459976.2459999"},{"volume-title":"Causality: models, reasoning and inference. Vol.\u00a029","author":"Pearl Judea","key":"e_1_3_2_1_37_1","doi-asserted-by":"crossref","DOI":"10.1017\/CBO9780511803161"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9780511803161"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1007\/s41060-016-0032-z"},{"key":"e_1_3_2_1_40_1","unstructured":"Matthew Rosenquist and Timothy Casey. 2009. Prioritizing Information Security Risks with Threat Agent Risk Assessment (TARA). (2009).  Matthew Rosenquist and Timothy Casey. 2009. Prioritizing Information Security Risks with Threat Agent Risk Assessment (TARA). (2009)."},{"volume-title":"Estimating causal effects of treatments in randomized and nonrandomized studies.Journal of educational Psychology 66, 5","year":"1974","author":"Rubin B","key":"e_1_3_2_1_41_1"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1198\/016214504000001880"},{"volume-title":"Inferring causation from time series in Earth system sciences. Nature communications 10, 1","year":"2019","author":"Runge Jakob","key":"e_1_3_2_1_43_1"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-81-322-2674-1_33"},{"key":"e_1_3_2_1_45_1","unstructured":"Patrick Schwab Lorenz Linhardt Stefan Bauer Joachim\u00a0M Buhmann and Walter Karlen. 2019. Learning Counterfactual Representations for Estimating Individual Dose-Response Curves. arXiv preprint arXiv:1902.00981(2019).  Patrick Schwab Lorenz Linhardt Stefan Bauer Joachim\u00a0M Buhmann and Walter Karlen. 2019. Learning Counterfactual Representations for Estimating Individual Dose-Response Curves. arXiv preprint arXiv:1902.00981(2019)."},{"volume-title":"Seyed Alireza\u00a0Hashemi Golpaygani, and Hoda Ghavamipoor","year":"2015","author":"Shahpasand Maryam","key":"e_1_3_2_1_46_1"},{"volume-title":"Proceedings of the 34th International Conference on Machine Learning-Volume 70","year":"2017","author":"Shalit Uri","key":"e_1_3_2_1_47_1"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2017.10.006"},{"volume-title":"An algorithm for fast recovery of sparse causal graphs. Social science computer review 9, 1","year":"1991","author":"Spirtes Peter","key":"e_1_3_2_1_49_1"},{"volume-title":"prediction, and search","author":"Spirtes Peter","key":"e_1_3_2_1_50_1"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"crossref","unstructured":"Jerzy Splawa-Neyman Dorota\u00a0M Dabrowska and TP Speed. 1990. On the application of probability theory to agricultural experiments. Essay on principles. Section 9.Statist. Sci. (1990) 465\u2013472.  Jerzy Splawa-Neyman Dorota\u00a0M Dabrowska and TP Speed. 1990. On the application of probability theory to agricultural experiments. Essay on principles. Section 9.Statist. Sci. (1990) 465\u2013472.","DOI":"10.1214\/ss\/1177012031"},{"volume-title":"Judgment under uncertainty: Heuristics and biases. science 185, 4157","year":"1974","author":"Tversky Amos","key":"e_1_3_2_1_53_1"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2012.04.001"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1080\/01621459.2017.1319839"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFOMAN.2016.7477542"},{"volume-title":"The blessings of multiple causes. J. Amer. Statist. Assoc.just-accepted","year":"2019","author":"Wang Yixin","key":"e_1_3_2_1_57_1"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/21.87068"}],"event":{"name":"ACSAC '20: Annual Computer Security Applications Conference","acronym":"ACSAC '20","location":"Austin USA"},"container-title":["Annual Computer Security Applications Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3427228.3427271","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3427228.3427271","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:02:24Z","timestamp":1750197744000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3427228.3427271"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,12,7]]},"references-count":57,"alternative-id":["10.1145\/3427228.3427271","10.1145\/3427228"],"URL":"https:\/\/doi.org\/10.1145\/3427228.3427271","relation":{},"subject":[],"published":{"date-parts":[[2020,12,7]]},"assertion":[{"value":"2020-12-08","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}