Allodi, Luca and Massacci, Fabio and Williams, Julian (2021) 'The Work-Averse Cyber Attacker Model: Theory and Evidence From Two Million Attack Signatures.', Risk Analysis: An International Journal .
The assumption that a cyber attacker will potentially exploit all present vulnerabilities drives most modern cyber risk management practices and the corresponding security investments. We propose a new attacker model, based on dynamic optimization, where we demonstrate that large, initial, fixed costs of exploit development induce attackers to delay implementation and deployment of exploits of vulnerabilities. The theoretical model predicts that mass attackers will preferably i) exploit only one vulnerability per software version, ii) largely include only vulnerabilities requiring low attack complexity, and iii) be slow at trying to weaponize new vulnerabilities. These predictions are empirically validated on a large dataset of observed massed attacks launched against a large collection of information systems. Findings in this paper allow cyber risk managers to better concentrate their efforts for vulnerability management, and set a new theoretical and empirical basis for further research defining attacker (offensive) processes.
|Full text:||Publisher-imposed embargo |
(AM) Accepted Manuscript
File format - PDF (709Kb)
|Full text:||(VoR) Version of Record|
Available under License - Creative Commons Attribution 4.0.
Download PDF (697Kb)
|Publisher Web site:||https://doi.org/10.1111/risa.13732|
|Publisher statement:||© 2021 The Authors. Risk Analysis published by Wiley Periodicals LLC on behalf of Society for Risk Analysis This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited.|
|Date accepted:||03 February 2021|
|Date deposited:||05 February 2021|
|Date of first online publication:||07 May 2021|
|Date first made open access:||20 December 2021|
Save or Share this output
|Look up in GoogleScholar|