Two-phase methodology for prioritization and utility assessment of software vulnerabilities

There seems to be a system or piece of software for everything nowadays, from an application that lets you explore internet browsers to virtual reality software. This growth in the online domain is pushing software developers to create safer products and to strengthen the protection of sensitive user information. The security issue is becoming even more critical with the rise of cyber-attacks, so the industry is giving foremost attention to the testing and development phase. Software or an operating system can contain several flaws or weaknesses that could allow an attacker to compromise the integrity, availability, or confidentiality of a product; these are commonly termed software vulnerabilities. The first step, therefore, is to understand which type of vulnerability is the most crucial so that losses can be minimized, and multi-criteria decision-making techniques help to prioritize these vulnerabilities. In this paper, we apply a two-phase methodology: the analytic hierarchy process (AHP) and the best–worst method (BWM) in the first phase, followed by the two-way assessment technique in the second phase, which assesses the vulnerabilities in terms of their utility. The model is validated using real-life data from a software testing and development company situated in the northern part of India. The results show that the BWM performed significantly better than the AHP approach in terms of utility.
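As an added example (not code from the paper), the first-phase AHP step applied to a constructed 4x4 pairwise-comparison matrix over hypothetical vulnerability types, including Saaty's consistency-ratio check that a practitioner would run before trusting the derived priorities; the type names and judgement values are assumptions.

```python
"""AHP priority weights for vulnerability types (added example, not the paper's code)."""
import math

# Saaty's random consistency index by matrix order n (n = 1..10).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24,
                7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def ahp_weights(matrix):
    """Priority vector from a reciprocal pairwise-comparison matrix,
    using the row geometric-mean approximation of the principal eigenvector."""
    n = len(matrix)
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(matrix, weights):
    """Saaty's CR = CI / RI, with CI = (lambda_max - n) / (n - 1)."""
    n = len(matrix)
    if n < 3:
        return 0.0
    # lambda_max estimated as the mean of (A w)_i / w_i over all rows
    aw = [sum(a * w for a, w in zip(row, weights)) for row in matrix]
    lam_max = sum(x / w for x, w in zip(aw, weights)) / n
    ci = (lam_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def prioritize(names, matrix, cr_limit=0.1):
    """Return (ranked (name, weight) pairs, CR); refuse inconsistent judgements."""
    w = ahp_weights(matrix)
    cr = consistency_ratio(matrix, w)
    if cr > cr_limit:
        raise ValueError(f"inconsistent judgements: CR={cr:.3f} > {cr_limit}")
    return sorted(zip(names, w), key=lambda p: p[1], reverse=True), cr


# Constructed input: hypothetical vulnerability types and a Saaty 1-9 scale
# judgement matrix (entry [i][j] = how much more critical type i is than type j).
VULN_TYPES = ["injection", "memory corruption", "auth bypass", "info disclosure"]
JUDGEMENTS = [
    [1,     3,     2,     5],
    [1 / 3, 1,     1 / 2, 3],
    [1 / 2, 2,     1,     4],
    [1 / 5, 1 / 3, 1 / 4, 1],
]

if __name__ == "__main__":
    ranked, cr = prioritize(VULN_TYPES, JUDGEMENTS)
    for name, weight in ranked:
        print(f"{name:18s} {weight:.3f}")
    print(f"CR = {cr:.3f}")
```

A CR above 0.1 means the pairwise judgements contradict each other badly enough that the resulting ranking should not be used until the comparisons are revisited.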
