A Bayesian network model for likelihood estimations of acquirement of critical software vulnerabilities and exploits

ContextSoftware vulnerabilities in general, and software vulnerabilities with publicly available exploits in particular, are important to manage for both developers and users. This is however a difficult matter to address as time is limited and vulnerabilities are frequent.ObjectiveThis paper presents a Bayesian network based model that can be used by enterprise decision makers to estimate the likelihood that a professional penetration tester is able to obtain knowledge of critical vulnerabilities and exploits for these vulnerabilities for software under different circumstances.MethodData on the activities in the model are gathered from previous empirical studies, vulnerability databases and a survey with 58 individuals who all have been credited for the discovery of critical software vulnerabilities.ResultsThe proposed model describes 13 states related by 17 activities, and a total of 33 different datasets.ConclusionEstimates by the model can be used to support decisions regarding what software to acquire, or what measures to invest in during software development projects.