ERIC Number: ED549118
Record Type: Non-Journal
Publication Date: 2012
Pages: 124
Abstractor: As Provided
Reference Count: N/A
ISBN: 978-1-2673-4777-0
Predicting Vulnerability Risks Using Software Characteristics
Roumani, Yaman
ProQuest LLC, Ph.D. Dissertation, Kent State University
Software vulnerabilities have been regarded as one of the key reasons for computer security breaches that have resulted in billions of dollars in losses per year (Telang and Wattal 2005). With the growth of the software industry and the Internet, the number of vulnerability attacks and the ease with which an attack can be made have increased. From a software developer's perspective, releasing a perfectly secure product is not feasible and vulnerabilities will inevitably be discovered after the software is released to the market. While there is no guarantee to deliver vulnerability-free software, it is critical to improve vulnerability prediction and prevention measures. Most of the studies concerning software vulnerabilities have been exploratory in nature, with the majority dedicated to vulnerability detection and prevention and a few devoted to vulnerability predictions and forecasting. The research undertaken in this dissertation will take on a new dimension and propose novel vulnerability prediction models based on software characteristics. The prediction capabilities of the proposed model will be examined to predict the severity, frequency and diversity of vulnerabilities. The prediction capabilities will be examined through data analysis of publicly available vulnerability information and through a survey of IT practitioners. The survey will be designed to gain an insight on how IT practitioners predict vulnerability risks using software characteristics. The predictive capabilities obtained from the proposed models combined with the survey results will provide researchers and practitioners with a richer understanding of vulnerability risks and how software characteristics can be used as predictive measures. Based on vulnerability data collected from the National Vulnerability Database (NVD), this study empirically examined the effects of software characteristics on vulnerability risks. 
The results showed that both Software Type and the Number of Compatible Operating Systems can be used to predict the severity level and frequency of vulnerabilities. More importantly, this research provided specific information on which types of software products are more susceptible to vulnerabilities. Results obtained from the survey data of 187 IT practitioners were consistent with these findings. In terms of implications for academic research, this study offers new insights into the area of vulnerability prediction and software security. One research implication of this study is the discovery of the significant role of software characteristics in predicting vulnerability risks. The other research implication is the creation of two vulnerability prediction models. Such models answered the call of Alhazmi and Malaiya (2006) for more quantitative vulnerability prediction models. Moreover, this study has several practical implications for IT practitioners and software vendors. By identifying software characteristics that can affect vulnerability risks, software vendors and IT practitioners who are keen on security can use them as guidelines for predicting the severity level and frequency of future vulnerabilities. Software vendors and IT companies may also wish to establish security guidelines for developing or adopting software based on these results. [The dissertation citations contained here are published with the permission of ProQuest LLC. Further reproduction is prohibited without permission. Copies of dissertations may be obtained by telephone at 1-800-521-0600. Web page:]
ProQuest LLC. 789 East Eisenhower Parkway, P.O. Box 1346, Ann Arbor, MI 48106. Tel: 800-521-0600; Web site:
Publication Type: Dissertations/Theses - Doctoral Dissertations
Education Level: N/A
Audience: N/A
Language: English
Sponsor: N/A
Authoring Institution: N/A