{"language":[{"iso":"eng"}],"article_type":"original","type":"journal_article","date_updated":"2022-10-19T15:27:51Z","publication":"Computers & Security","author":[{"first_name":"Emrah","full_name":"Yasasin, Emrah","last_name":"Yasasin"},{"first_name":"Julian","full_name":"Prester, Julian","last_name":"Prester"},{"full_name":"Wagner, Gerit","last_name":"Wagner","first_name":"Gerit"},{"first_name":"Guido","full_name":"Schryen, Guido","id":"72850","last_name":"Schryen"}],"status":"public","intvolume":"        88","year":"2020","user_id":"72850","citation":{"ama":"Yasasin E, Prester J, Wagner G, Schryen G. Forecasting IT Security Vulnerabilities - An Empirical Analysis. <i>Computers &#38; Security</i>. 2020;88(January).","mla":"Yasasin, Emrah, et al. “Forecasting IT Security Vulnerabilities - An Empirical Analysis.” <i>Computers &#38; Security</i>, vol. 88, no. January, 2020.","bibtex":"@article{Yasasin_Prester_Wagner_Schryen_2020, title={Forecasting IT Security Vulnerabilities - An Empirical Analysis}, volume={88}, number={January}, journal={Computers &#38; Security}, author={Yasasin, Emrah and Prester, Julian and Wagner, Gerit and Schryen, Guido}, year={2020} }","ieee":"E. Yasasin, J. Prester, G. Wagner, and G. Schryen, “Forecasting IT Security Vulnerabilities - An Empirical Analysis,” <i>Computers &#38; Security</i>, vol. 88, no. January, 2020.","short":"E. Yasasin, J. Prester, G. Wagner, G. Schryen, Computers &#38; Security 88 (2020).","apa":"Yasasin, E., Prester, J., Wagner, G., &#38; Schryen, G. (2020). Forecasting IT Security Vulnerabilities - An Empirical Analysis. <i>Computers &#38; Security</i>, <i>88</i>(January).","chicago":"Yasasin, Emrah, Julian Prester, Gerit Wagner, and Guido Schryen. “Forecasting IT Security Vulnerabilities - An Empirical Analysis.” <i>Computers &#38; Security</i> 88, no. January (2020)."},"title":"Forecasting IT Security Vulnerabilities - An Empirical Analysis","_id":"13175","department":[{"_id":"195"},{"_id":"277"}],"publication_identifier":{"issn":["0167-4048"]},"volume":88,"publication_status":"published","issue":"January","ddc":["000"],"file":[{"access_level":"open_access","content_type":"application/pdf","relation":"main_file","date_updated":"2019-09-09T18:24:35Z","date_created":"2019-09-09T18:24:35Z","creator":"schryen","file_size":894663,"file_id":"13176","file_name":"Forecasting_IT_Security_Vulnerabilities.pdf"}],"oa":"1","abstract":[{"text":"Today, organizations must deal with a plethora of IT security threats and to ensure smooth and\r\nuninterrupted business operations, firms are challenged to predict the volume of IT security vulnerabilities\r\nand allocate resources for fixing them. This challenge requires decision makers to assess\r\nwhich system or software packages are prone to vulnerabilities, how many post-release vulnerabilities\r\ncan be expected to occur during a certain period of time, and what impact exploits might have.\r\nSubstantial research has been dedicated to techniques that analyze source code and detect security\r\nvulnerabilities. However, only limited research has focused on forecasting security vulnerabilities\r\nthat are detected and reported after the release of software. To address this shortcoming, we apply\r\nestablished methodologies which are capable of forecasting events exhibiting specific time series\r\ncharacteristics of security vulnerabilities, i.e., rareness of occurrence, volatility, non-stationarity,\r\nand seasonality. Based on a dataset taken from the National Vulnerability Database (NVD), we use\r\nthe Mean Absolute Error (MAE) and Root Mean Square Error (RMSE) to measure the forecasting\r\naccuracy of single, double, and triple exponential smoothing methodologies, Croston's methodology,\r\nARIMA, and a neural network-based approach. We analyze the impact of the applied forecasting\r\nmethodology on the prediction accuracy with regard to its robustness along the dimensions of the\r\nexamined system and software package \"operating systems\", \"browsers\" and \"office solutions\" and\r\nthe applied metrics. To the best of our knowledge, this study is the first to analyze the effect\r\nof forecasting methodologies and to apply metrics that are suitable in this context. Our results\r\nshow that the optimal forecasting methodology depends on the software or system package, as some\r\nmethodologies perform poorly in the context of IT security vulnerabilities, that absolute metrics\r\ncan cover the actual prediction error precisely, and that the prediction accuracy is robust within the\r\ntwo applied forecasting-error metrics.","lang":"eng"}],"has_accepted_license":"1","date_created":"2019-09-09T18:24:45Z","file_date_updated":"2019-09-09T18:24:35Z"}