Prioritizing software vulnerability types using multi-criteria decision-making techniques

Authors: Ritu Sibal, Ruchi Sharma, Sangeeta Sabharwal

Affiliation: Department of Computer Engineering, Netaji Subhas Institute of Technology, Delhi, India

Publication: Life Cycle Reliability and Safety Engineering

Year, volume, issue: 2017, Vol. 6, No. 1

Pages: 57-67

Abstract: Software vulnerabilities pose potential security threats to a software. Researchers have been working on the problem of scheduling vulnerabilities and their fixation to minimize the potential risk they present. Vulnerability prioritization is an important step in this direction. Current work in this area focusses on implicit properties of a vulnerability and does not take into account the relative importance and their degree of interdependence. These factors contribute effectively to the decision of vulnerability fixation. In this paper, we consider these factors and propose multi-criteria decision-making (MCDM) techniques as a means of vulnerability prioritization. We have used three methods, namely normalized criteria distance (NCD), analytic hierarchy process (AHP), and decision-making trial and evaluation laboratory (DEMATEL) methodology for performing the task of vulnerability prioritization while treating different vulnerability types independent of each other in the first two approaches and showing interdependence in the third approach suggesting a cause–effect theory. We find the priorities of various vulnerability types using these three methods and suggest that the third approach is a more practical solution towards prioritization.
