Multi-Method Modeling and Analysis of the Cybersecurity Vulnerability Management Ecosystem
White Paper
Software Engineering Institute
This paper presents modeling and analysis of two critical foundational processes of the cybersecurity vulnerability management ecosystem, using a combination of system dynamics and agent-based modeling techniques. The preliminary result of this analysis is that misapplication of either of these foundational processes could contribute to the fragility and risk associated with the many national infrastructures and organizational missions that rely on the Internet. We use data from the CERT Coordination Center that characterizes coordinated vulnerability disclosure for our previous and continuing calibration and validation efforts. Our analysis to date has identified additional areas for future work: new questions to consider, alternative social cost measures to investigate, and new avenues for validation. While the results of our initial efforts should be viewed as preliminary due to limited calibration and validation, we believe that the approaches used and the depth of the modeling and simulation are sufficient to begin to understand key implications of these processes and possible avenues for their improved application in the future.