Security Analytics: Analysis of Security Policies for Vulnerability Management
Source: Hewlett-Packard (HP)
In this paper the author presents a novel approach that uses mathematical models and stochastic simulations to guide and inform security investment and policy change decisions. In particular, the paper investigates vulnerability management policies and explores how effective standard patch management and emergency-escalation-based policies are, and how they can be combined with earlier, pre-patch mitigation measures to reduce the potential exposure window. To achieve this, the author examined current practices across several large organizations and, based on these, constructed a model of the external events and of the internal decision points and security processes that vulnerability management consists of.