|
Alhazmi, O.H., Malaiya, Y.K., 2008. Application of vulnerability discovery models to major operating systems. IEEE Transactions on Reliability 57 (1), 14-22. Alhazmi, O.H., Malaiya, Y.K., Ray, I., 2007. Measuring, analyzing and predicting security vulnerabilities in software systems. Computers &; Security 26 (3), 219-228. Anderson, R., Moore, T., 2006. The economics of information security. Science 314 (5799), 610-613. Andrew, C., 2005. The five Ps of patch management: is there a simple way for businesses to develop and deploy an advanced security patch management strategy? Computers &; Security 24 (5), 362–363. Arbaugh, W.A., Fithen,W.L., McHugh, J., 2000. Windows of vulnerability: a case study analysis. Computer 33 (12), 52-59. Arora, A., Caulkins, J.P., Telang, R., 2006. Research note-sell first, fix later: impact of patching on software quality. Management Science 52 (3), 465-471. Arora, A., Krishnan, R., Telang, R., Yang, Y., 2010. An empirical analysis of software vendors’ patch release behavior: impact of vulnerability disclosure. Information System Research 21 (1), 115-132. Arora, A., Telang, R., 2005. Economics of software vulnerability disclosure. IEEE Security &; Privacy 3 (1), 20-25. Arora, A., Telang, R., Xu, H., 2008. Optimal policy for software vulnerability disclosure. Management Science 54 (4), 642-656. August, T., Tunca, T.I., 2006. Network software security and user incentives. Management Science 52 (11), 1703-1720. August, T., and Tunca, T.I., 2008. Let the pirates patch? an economic analysis of software security patch restrictions. Information Systems Research 19 (1), 48-70. Austin, R.D., Darby, C.A.R., 2003. The myth of secure computing. Harvard Business Review 81 (6), 120-126. Beres, Y., Griffin, J., Shiu, S., Heitman, M., Markle, D., Ventura, P., 2008. Analysing the performance of security solutions to reduce vulnerability exposure window. Proceedings of the 24th Annual Computer Security Applications Conference, pp. 33-42. Beres, Y., Griffin, J., 2012. Optimizing network patching policy decisions. Gritzalis, D., Furnell, S., and Theoharidou, M. (Eds.), Information Security and Privacy Research, Springer Berlin Heidelberg, IFIP Advances in Information and Communication Technology 376, 424-442. Bortolan, G., Degani, R., 1985. A review of some methods for ranking fuzzy subsets. Fuzzy Sets and Systems 15 (1), 1-19. Brykczynski, B., Small, R.A., 2003. Reducing internet-based intrusions: effective security patch management. IEEE Software 20 (1), 50-57. Buckley, J.J., 1985a. Ranking alternatives using fuzzy numbers. Fuzzy Sets and Systems 15 (1), 21-31. Buckley, J.J., 1985b. Fuzzy hierarchical analysis. Fuzzy Sets and Systems 17 (3), 233-247. Buckley, J.J., 2004. Fuzzy Statistics. First edition, Springer, Birmingham, AL, USA. Carr, N.G., 2003. IT doesn’t matter. Harvard Business Review 81 (5), 41-49. Cavusoglu, H., Cavusoglu, H., Raghunathan, S., 2007. Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Transactions on Software Engineering 33 (3), 171-185. Cavusoglu, H., Cavusoglu, H., Zhang, J., 2008. Security patch management: share the burden or share the damage. Management Science 54 (4), 657-670. Cavusoglu, H., Mishra, B., Raghunathan, S., 2004. The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce 9 (1), 69-104. Chen, S.J., Hwang, C.L., 1992. Fuzzy Multiple Attribute Decision Making: Methods and Applications – A State-of-the-art Survey. Springer-Verlag, New York, NY, USA, pp. 465-486. Chen, T.Y., Wang, J.C., 2001. Identification of λ-fuzzy measures using sampling design and genetic algorithms. Fuzzy Sets and Systems 123 (3), 321-341. Choquet, G., 1953. Theory of capacities. Annales de l''institut Fourier 5, 131-295. Crampton, J., 2011. Practical and efficient cryptographic enforcement of interval-based access control policies. ACM Transactions on Information and System Security 14 (1), Article no. 14. Delgado, M., Verdegay, J.L., Vila, M.A., 1988. A Procedure for Ranking Fuzzy Numbers Using Fuzzy Relations. Fuzzy Sets and Systems 26 (1), 49-62. Farash, M.S., Bayat, M., Attari, M.A., 2011. Vulnerability of two multiple-key agreement protocols. Computers &; Electrical Engineering 37 (2), 199-204. Fisher, M.L., 1981. The Lagrangean relaxation method for solving integer programming problems. Management Science 27 (1), 1-18. Fisher, M.L., 1985. An applications oriented guide to Lagrangean relaxation. Interfaces 15 (2), 10-21. Forcht, K.A., 1994. Computer Security Management. Boyd &; Fraser, Danvers, MA, USA. Geoffrion, A.M., 1974, Lagrangean relaxation and its use in integer programming. Mathematical Programming Study 2, 82-114. Gerace, T., Cavusoglu, H., 2009. The critical elements of the patch management process. Communications of the ACM 52 (8), 117-121. Goel, S., Shawky, H.A., 2009. Estimating the market impact of security breach announcements on firm values. Information &; Management 46 (7), 404-410. Gordon, L.A., Loeb, M.P., 2002. The economics of information security investment. ACM Transactions on Information and System Security 5 (4), 438-457. Gordon, L.A., Loeb, M.P., Sohail, T., 2010. Market value of voluntary disclosures concerning information security. MIS Quarterly 34 (3), 567-594. Gupta, M., Rees, J., Chaturvedi, A., Chi, J., 2006. Matching information security vulnerabilities to organizational security profiles: a genetic algorithm approach. Decision Support Systems 41 (3), 592-603. Hellendoorn, H., Thomas, C., 1995. On quality defuzzification – theory and an application example. Bien, Z. and Min K.C. (Eds.), Fuzzy Logic and Its Applications to Engineering, Information Sciences, and Intelligent Systems 16, 167-176, 1995. Houmb, S.H., Franqueira, V.N.L., Engum E.A., 2010. Quantifying security risk level from CVSS estimates of frequency and impact. Journal of Systems and Software 83 (9), 1622-1634. Hovav, A., D’Arcy, J., 2003. The impact of denial-of-service attack announcements on the market value of firms. Risk Management and Insurance Review 6 (2), 97-121. Ioannidis, C., Pym, D., Williams, J., 2012. Information security trade-offs and optimal patching policies. European Journal of Operational Research 216 (2), 434-444. Ishikawa, A., Amagasa, M., Shiga, T., Tomizawa, G., Tatsuta, R., Mieno, H., 1993. The max–min Delphi method and fuzzy Delphi method via fuzzy integration. Fuzzy Sets and Systems, 55 (3), 241-253. Johnson, C., 2007. Implementation of commonly accepted security configurations for windows operating systems. OMB (Office of Management and Budget) Memo M-07-11. Kannan, K., Telang, R., 2005. Market for software vulnerabilities? think again. Management Science 51 (5), 726-740. Kaufmann, A., Gupta, M.M., 1988. Fuzzy Mathematical Models in Engineering and Management Science. Elsevier, New York, NY, USA. Lai, Y.P., Hsia, P.L., 2007. Using the vulnerability information of computer systems to improve the network security. Computer Communications 30 (9), 2032-2047. Lee, K.M., Leekwang, H., 1995. Identification of λ-fuzzy measure by genetic algorithms. Fuzzy Sets and Systems 75 (3), 301-309. Lesk, M., 2011. Cybersecurity and economics. IEEE Security &; Privacy 9 (6), 76-79. Likert, R., 1932. A technique for the measurement of attitudes. Archives of Psychology 22 (140), 1-55. Liu, P., Zang, W., Yu, M., 2005. Incentive-based modeling and inference of attacker intent, objectives, and strategies. ACM Transactions on Information and System Security 8 (1), 78-118. Liu, Q., Zhang, Y., 2011. VRSS: a new system for rating and scoring vulnerabilities. Computer Communications 34 (3), 264-273. Liu, Q., Zhang, Y., Kong, Y., Wu, Q., 2012. Improving VRSS-based vulnerability prioritization using analytic hierarchy process. Journal of Systems and Software 85 (8), 1699-1708. Martin, J., 1973. Security, Accuracy, and Privacy in Computer Systems. Prentice Hall, Upper Saddle River, NJ, USA. Martin, R.A., 2008. Making security measurable and manageable. In: Proceedings of the 2008 IEEE Military Communications Conference. Mell, P., Scarfone, K., Romanosky, S., 2006. Common vulnerability scoring system. IEEE Security &; Privacy 4 (6), 85-89. Mell, P., Scarfone, K., 2007. Improving the common vulnerability scoring system. IET Information Security 1 (3), 119-127. Mell, P., Scarfone, K., Romanosky, S., 2007. A complete guide to the common vulnerability scoring system (CVSS), Version 2.0. Forum of Incident Response and Security Teams (FIRST). Microsoft, 2010. Statement of health for network access protection (NAP) protocol specification. Microsoft Corporation. Milian, M., 2011. Sony: hacker stole PlayStation users’ personal info. Cable News Network (CNN), April 26, 2011. MITRE, 2010a. Common vulnerabilities and exposures (CVE). MITRE, 2010b, Common weakness enumeration (CWE). Mookerjee, V., Mookerjee, R., Bensoussan, A., 2011. When hackers talk: managing information security under variable attack rates and knowledge dissemination. Information Systems Research 22 (3), 606-623. Murofushi, T., Sugeno, M., 1989. An interpretation of fuzzy measures and the Choquet integral as an integral with respect to a fuzzy measure. Fuzzy Sets and Systems 29 (2), 201-227. NIST, 2009. Recommended security controls for federal information systems and organizations. NIST Special Publication 800-53 Revision 3. NIST, 2010a. National vulnerability database (NVD), Version 2.2. NIST, 2010b. National checklist program repository. NIST, 2010c. Federal desktop core configuration (FDCC). OWASP, 2010. OWASP top 10-2010. The ten most critical web application security risk. Parker, D.B., 1981. Computer Security Management. Prentice Hall, Reston, VA, USA. Patton, R., 2005. Software Testing. Second edition, Sams, Indianapolis, IN, USA. Pavlou, P.A., Liang, H., Xue, Y., 2007. Understanding and mitigating uncertainty in online exchange relationships: a principal-agent perspective. MIS Quarterly 31 (1), 105-136. Quinn, S.D., Souppaya, M., Cook, M., Scarfone, K., 2011. National checklist program for IT products - guidelines for checklist users and developers. NIST Special Publication 800-70 Revision 2. Rahimi, S., Zargham, M., 2013. Vulnerability scrying method for software vulnerability discovery prediction without a vulnerability database. IEEE Transactions on Reliability 62 (2), 395-407. Ramakrishnan, C.R., Sekar, R., 2002. Model based analysis of configuration vulnerabilities. Journal of Computer Security 10 (1-2), 189-209. Ransbotham, S., Mitra, S., Ramsey, J., 2012. Are markets for vulnerabilities effective? MIS Quarterly 36 (1), 43-64. Rescorla, E., 2005. Is finding security holes a good idea? IEEE Security &; Privacy 3 (1), 14-19. Rogers, R.W., 1975. A protection motivation theory of fear appeals and attitude change. Journal of Psychology 91, 93-114. Rogers, R.W., 1983. Cognitive and physiological processes in fear appeals and attitude change: a revised theory of protection motivation. Social Psychophysiology, 153-176. Ryu, Y.U., Rhee, H., 2008. Evaluation of intrusion detection systems under a resource constraint. ACM Transactions on Information and System Security 11 (4), Article no. 20. Saaty, T.L., 1980. The Analytic Hierarchical Process. MicGraw-Hill, New York, NY, USA. SANS Institute, 2009. Top cyber security risks - vulnerability exploitation trends. Scarfone, K., Mell, P., 2009. An analysis of CVSS version 2 vulnerability scoring. In: Proceedings of the Third International Symposium on Empirical Software Engineering and Measurement, pp. 516-525. Shahriari, H.R., Makarem, M.S., Sirjani, M., Jalili, R., Movaghar, A., 2010. Vulnerability analysis of networks to detect multiphase attacks using the actor-based language Rebeca. Computers &; Electrical Engineering 36 (5), 874-885. Stiemerling, M., Quittek, J., Eggert, L., 2008. NAT and firewall traversal issues of host identity protocol (HIP) communication. RFC (Request for Comments) 5207, IETF (The Internet Engineering Task Force). Straub, D.W., 1990. Effective IS security: an empirical study. Information Systems Research 1 (3), 255-276. Straub, D.W., Welke, R.J., 1998. Coping with systems risk: security planning models for management decision making. MIS Quarterly 22 (4), 441-469. Sugeno, M., Terano, T., 1977. A model of learning based on fuzzy information. Kybernetes 6 (3), 157-166. Takeda, E., 1995. Fuzzy Evaluation. in: Asai, K. (Ed.), Fuzzy Systems for Management, First edition, IOS Press, Amsterdam, Netherlands, pp. 43-55. Telang, R., Wattal, S., 2007. An empirical analysis of software vulnerability announcements on firm stock price. IEEE Transactions on Software Engineering 33 (8), 544-557. Teng, J.Y., Tzeng, G.H., 1993, Transportation investment project selection with fuzzy multi-objective. Transportation Planning and Technology 17(2), 91-112. The White House, 1998. The clinton administration’s policy on critical infrastructure protection. Presidential Decision Directive 63, White Paper. The White House, 2000a. National plan for information systems protection, Version 1.0. The White House, 2000b. Cyber Security Research and Development Act. The White House, 2002. E-government act of 2002, title 3 – information security. Trusted Computing Group, 2009. TCG trusted network connect TNC architecture for interoperability. Specification Version 1.4, Revision 4. Viduto, V., Maple, C., Huang, W., Lopez-Perez, D., 2012. A novel risk assessment and optimisation model for a multi-objective network security countermeasure selection problem. Decision Support Systems 53 (3), 599-610. Vishwanath, A., Herath, T., Chen, R., Wang, J., Rao, H.R., 2011. Why do people get phished? testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems 51 (3), 576–586. Waltermire, D., Quinn, S.D., Scarfone, K., Halbardier, A., 2011. The technical specification for the security content automation protocol (SCAP): SCAP Version 1.2. NIST Special Publication 800-126 Revision 2. Wang, X., Golle, P, Jakobsson, M., Tsow, A., 2010a. Deterring voluntary trace disclosure in re-encryption mix-networks. ACM Transactions on Information and System Security 13 (2), Article no. 18. Wang, J., Xiao, N., Rao, H.R., 2010b. Drivers of information security search behavior: an investigation of network attacks and vulnerability disclosures. ACM Transactions on Management Information Systems 1 (1), Article no. 3. Weck, M., Klocke, F., Schell, H., Ruenauver, E., 1997. Evaluating alternative production cycles using the extended fuzzy AHP method. European Journal of Operational Research 100 (2), 351-366. Winston, W.L., 2004. Operations Research: Application and Algorithms. Fourth edition, Brooks/Cole, Belmont, CA, USA. Woo, S.W., Joh, H.C., Alhazmi, O.H., Malaiya, Y.K., 2011. Modeling vulnerability discovery process in Apache and IIS HTTP servers. Computers &; Security 30 (1), 50-62. Yayla, A.A., Hu, Q., 2011. The impact of information security events on the stock value of firms: the effect of contingency factors. Journal of Information Technology 26, 60-77.
|