
Modeling Software Risk Assessment Based on Multi-Vulnerability Lifecycle


DOI: https://doi.org/10.15866/irecos.v11i2.8552

Abstract


A software security vulnerability that has been discovered but not yet patched can threaten the security of an entire organization, because equipment is frequently controlled by a software system connected to the Internet, which is a playground for malicious users. Fortunately, characterizing a vulnerability in terms of its lifecycle helps us prioritize patch development and allocate resources optimally. Until now, researchers have mainly considered the lifecycle of a single vulnerability because of its simplicity. In reality, however, multiple vulnerabilities may be active simultaneously. To understand the risk and flow of security vulnerabilities more accurately, we need to investigate a lifecycle based on multiple vulnerabilities. In this paper, we build a multi-vulnerability lifecycle model and derive a risk evaluation formula for a given software system. The proposed approach allows comparison of alternative software systems and optimization of risk mitigation strategies.
Copyright © 2016 Praise Worthy Prize - All rights reserved.

Keywords


Markov Chain; Risk Assessment; Software Vulnerability; Vulnerability Lifecycle


