Communications of the Association for Information Systems


With the increasing number and severity of security incidents and exploits, information technology (IT) vendors, security managers, and consumers have begun to place more emphasis on security. Yet, fixing the sheer volume of vulnerabilities remains a challenge as IT vendors race against attackers to evaluate system vulnerabilities, prioritize them, and issue security patches before cybercriminals can exploit them. In this study, we posit that IT vendors can prioritize which vulnerabilities they should patch first by assessing their exploitability risk. Accordingly, we identified the vulnerabilities that cybercriminals are most likely to exploit using vulnerability-related attributes and vulnerability types. To do so, we employed survival analysis and tested our models on historical vulnerability and exploit data from 2007 to 2016. Our results indicate that IT vendors benefit the most from fixing remotely exploitable vulnerabilities; non-complex vulnerabilities; vulnerabilities that require no authentication; and vulnerabilities that affect the confidentiality, integrity, and availability components. Furthermore, our findings suggest that IT vendors can mitigate the risk of exploit-related attacks by remedying code-injection vulnerabilities, buffer-overflow vulnerabilities, and numeric-error vulnerabilities.
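The attributes the abstract names (remote exploitability, low complexity, no authentication, and impact on confidentiality, integrity, and availability) correspond to the CVSS v2 base metrics AV, AC, Au, C, I, and A. The following is an added example, not the paper's survival model or code: it parses CVSS v2 base vectors, rejects malformed ones, and ranks a constructed list of vulnerabilities by how many of the abstract's high-exploitability attributes each satisfies. The vulnerability ids, vectors, and type labels are constructed for illustration, and giving every attribute equal weight is an assumption of this example; the paper's own hazard ratios are not on this page.

```python
"""Rank vulnerabilities for patching by the exploitability attributes the
abstract names. Added illustration; not the paper's model or dataset."""
import re

# Metrics of a CVSS v2 base vector and their legal values.
CVSS2_VALUES = {
    "AV": {"L", "A", "N"},   # Access Vector: local / adjacent network / network
    "AC": {"H", "M", "L"},   # Access Complexity: high / medium / low
    "Au": {"M", "S", "N"},   # Authentication: multiple / single / none
    "C": {"N", "P", "C"},    # Confidentiality impact: none / partial / complete
    "I": {"N", "P", "C"},    # Integrity impact
    "A": {"N", "P", "C"},    # Availability impact
}

# Vulnerability types the abstract singles out (labels are this example's shorthand).
HIGH_RISK_TYPES = {"code-injection", "buffer-overflow", "numeric-error"}

# Constructed sample records; ids and vectors are placeholders, not real CVEs.
SAMPLE = [
    {"id": "VULN-A", "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "type": "code-injection"},
    {"id": "VULN-B", "vector": "AV:L/AC:H/Au:M/C:P/I:N/A:N", "type": "information-disclosure"},
    {"id": "VULN-C", "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "type": "buffer-overflow"},
    {"id": "VULN-D", "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:C", "type": "numeric-error"},
]


def parse_cvss2(vector):
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a dict; raise ValueError on bad input."""
    metrics = {}
    for part in vector.split("/"):
        m = re.fullmatch(r"(AV|AC|Au|C|I|A):([A-Z])", part)
        if not m:
            raise ValueError(f"bad metric {part!r} in {vector!r}")
        key, val = m.groups()
        if key in metrics:
            raise ValueError(f"duplicate metric {key} in {vector!r}")
        if val not in CVSS2_VALUES[key]:
            raise ValueError(f"illegal value {val!r} for {key} in {vector!r}")
        metrics[key] = val
    missing = set(CVSS2_VALUES) - set(metrics)
    if missing:
        raise ValueError(f"missing metrics {sorted(missing)} in {vector!r}")
    return metrics


def exploitability_score(vuln):
    """One point per attribute the abstract associates with likely exploitation.
    Equal weights are an assumption of this example, not a result from the paper."""
    m = parse_cvss2(vuln["vector"])
    return sum([
        m["AV"] == "N",                                        # remotely exploitable
        m["AC"] == "L",                                        # non-complex
        m["Au"] == "N",                                        # no authentication needed
        m["C"] != "N" and m["I"] != "N" and m["A"] != "N",     # hits all three of C, I, A
        vuln["type"] in HIGH_RISK_TYPES,                       # type the abstract flags
    ])


def prioritize(vulns):
    """Return vulnerability ids in patch order: highest score first, ties broken by id."""
    ordered = sorted(vulns, key=lambda v: (-exploitability_score(v), v["id"]))
    return [v["id"] for v in ordered]


if __name__ == "__main__":
    for vid in prioritize(SAMPLE):
        v = next(x for x in SAMPLE if x["id"] == vid)
        print(f"{vid}: score {exploitability_score(v)}  {v['vector']}  {v['type']}")
```

The parser refuses vectors with missing, duplicated, or out-of-range metrics rather than silently scoring them, which matters when the input comes from a feed that may carry partial or differently versioned vector strings; a record that fails validation should be triaged by hand instead of being ranked with a misleading score.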