In this paper we present and validate a novel attacker model based on the \ economic notion that the attacker has limited resources to forge a new \ attack. We focus on the vulnerability exploitation case, whereby the \ attacker has to choose whether to exploit a new vulnerability or keep an old \ one. We postulate that most vulnerabilities remain unattacked, and that the \ exploit development cycle relates to software updates rather than to the \ disclosure of new vulnerabilities. We develop a simple mathematical model to \ show the mechanisms underlying our observations and name it ``The Work-Averse Attacker Model''. \ We then leverage Symantec's data sharing \ platform WINE to validate our model by analysing records of attacks against \ more than 1M real systems. We find the `Model of the Work-Averse Attacker' \ to be strongly supported by the data and, in particular, that: (a) the great \ majority of attacks per software version is driven by one vulnerability \ only; (b) an exploit lives two years before being substituted by a new one; \ (c) the exploit arrival rate depends on the software's update rate rather \ than on time or knowledge of the vulnerability.
Allodi, Luca and Massacci, Fabio, "The Work-Averse Attacker Model" (2015). ECIS 2015 Completed Research Papers. Paper 7.