Long Term Study on Navigating Software Vulnerabilities Shows There’s Work to be Done

We need a more nuanced approach to vulnerability management

A recently released study by the National Bureau of Economic Research (NBER) analyzed 18 years of data from medium and large organizations on the prevalence of serious software vulnerabilities and how organizations have responded to them. Using the largest dataset ever assembled on user updates, the study tracked server software updates by over 150,000 medium and large U.S. organizations from 2000 to 2018. The results show that, despite ever-increasing cyber threats, patching or remediating known vulnerabilities remains an Achilles' heel for many organizations. What follows is a summary of the report along with some recommendations from AppSOC on how vulnerability management can be improved.

Study Overview

Over the past twenty years, the incidence of disruptive cyberattacks on companies has increased significantly. Many of these attacks exploit known vulnerabilities in the software running on companies' servers, even when updates to fix these vulnerabilities are available. High-profile cases like the 2017 cyberattack on the UK’s National Health Service and the Equifax data breach highlighted the severe consequences of such vulnerabilities. These incidents led to increased calls for better cybersecurity measures and policies to manage software vulnerabilities effectively.

The NBER is a leading nonprofit organization dedicated to conducting economic research and disseminating its findings among academics, public policymakers, and business professionals. In this study, NBER investigated the prevalence of severe software vulnerabilities, how quickly users respond once a secure version is available, and the factors that explain the variance in update installation.

The findings revealed widespread use of server software with known vulnerabilities: 57% of organizations ran software with severe security vulnerabilities despite the availability of secure versions. Factors such as the cost of updating, whether the software is hosted on a cloud-based platform, and whether the update is incremental or a major overhaul significantly influenced responsiveness. The study's findings suggest that integrating organizations' attentiveness to software updates into cybersecurity policy design could yield high returns.

Key Research Questions

The study investigates three main questions:

  1. How prevalent are severe software vulnerabilities among medium and large U.S. organizations?
  2. How quickly do these organizations respond to the availability of secure software versions?
  3. What factors determine the variance in the installation of software updates?

Data and Methodology

The research uses the largest dataset ever assembled on user updates, tracking server software updates by over 150,000 medium and large U.S. organizations from 2000 to 2018. This dataset includes information on server software usage, update installations, and vulnerability disclosures.

Key Findings

  1. Prevalence of Vulnerabilities
    The study finds widespread usage of server software with known vulnerabilities. Approximately 57% of organizations used software with severe security vulnerabilities, even when secure versions were available. This highlights a significant risk, as these vulnerabilities are exploitable by malicious actors.

    AppSOC recommendations:
    The first challenge for many organizations is creating consistent and centralized visibility over where vulnerabilities exist, and how and when they will be remediated. These decisions are often made in silos without understanding business context or the potential impact of a vulnerability organization-wide. The AppSOC ASPM platform consolidates data from all vulnerability detection tools and combines it with threat intelligence on potential exploitability.

  2. Response to Updates
    Organizations do not uniformly respond to vulnerability disclosures and updates. While some organizations quickly install updates, others delay, increasing their risk of cyberattacks. Factors such as the cost of updating and whether the software is hosted on a cloud-based platform significantly influence the speed of updates.

    AppSOC recommendations:
    The sheer volume of vulnerabilities can be daunting for many organizations. It's critical that the data be consolidated, deduplicated, normalized, and prioritized. The AppSOC platform can eliminate over 90% of vulnerability noise from redundant and low-priority findings, and prioritizes all issues based on actual business risk, to make this process much more manageable and effective.

  3. Determinants of Update Installation
    The analysis reveals that the cost of updating is a more significant determinant of update installation than the perceived value of security. This suggests that organizations prioritize cost considerations over security, leading to a high prevalence of vulnerabilities.

    AppSOC recommendations:
    It's not practical or necessary to patch everything. The cost of patching vulnerabilities needs to be weighed against an accurate assessment of the impact, exploitability, and relevance of any vulnerability to a specific organization. AppSOC provides this level of context so that businesses can make smart decisions on where to apply their limited IT resources.

  4. Variability in Update Practices
    There is considerable variability in how organizations manage updates. Some organizations are proactive and regularly update their software, while others are slower and more inconsistent. Persistent, unobservable organizational characteristics, such as routines and culture, explain much of this variability.

    AppSOC recommendations:
    Managing vulnerabilities shouldn't be left to chance. Organizations need a structured, practical, and consistent approach to consolidating, prioritizing, and remediating vulnerabilities. This is precisely what AppSOC provides with its ASPM platform.

Policy Implications

The study's findings have important implications for cybersecurity policy:

  1. Disclosure Policies
    Full disclosure of software vulnerabilities may not be optimal. While disclosing severe vulnerabilities can prompt faster updates, disclosing minor vulnerabilities may lead to unnecessary costs and complexity, deterring timely updates.

    AppSOC recommendations:
    Decisions on whether to patch, delay, or ignore vulnerabilities need to be based on data, context, and intelligent scoring and prioritizing. Taking a zero-vulnerability approach is not practical or necessary if you have tools like AppSOC to manage the process.

  2. Cost Sensitivity
    Organizations' sensitivity to the costs of updating suggests that policies aimed at reducing these costs, such as subsidies for updates or incentives for using cloud-based services, could be more effective than those highlighting the risks of vulnerabilities.

    AppSOC recommendations:
    Updating vulnerable software should be based on a structured and consistent cost-benefit analysis. This analysis needs to go beyond basic CVSS scores, which can produce a flood of "critical" alerts. AppSOC provides a framework and the tools to accurately prioritize and pinpoint the most critical vulnerabilities to remediate first.

  3. Organizational Culture
    Improving organizational routines and culture around cybersecurity could enhance responsiveness to updates. Regular update schedules and better awareness of the importance of timely updates could reduce vulnerability prevalence.

    AppSOC recommendations:
    The first step to improving security culture is to make sure critical data does not get stuck in silos, and that there is consistent visibility for all stakeholders. AppSOC provides this along with granular SLA and Security Maturity tracking to facilitate continuous improvement.

  4. Incremental Updates
    Simplifying updates by separating critical security fixes from feature improvements could encourage more timely installation. Complex updates that bundle multiple changes are less likely to be adopted quickly.

    AppSOC recommendations:
    This is a sensible best practice, but it also needs to be combined with a DevSecOps approach that finds software flaws early in the SDLC so that they can be remediated before any risk is accrued.
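The recommendations under Response to Updates, Determinants of Update Installation, and Cost Sensitivity all describe the same pipeline: consolidate findings from several scanners, deduplicate and normalize them, then rank by business risk rather than by raw CVSS score. The following Python script is an added illustration of that pipeline; it is not code from the page or from the AppSOC platform. The scanner output, the asset context, the known-exploited list, the CVE identifiers and the scoring weights are all constructed placeholders.

```python
"""
Added example (not from the page or from AppSOC): consolidate findings from
several scanners, deduplicate and normalize them, and rank them by a risk
score that weighs asset criticality, exposure and known exploitation on top
of the CVSS base score. All data below is constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed output of three hypothetical scanners. Host names, CVE ids and
# scores are placeholders, not real findings.
RAW_FINDINGS = [
    {"tool": "scanner_a", "host": "web-01.example.internal",
     "cve": "CVE-0000-0001", "cvss": 9.8, "severity": "CRITICAL"},
    # Same issue as above reported by a second tool with different casing.
    {"tool": "scanner_b", "host": "WEB-01.example.internal",
     "cve": "cve-0000-0001", "cvss": 9.8, "severity": "critical"},
    {"tool": "scanner_a", "host": "db-01.example.internal",
     "cve": "CVE-0000-0002", "cvss": 7.5, "severity": "HIGH"},
    {"tool": "scanner_c", "host": "lab-07.example.internal",
     "cve": "CVE-0000-0003", "cvss": 9.1, "severity": "CRITICAL"},
]

# Business context the scanners do not have: asset criticality (0..1) and
# whether the host is reachable from the internet. Constructed values.
ASSET_CONTEXT = {
    "web-01.example.internal": {"criticality": 0.9, "exposed": True},
    "db-01.example.internal": {"criticality": 1.0, "exposed": False},
    "lab-07.example.internal": {"criticality": 0.2, "exposed": False},
}
# Constructed stand-in for a threat intelligence feed of exploited CVEs.
KNOWN_EXPLOITED = {"CVE-0000-0002"}


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    sources: set = field(default_factory=set)


def normalize(raw):
    """Canonicalize host and CVE so the same issue from different tools matches."""
    return Finding(host=raw["host"].strip().lower(),
                   cve=raw["cve"].strip().upper(),
                   cvss=float(raw["cvss"]),
                   sources={raw["tool"]})


def consolidate(raw_findings):
    """Merge duplicates on (host, cve); keep the highest CVSS and all sources."""
    merged = {}
    for raw in raw_findings:
        f = normalize(raw)
        key = (f.host, f.cve)
        if key in merged:
            merged[key].cvss = max(merged[key].cvss, f.cvss)
            merged[key].sources |= f.sources
        else:
            merged[key] = f
    return list(merged.values())


def risk_score(f, context, known_exploited):
    """CVSS scaled by asset criticality, boosted for exposure and for known
    exploitation. The multipliers are illustrative assumptions, not a standard."""
    ctx = context.get(f.host, {"criticality": 0.5, "exposed": False})
    score = f.cvss * ctx["criticality"]
    if ctx["exposed"]:
        score *= 1.25
    if f.cve in known_exploited:
        score *= 1.5
    return score


def prioritize(raw_findings, context=ASSET_CONTEXT, known_exploited=KNOWN_EXPLOITED):
    """Consolidate, score and sort findings by risk, highest first."""
    rows = []
    for f in consolidate(raw_findings):
        rows.append({"host": f.host, "cve": f.cve, "cvss": f.cvss,
                     "sources": f.sources,
                     "risk": risk_score(f, context, known_exploited)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def triage(rows, threshold):
    """Split ranked findings into those to remediate now and those to schedule."""
    now = [r for r in rows if r["risk"] >= threshold]
    later = [r for r in rows if r["risk"] < threshold]
    return now, later


if __name__ == "__main__":
    ranked = prioritize(RAW_FINDINGS)
    now, later = triage(ranked, threshold=5.0)
    for r in ranked:
        print(f'{r["host"]:26} {r["cve"]} cvss={r["cvss"]:<4} risk={r["risk"]:.2f} '
              f'sources={sorted(r["sources"])}')
    print(f"remediate now: {len(now)}, schedule later: {len(later)}")
```

With the constructed inputs, the four raw findings collapse to three, and the HIGH-rated database issue that is known to be exploited outranks the CRITICAL-rated web issue, while the CRITICAL finding on a low-value lab host drops to the bottom. That reordering is the point of going beyond the base CVSS score: the rank is driven by what the vulnerability means for this organization, not by the severity label alone.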

Conclusion

The study underscores the need for a nuanced approach to cybersecurity policy that considers the economic and behavioral factors influencing organizations' update practices. By addressing the cost barriers and fostering a culture of regular updates, policymakers can improve the overall security posture of medium and large U.S. organizations.