A dissertation submitted to the ETH Zurich


Stefan Frei


Global Internet penetration and e-commerce have grown explosively over the past years. Today, information technology has become a backbone of our industry and everyday life. We would intuitively expect such an important technology to be well- monitored and protected. However, no one would dispute that the constant discovery of new vulnerabilities drives the security risks we are constantly exposed to. As risk awareness is an essential factor in human decision making, we are in need of metrics to measure and monitor the risk exposure of our networked economy and society. Research on the economic consequences of cyber attacks has dealt primarily with microanalysis of specific events, technologies or targeted organizations. The measurement of the cumulated number of disclosed vulnerabilities over time is an interesting and often cited indicator of the increasing risk exposure. However, this measure alone is not sufficient for an analysis or understanding of the processes driving risk exposure. Accurate knowledge of the vulnerability discovery-, exploit-, disclosure-, and patch-time (the lifecycle of a vulnerability) allows one to identify different types of risk and to quantify the risk exposure and evolution thereof at global scale. A metric based on the vulnerability lifecycle is vital to better understand the security ecosystem. We build a comprehensive dataset of 30,000 vulnerabilities publicly disclosed since 1996 to reconstruct the vulnerability lifecycle. Based on this data we analyze the risk exposure and evolution thereof from a macroeconomic perspective.