PriMera Scientific Engineering (ISSN: 2834-2550)

Research Article

Volume 5 Issue 5

Synergizing Human Expertise, Automation, and Artificial Intelligence for Vulnerability Management

Mehdi Saadallah*, Abbas Shahim, and Svetlana Khapova

October 18, 2024

Abstract

Fast-growing digital trends have expanded the threat landscape of cyber-attacks, placing unprecedented burdens on organizations to manage vulnerabilities effectively. This study investigated, over two years, the complex relationship between human expertise and technological solutions in cybersecurity vulnerability management (VM) at a leading fast-moving consumer goods (FMCG) company operating internationally across multiple countries on both on-premises and cloud infrastructure. It introduces the tensions arising from this duality, and an AI-driven scoring methodology designed to streamline the end-to-end vulnerability management process and to offer a more dynamic and contextualized risk assessment than traditional scoring methods such as the Common Vulnerability Scoring System (CVSS) provide. Rooted in sociotechnical systems theory (STS), actor-network theory (ANT), and the resource-based view (RBV), the research bridges the gap between technological reliance and human interpretive skill, two dominant but often disconnected aspects of VM. The paper highlights the benefit to VM of a symbiotic relationship between humans and technology, showing how artificial intelligence (AI) and automation can mitigate the limitations of human-centric approaches and how humans can address the contextual limitations of technology, resulting in a win-win approach. The findings set the orientation for a nascent stream of academic research on the relationship between humans and AI in vulnerability management, and for practical applications of vulnerability scoring in cybersecurity.

Keywords: Vulnerability management; Artificial intelligence; Automation; Human aspects of security; Technology vs. human expertise; Vulnerability scoring; CVSS
