Summary: 0018-9162/00/$10.00 © 2000 IEEE. Computer, p. 52
A Case Study
Complex information and communication
systems give rise to design, implementation,
and management errors. These errors can
lead to a vulnerability--a flaw in an information
technology product that could allow
violations of security policy.
Anecdotal evidence alone suggests that known and
patchable vulnerabilities cause the majority of system
intrusions. Although no empirical study has substantiated
this anecdotal evidence, none has refuted it either.
Nor have studies conducted to determine the number
of computers at risk for security breaches focused on
the intrusion trends of specific vulnerabilities [1, 2].
Here we propose a life-cycle model that describes