
The efficiency of ICT suppliers' product security incident response teams in reducing the risk of exploitation of vulnerabilities in the wild
Authors:
Journal: Computers & Security
Volume 152
ISSN: 0167-4048
DOI: 10.1016/j.cose.2025.104388
Pages: 104388-
Link: https://www.sciencedirect.com/science/article/abs/pii/S016740482500077X?via%3Dihub
Abstract:
Exploitation of vulnerabilities in digital products is among the key components of cyberattacks. Suppliers of digital products use different security-by-design practices, such as a product security incident response team (PSIRT), to respond to discovered vulnerabilities and minimise the cybersecurity risk. However, the efficiency of such practices, including PSIRT, remains underexplored. This paper evaluates the efficiency of PSIRT in reducing risks of exploitation of vulnerabilities 'in the wild' (i.e. their active use in real-world cyberattacks) using a customised model based on a randomised matched case-control design with data from authoritative public sources. Results show that PSIRT reduces the likelihood of exploitation by 17% (absolute risk reduction). Additionally, factors like the availability of a proof of concept for vulnerability exploitation, the type of supplier's industry, and the open-source nature of its products influence the risk, altering the absolute risk reduction by 10%, 3.6% and 2.2% respectively. The study confirms PSIRT as a good practice that cybersecurity practitioners – particularly large suppliers and suppliers to critical infrastructure – should consider in order to reduce the risk of vulnerability exploitation in the wild. It recommends coupling PSIRT with other security-by-design practices to maximise risk reduction. The proposed model allows researchers and practitioners to assess the efficiency of similar practices in reducing the risk of vulnerability exploitation.
Keywords: Vulnerability exploitation, Vulnerability management, Product security, Cybersecurity risks, Incident response, Security-by-design, Secure development lifecy
Publication categories:
Bibliographic references of Singidunum University faculty