The Impact of Good Practices on the Security of Digital Products and the Limitation of Offensive Cyber Operations

Mentor: Professor Aleksandar Jevremović, Ph.D.

Institution: Univerzitet Singidunum, Beograd, Beograd, Srbija, 2025

Abstract
Vulnerabilities in digital products are a critical enabler of offensive cyber operations. States increasingly procure and exploit vulnerabilities, contributing to cyber armament and systemic insecurity in cyberspace. Alongside diplomatic, normative, and regulatory initiatives, an important pathway to constraining this trend is reducing vulnerabilities through security-by-design and vulnerability management practices. While leading technology suppliers have developed a range of such practices, including Product Security Incident Response Teams (PSIRT) as the unit responsible for managing vulnerabilities, there remains a lack of empirical methodologies for assessing whether these practices measurably reduce vulnerability exploitation in real-world scenarios. This thesis investigates the effectiveness of industry security-by-design practices, with a focus on PSIRT, in reducing the likelihood of active vulnerability exploitation and explores the implications for offensive cyber operations. Drawing on a structured review of academic literature, standards, political and regulatory approaches, and industry practices, it discusses the reality of cyber armament and the related role of vulnerability exploitation, analyses industry practices for vulnerability management, and identifies gaps in existing methods for assessing their real-world impact. In response, it proposes a novel and reusable methodology for evaluating the effectiveness of security-by-design practices, based on a randomised matched case-control design. Applying this methodology to publicly available data demonstrates that the presence of a PSIRT within a supplier is associated with a statistically significant absolute risk reduction of 17% in exploitation likelihood.
Through a broader interpretation of the results, the study concludes that PSIRT constitutes a meaningful security-by-design practice that measurably reduces the likelihood of active vulnerability exploitation and, when embedded within a broader ecosystem of secure development, regulatory and political measures, increases the cost, uncertainty, and operational risk of exploit-based attacks. It thereby supports, but does not alone determine, the potential of industry practices to constrain sophisticated offensive cyber operations. The proposed methodology enables future empirical research on security practices and evidence-based evaluation of their security and geopolitical impact.
Keywords: vulnerabilities, security-by-design, security of digital products, secure development lifecycle, cyberattacks, offensive cyber capabilities, offensive cyber operations
Download citation:

BibTeX format
@phdthesis{Radunović-2025-phd,
  author = {Vladimir Radunović},
  title  = {The Impact of Good Practices on the Security of Digital Products and the Limitation of Offensive Cyber Operations},
  school = {Univerzitet Singidunum, Beograd, Beograd, Srbija},
  year   = 2025
}
RefWorks Tagged format
RT Dissertation
A1 Vladimir Radunović
T1 The Impact of Good Practices on the Security of Digital Products and the Limitation of Offensive Cyber Operations
AD Univerzitet Singidunum, Beograd, Beograd, Srbija
YR 2025
SF doctoral dissertation; research
Pre-formatted citation
V. Radunović. (2025). The Impact of Good Practices on the Security of Digital Products and the Limitation of Offensive Cyber Operations (Doctoral dissertation), Univerzitet Singidunum, Beograd