Firms and organizations are increasingly facing security issues related to vulnerabilities in their information systems. Firms, especially small and medium-sized enterprises, usually have very limited security resources and thus have difficulty understanding vulnerabilities and fixing them accordingly. This study aims to build a general framework that can help firms understand the characteristics of vulnerabilities in information systems: for instance, what category a specific vulnerability belongs to, what potential risks it poses, and what the key clues are to addressing it. To this end, we collect data on real vulnerabilities that have emerged in firms’ information systems from a popular vulnerability report platform. Features are extracted at four different levels, namely, the word, phrase, topic, and record levels. The experimental results show that the general framework helps characterize the modes and patterns of various types of vulnerabilities. This study contributes to the security literature by providing a deeper understanding of the characteristics of vulnerabilities and their related suggested solutions. Firms can apply this framework to ensure information security.
Bibliographical noteThis work was supported in part by grants from the National Natural Science Foundation of China (Grant No. 71801014), the Beijing Social Science Foundation (Grant No. 17GLC069), and the Ministry of Finance of the People's Republic of China (Grant CJ  No. 281).
- information security
- risk-level prediction
- topic analysis