Organizational Security Resource Estimation via Vulnerability Queueing

TL;DR

This paper introduces a queueing-based model to estimate an organization's cyber resources from vulnerability data, capturing attack-defense dynamics more accurately than static metrics.

Contribution

It presents a novel non-stationary queueing framework with segmentation and GMM fitting to estimate resources from vulnerability timestamps, improving dynamic attack surface analysis.

Findings

Achieves 91-96% accuracy in resource estimation.

Effectively models attack surface dynamics using queueing abstractions.

Exposes resource bottlenecks for proactive cyber-risk management.

Abstract

We provide an approach that closely estimates an organization's cyber resources directly from vulnerability timestamps, using a non-stationary queueing framework. Traditional attack-surface metrics operate on static snapshots, ignoring the core attack-defense dynamics within information systems, which exhibit bursty, heavy-tailed, and capacity-constrained behavior. Our approach to modeling such dynamics is based on a queueing abstraction of attack surfaces. We utilize a segmentation method to identify piecewise-stationary regimes via Gaussian mixture modeling (GMM) of queue length distributions. We fit segment-specific arrival, service, and resource parameters through the minimization of Kullback--Leibler divergence (KL) between the empirical and estimated distributions. Applied to both large-scale software supply chain data and multi-year private logistics enterprise cyber-ticket workflows, the model estimates organizational resources, measured in the time-varying active personnel and output rate per personnel, solely from bug report and fix timings for software supply chains, and discovery and patch timestamps in the enterprise setting. Our results provide 91--96\% accuracy in resource estimation, making the dynamic queueing framework a compelling approach for understanding attack surface dynamics. Further, our framework exposes resource bottlenecks, establishing a foundation for predictive workforce planning, patch-race modeling, and proactive cyber-risk management.