Organizational Security Resource Estimation via… — Plain-Language Explanation

✨

This is an AI-generated explanation of the paper below. It is not written or endorsed by the authors. For technical accuracy, refer to the original paper. Read full disclaimer

Imagine a massive, chaotic fire station.

Every day, new fires (vulnerabilities) break out in a city (the organization's computer systems). Some are small kitchen fires; some are massive warehouse blazes. The fire department has a team of firefighters (the IT security team) who rush to put them out.

The Problem:
Traditional security managers look at a photo of the fire station taken once a month. They count how many fires are currently burning and say, "We have 50 fires, so we need 50 firefighters."

But this is wrong. Why?

Fires don't start evenly: Sometimes, a whole neighborhood catches fire at once (a "burst"). Other times, it's quiet.
The team changes: The number of firefighters on duty changes. Sometimes they are tired, sometimes they have new equipment, sometimes they are sick.
The backlog: If fires start faster than they can be put out, a "line" of burning buildings grows. This line is the Attack Surface.

The old way of measuring security ignores the line. It doesn't tell you if the fire station is overwhelmed or if they are just waiting for the next fire.

The New Solution: The "Queueing" Detective
This paper introduces a new way to look at the fire station. Instead of taking a photo, the authors treat the fire station like a queue (a line at a coffee shop) that is constantly moving.

They use a clever trick to figure out how many firefighters are actually working and how fast they are working, even if no one ever told them the numbers. They do this by watching the timestamps of when fires start and when they are put out.

Here is how their method works, broken down into simple steps:

1. The "Traffic Jam" Analogy

Think of the unpatched vulnerabilities as cars stuck in traffic.

Arrivals: New cars entering the highway (new bugs found).
Service: Cars exiting the highway (bugs being fixed).
The Queue: The line of cars waiting to exit.

The authors realized that traffic doesn't flow smoothly. It comes in waves. Sometimes the highway is empty; sometimes it's a gridlock.

2. Cutting the Movie into Scenes

Because the traffic flow changes so much, you can't describe the whole day with one rule. So, the authors cut the timeline into scenes (segments).

Scene A: Maybe it's a rainy Tuesday morning; traffic is heavy and slow.
Scene B: Maybe it's a sunny Friday afternoon; traffic is light and fast.

They use a mathematical tool (called a Gaussian Mixture Model) to automatically find these scenes. It's like a smart editor who watches the traffic camera and says, "Okay, the rules changed at 9:00 AM. Let's treat 9:00 AM to 11:00 AM as one scene, and 11:00 AM to 1:00 PM as another."

3. The "Reverse Engineering" Magic

Once they have the scenes, they play a guessing game.

They know how many cars were in the line at every second.
They know when cars arrived and left.
The Question: "How many firefighters (servers) and how fast were they working to create exactly this line of traffic?"

They run thousands of computer simulations, tweaking the number of firefighters and their speed until the simulated traffic line looks exactly like the real one. When the lines match, they know they've found the "secret recipe" of the organization's resources.

4. What They Found

They tested this on two real-world "fire stations":

Open Source Software: Like a giant, public library of code where anyone can find bugs.
A Huge Logistics Company: A private company with thousands of employees and complex IT systems.

The Results were amazing:

They could predict the number of people working on security with 91-96% accuracy, just by looking at the timestamps of bug reports.
They discovered that while the number of people stayed mostly the same, their speed (productivity) changed wildly depending on the time of year or specific events (like a pandemic or a new software update).
They found "bottlenecks"—times when the line was growing not because there were too many fires, but because the firefighters were working slower than usual.

Why Does This Matter?

This is like having a crystal ball for security managers.

No more guessing: You don't need to ask, "How many people do we have?" The data tells you.
Better planning: If you see the "line" growing in the simulation, you know you need to hire more people before the system crashes.
Understanding the "Why": It helps leaders see if a backlog is due to too many attacks or a lack of resources.

In short: This paper turns a messy, chaotic list of bug reports into a clear story about how many heroes are fighting the fire, how fast they are running, and when the fire station is about to get overwhelmed. It turns "security data" into "security intelligence."

1. Problem Statement

Traditional cybersecurity metrics (e.g., mean patch time, average open tickets) rely on static snapshots of an organization's attack surface. These metrics fail to capture the inherent non-stationary, bursty, and heavy-tailed dynamics of vulnerability discovery and patching.

The Gap: Existing models do not account for the temporal evolution of backlogs, resource constraints, or the fluctuating capacity of defensive teams. Consequently, they are insufficient for predictive workforce planning and dynamic risk assessment.
The Challenge: Organizations need a method to reconstruct latent operational parameters (specifically, the effective number of security personnel and their throughput capacity) solely from event logs (vulnerability discovery and patch timestamps), without access to internal HR or staffing data.

2. Methodology

The authors propose a non-stationary dynamic queueing framework that models the attack surface as a stochastic system where vulnerabilities are "jobs" and patches are "services."

A. System Model: G/G/m-b Queue

The attack surface is abstracted as a G/G/m-b queueing system:

Arrivals ( $V(t)$ ): Vulnerabilities arrive stochastically (bursty, heavy-tailed).
Departures ( $N_d(t)$ ): Vulnerabilities are removed via defensive actions (patching) or exploitation.
Servers ( $m$ ): Represents the effective number of active defensive agents (personnel).
Capacity ( $b$ ): Represents the aggregate service rate (total throughput of the organization).
State ( $N(t)$ ): The instantaneous queue length (number of unpatched vulnerabilities).
Equation: $N(t + 1) = [N(t) + V(t) - N_d(t)]_+$ , where $[x]_+$ ensures non-negativity.

B. Segmented Non-Stationary Framework

Since the system is non-stationary (parameters change over time), the authors employ a multi-stage segmentation approach:

Empirical QLD Construction: Construct a time-averaged Queue Length Distribution (QLD) from event logs.
Gaussian Mixture Modeling (GMM): Fit a GMM to the empirical QLD to identify distinct quasi-stationary regimes (modes representing different load conditions).
Segmentation: Partition the timeline into contiguous intervals where the system behaves quasi-stationarily, aligning these intervals with the GMM components.
Parameter Estimation via KL Minimization: For each segment, estimate the parameters $\theta = \{m, b, F_{IA}, F_{ST}\}$ $θ = {m, b, F_{I A}, F_{S T}}$ (servers, capacity, inter-arrival distribution, service time distribution) by minimizing the Kullback-Leibler (KL) divergence between the empirical QLD and a simulated QLD generated by the candidate model.
- Optimization: $\theta^* = \arg \min_{\theta} D_{KL}(\hat{P} \parallel P(\cdot, \theta))$

C. Data Sources

The framework was validated on two distinct datasets:

ARVO (Software Supply Chain): Public data from Google's OSS-Fuzz (2017–2024) containing ~4,000 reproducible C/C++ vulnerabilities.
Logistics Enterprise (Private): Multi-year (2019–2025) internal ticketing data from a global logistics company, including discovery and resolution timestamps.

3. Key Contributions

Dynamic Queueing Abstraction: A novel framework modeling the attack surface as a capacity-constrained, non-stationary queueing system (G/G/m-b) rather than a static risk graph.
Segmented Modeling: Introduction of a data-driven algorithm that uses GMM and KL divergence to identify quasi-stationary regimes and reconstruct time-varying resource parameters ( $m(t)$ and $b(t)$ ) directly from event logs.
Latent Resource Inference: Demonstration that the model can accurately infer effective workforce size and throughput capacity without explicit staffing data, achieving high fidelity with ground truth in the enterprise dataset.
Heavy-Tailed Characterization: Empirical validation that vulnerability arrivals and service times exhibit heavy-tailed behavior, necessitating complex distribution fitting (e.g., Log-Logistic, Generalized Pareto) over simple exponential models.

4. Results

The framework was rigorously tested against empirical data and ground truth where available.

Model Fidelity:
- ARVO Dataset: The segmented G/G/m-b model achieved a KL divergence of 0.109 against the empirical QLD, closely matching the bootstrap baseline (0.106) and significantly outperforming stationary assumptions.
- Enterprise Dataset: The model achieved a KL divergence of 0.05355, demonstrating high distributional fidelity.
Resource Estimation Accuracy:
- Workforce Size ( $m$ ): In the enterprise dataset, the inferred number of active personnel was within 1–5% of the actual observed staffing levels across different time segments.
- Throughput ( $b$ ): The estimated aggregate capacity (jobs/day) tracked observed throughput with a relative error of approximately 9%.
- Dynamic Tracking: The model successfully detected shifts in organizational capacity, such as a drop in throughput from ~33 jobs/day to ~14 jobs/day in the enterprise dataset, correlating with observed operational changes.
Distributional Insights:
- Inter-arrival times (IA) and Service Times (ST) were found to be heavy-tailed.
- The model identified that while the number of servers ( $m$ ) remained relatively stable in the enterprise dataset, the aggregate capacity ( $b$ ) fluctuated significantly, indicating changes in efficiency or intensity rather than just headcount.

5. Significance and Impact

Predictive Workforce Planning: The framework provides a quantitative tool for security leaders to estimate current staffing levels and predict future resource needs based on projected attack intensities.
Proactive Risk Management: By identifying resource bottlenecks and regime shifts (e.g., sudden spikes in backlog due to new tools or events), organizations can proactively adjust resource allocation before critical vulnerabilities are exploited.
Patch-Race Modeling: The model offers a foundation for simulating "patch races" (the competition between attackers exploiting vulnerabilities and defenders patching them) under dynamic resource constraints.
Data Efficiency: It proves that deep operational insights can be derived from standard event logs (timestamps) without requiring access to sensitive HR or internal workflow data, making it applicable to both public supply chains and private enterprises.

In conclusion, this paper moves beyond static risk metrics to provide a dynamic, physics-based understanding of cyber defense operations, enabling organizations to treat their attack surface as a manageable, evolving dynamical system.

Organizational Security Resource Estimation via Vulnerability Queueing