{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T14:37:40Z","timestamp":1775745460399,"version":"3.50.1"},"reference-count":28,"publisher":"Elsevier BV","issue":"3","license":[{"start":{"date-parts":[[2007,5,1]],"date-time":"2007-05-01T00:00:00Z","timestamp":1177977600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Computers &amp; Security"],"published-print":{"date-parts":[[2007,5]]},"DOI":"10.1016\/j.cose.2006.10.002","type":"journal-article","created":{"date-parts":[[2006,11,30]],"date-time":"2006-11-30T14:34:49Z","timestamp":1164897289000},"page":"219-228","source":"Crossref","is-referenced-by-count":176,"title":["Measuring, analyzing and predicting security vulnerabilities in software systems"],"prefix":"10.1016","volume":"26","author":[{"given":"O.H.","family":"Alhazmi","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Y.K.","family":"Malaiya","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"I.","family":"Ray","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"78","reference":[{"key":"10.1016\/j.cose.2006.10.002_bib18","unstructured":"Alhazmi OH, Malaiya YK. Quantitative vulnerability assessment of systems software. In: Proceedings of 51st annual reliability and maintainability symposium, Alexandria, VA; January 2005. p. 615\u201320."},{"key":"10.1016\/j.cose.2006.10.002_bib20","unstructured":"Alhazmi OH, Malaiya YK. Modeling the vulnerability discovery process. In: International Symposium on Software Reliability Engineering; November 2005."},{"key":"10.1016\/j.cose.2006.10.002_bib19","doi-asserted-by":"crossref","unstructured":"Alhazmi OH, Malaiya YK, Ray I. Security vulnerabilities in software systems: a quantitative perspective. In: Proceedings of IFIP WG 11.3 working conference on data and applications security; August 2005. p. 281\u201394.","DOI":"10.1007\/11535706_21"},{"issue":"3","key":"10.1016\/j.cose.2006.10.002_bib11","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1145\/206826.206829","article-title":"Assessing computer security vulnerability","volume":"29","author":"Alves-Foss","year":"1995","journal-title":"Operating Systems Review"},{"key":"10.1016\/j.cose.2006.10.002_bib17","unstructured":"Anderson Ross. Security in open versus closed systems\u2014the dance of Boltzmann, Coase and Moore. In: Conference on open source software: economics, law and policy, Toulouse, France; June 2002. p. 1\u201315, http:\/\/www.ftp.cl.cam.ac.uk\/ftp\/users\/rja14\/toulouse.pdf."},{"issue":"12","key":"10.1016\/j.cose.2006.10.002_bib12","doi-asserted-by":"crossref","first-page":"52","DOI":"10.1109\/2.889093","article-title":"Windows of vulnerability: a case study analysis","volume":"33","author":"Arbaugh","year":"2000","journal-title":"IEEE Computer"},{"key":"10.1016\/j.cose.2006.10.002_bib10","series-title":"Proceedings of the 9th annual IEEE conference on computer assurance","first-page":"257","article-title":"On measurement of operational security","author":"Brocklehurst","year":"1994"},{"key":"10.1016\/j.cose.2006.10.002_bib13","doi-asserted-by":"crossref","unstructured":"Browne HK, Arbaugh WA, McHugh J, Fithen WL. A trend analysis of exploitation. In: Proceedings of the IEEE Symposium on Security and Privacy; May 2001. p. 214\u201329.","DOI":"10.1109\/SECPRI.2001.924300"},{"issue":"1","key":"10.1016\/j.cose.2006.10.002_bib22","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1109\/MS.2003.1159029","article-title":"Reducing internet-based intrusions: effective security patch management","volume":"20","author":"Brykczynski","year":"2003","journal-title":"IEEE Software"},{"key":"10.1016\/j.cose.2006.10.002_bib3","article-title":"Handbook of software reliability engineering","year":"1995"},{"issue":"3","key":"10.1016\/j.cose.2006.10.002_bib14","doi-asserted-by":"crossref","first-page":"235","DOI":"10.1109\/32.588541","article-title":"A quantitative model of the security intrusion process based on attacker behavior","volume":"24","author":"Jonsson","year":"1997","journal-title":"IEEE Transactions on Software Engineering"},{"issue":"2\/3","key":"10.1016\/j.cose.2006.10.002_bib9","doi-asserted-by":"crossref","first-page":"211","DOI":"10.3233\/JCS-1993-22-308","article-title":"Towards operational measures of computer security","volume":"2","author":"Littlewood","year":"1993","journal-title":"Journal of Computer Security"},{"key":"10.1016\/j.cose.2006.10.002_bib29","series-title":"CERT experience with security problems in software","author":"Longstaff","year":"2003"},{"key":"10.1016\/j.cose.2006.10.002_bib15","unstructured":"Madan BB, Goseva-Popstojanova K, Vaidyanathan K, Trivedi KS. Modeling and quantification of security attributes of software systems. In: Proceedings of the IEEE international performance and dependability symposium (IPDS 2002); June\u00a02002."},{"key":"10.1016\/j.cose.2006.10.002_bib5","doi-asserted-by":"crossref","unstructured":"Malaiya YK, Denton J. What do the software reliability growth model parameters represent? In: International symposium on software reliability engineering; 1997. p. 124\u201335.","DOI":"10.1109\/ISSRE.1997.630857"},{"key":"10.1016\/j.cose.2006.10.002_bib6","doi-asserted-by":"crossref","unstructured":"Malaiya YK, Denton J. Module size distribution and defect density. In: Proceedings of the IEEE international symposium on software reliability engineering; October 2000. p. 62\u201371.","DOI":"10.1109\/ISSRE.2000.885861"},{"issue":"2","key":"10.1016\/j.cose.2006.10.002_bib24","doi-asserted-by":"crossref","first-page":"59","DOI":"10.1109\/MSECP.2003.1193213","article-title":"From the ground up: the DIMACS software security\u00a0workshop","volume":"1","author":"McGraw","year":"2003","journal-title":"IEEE Security & Privacy"},{"issue":"3","key":"10.1016\/j.cose.2006.10.002_bib8","doi-asserted-by":"crossref","first-page":"309","DOI":"10.1145\/567793.567795","article-title":"Two case studies of open source software development: Apache and Mozilla","volume":"11","author":"Mockus","year":"2002","journal-title":"ACM Transactions on Software Engineering and Methodology"},{"key":"10.1016\/j.cose.2006.10.002_bib7","doi-asserted-by":"crossref","unstructured":"Mohagheghi P, Conradi R, Killi OM, Schwarz H. An empirical study of software reuse vs. defect-density. In: Proceedings of the 26th international conference on software engineering; May 2004. p. 282\u201391.","DOI":"10.1109\/ICSE.2004.1317450"},{"key":"10.1016\/j.cose.2006.10.002_bib4","series-title":"Software reliability measurement prediction application","author":"Musa","year":"1987"},{"key":"10.1016\/j.cose.2006.10.002_bib23","unstructured":"National Vulnerability Database; February 2005. <http:\/\/nvd.nist.gov>."},{"key":"10.1016\/j.cose.2006.10.002_bib21","author":"Ounce Labs"},{"key":"10.1016\/j.cose.2006.10.002_bib2","series-title":"Security in computing","author":"Pfleeger","year":"1997"},{"key":"10.1016\/j.cose.2006.10.002_bib28","author":"Red Hat Bugzilla"},{"issue":"1","key":"10.1016\/j.cose.2006.10.002_bib16","first-page":"14","article-title":"Is finding security holes a good idea?","volume":"3","author":"Rescorla","year":"2005","journal-title":"Economics of Information Security"},{"key":"10.1016\/j.cose.2006.10.002_bib25","author":"Rodrigues"},{"key":"10.1016\/j.cose.2006.10.002_bib1","series-title":"Responding to computer security incidents","author":"Schultz","year":"1990"},{"key":"10.1016\/j.cose.2006.10.002_bib27","author":"The MITRE Corporation"}],"container-title":["Computers &amp; Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404806001520?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404806001520?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2025,1,12]],"date-time":"2025-01-12T06:06:35Z","timestamp":1736661995000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404806001520"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2007,5]]},"references-count":28,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2007,5]]}},"alternative-id":["S0167404806001520"],"URL":"https:\/\/doi.org\/10.1016\/j.cose.2006.10.002","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2007,5]]}}}