Threats to cyber security are now evolving so rapidly that organisations are struggling to keep on top of them – but two researchers at Glasgow Caledonian University believe they have found a solution.

Dr Mehdi Yousefi and Riccardo Lazzarini, of GCU’s School of Computing, Engineering and Built Environment, have developed a tool which helps organisations triage cyber threats and focus their resources on the most critical.

The researchers said the rate at which software vulnerabilities are discovered is growing. The National Vulnerability Database includes hundreds of thousands of vulnerabilities, and 10% of these entries were added in the past year alone.

Their tool uses artificial intelligence to scan an organisation’s network infrastructure and services to find vulnerabilities. It then monitors several factors: how easy each vulnerability is to exploit, the time it takes to exploit each vulnerability and the current availability of code that is able to exploit the vulnerability. Once these factors are established, the tool ranks the threats in order of which the organisation should focus on tackling them. 

Dr Yousefi said: “With so many vulnerabilities, how do companies’ cyber security analysts decide which ones to deal with first, given they cannot deal with them all? Our main objective was to help them prioritise which vulnerabilities to mitigate first.”

Mr Lazzarini added: “As security threats continue to evolve, the need to protect intellectual property, supply chains, brands, shareholder value and other digital assets has never been more critical.

“Advances in cyber security need to keep pace with today’s cyber risks. Organisations therefore find themselves in a position where most off-the-shelf solutions are no longer sufficient to address the risk. That is where we believe our tool could play a vital role.”

The researchers’ Vulnerability Prioritisation Tool was backed by Innovate UK’s Cyber Security Academic Startup Accelerator Programme. The researchers are now looking to take the product to market, aiming at medium-sized organisations which may not have the resources to invest in a dedicated full-time cyber-security team.