Saved in:
Bibliographic Details
Main Authors: Etcibasi, Abdullah Y., Dobos, Zachary, Koksal, C. Emre
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2604.10250
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866918440764178432
author Etcibasi, Abdullah Y.
Dobos, Zachary
Koksal, C. Emre
author_facet Etcibasi, Abdullah Y.
Dobos, Zachary
Koksal, C. Emre
contents We provide an approach that closely estimates an organization's cyber resources directly from vulnerability timestamps, using a non-stationary queueing framework. Traditional attack-surface metrics operate on static snapshots, ignoring the core attack-defense dynamics within information systems, which exhibit bursty, heavy-tailed, and capacity-constrained behavior. Our approach to modeling such dynamics is based on a queueing abstraction of attack surfaces. We utilize a segmentation method to identify piecewise-stationary regimes via Gaussian mixture modeling (GMM) of queue length distributions. We fit segment-specific arrival, service, and resource parameters through the minimization of Kullback--Leibler divergence (KL) between the empirical and estimated distributions. Applied to both large-scale software supply chain data and multi-year private logistics enterprise cyber-ticket workflows, the model estimates organizational resources, measured in the time-varying active personnel and output rate per personnel, solely from bug report and fix timings for software supply chains, and discovery and patch timestamps in the enterprise setting. Our results provide 91--96\% accuracy in resource estimation, making the dynamic queueing framework a compelling approach for understanding attack surface dynamics. Further, our framework exposes resource bottlenecks, establishing a foundation for predictive workforce planning, patch-race modeling, and proactive cyber-risk management.
format Preprint
id arxiv_https___arxiv_org_abs_2604_10250
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Organizational Security Resource Estimation via Vulnerability Queueing
Etcibasi, Abdullah Y.
Dobos, Zachary
Koksal, C. Emre
Cryptography and Security
Software Engineering
Signal Processing
We provide an approach that closely estimates an organization's cyber resources directly from vulnerability timestamps, using a non-stationary queueing framework. Traditional attack-surface metrics operate on static snapshots, ignoring the core attack-defense dynamics within information systems, which exhibit bursty, heavy-tailed, and capacity-constrained behavior. Our approach to modeling such dynamics is based on a queueing abstraction of attack surfaces. We utilize a segmentation method to identify piecewise-stationary regimes via Gaussian mixture modeling (GMM) of queue length distributions. We fit segment-specific arrival, service, and resource parameters through the minimization of Kullback--Leibler divergence (KL) between the empirical and estimated distributions. Applied to both large-scale software supply chain data and multi-year private logistics enterprise cyber-ticket workflows, the model estimates organizational resources, measured in the time-varying active personnel and output rate per personnel, solely from bug report and fix timings for software supply chains, and discovery and patch timestamps in the enterprise setting. Our results provide 91--96\% accuracy in resource estimation, making the dynamic queueing framework a compelling approach for understanding attack surface dynamics. Further, our framework exposes resource bottlenecks, establishing a foundation for predictive workforce planning, patch-race modeling, and proactive cyber-risk management.
title Organizational Security Resource Estimation via Vulnerability Queueing
topic Cryptography and Security
Software Engineering
Signal Processing
url https://arxiv.org/abs/2604.10250