Scoring Cyber Vulnerabilities based on Their Impact on Organizational Goals*

O. Keskin, Nick Gannon, B. Lopez, Unal Tatar
2021 Systems and Information Engineering Design Symposium (SIEDS), published 2021-04-30.
DOI: 10.1109/SIEDS52267.2021.9483741 (https://doi.org/10.1109/SIEDS52267.2021.9483741)
Citations: 3

Abstract

Vulnerability management, which is a vital part of risk and resiliency management efforts, is a continuous process of identifying, classifying, prioritizing, and removing vulnerabilities on devices that are likely to be used by attackers to compromise a network component. Because effective and efficient vulnerability management requires extensive resources, such as time and personnel, vulnerabilities should be prioritized based on their criticality. One of the most common methods to prioritize vulnerabilities is the Common Vulnerability Scoring System (CVSS). However, in its severity score, the National Institute of Standards and Technology (NIST) only provides the base metric values, which include exploitability and impact information for the known vulnerabilities, while acknowledging the importance of temporal and environmental characteristics for a more accurate vulnerability assessment. There is no established method for integrating these metrics. In this study, we created a testbed to assess vulnerabilities by considering the functional dependencies between vulnerable assets, other assets, and business processes. The experiment results revealed that a vulnerability’s severity changes significantly from its CVSS base score when the vulnerable asset’s characteristics and role inside the organization are considered.