Prioritizing Vulnerability Response: A Stakeholder Specific Vulnerability Categorization

Abstract

This report is the second part of a research agenda about prioritizing actions during vulnerability management. Many organizations use the Common Vulnerability Scoring System (CVSS) for this purpose today. For problems with CVSS as it is, see the first part of our research agenda: Towards Improving CVSS. This report presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some problems with CVSS. Our informed hypothesis takes the form of decision trees for different vulnerability management communities. We welcome others to test and improve it. This report proposes a functional system to make our proposal concrete, as well as preliminary tests of its usefulness. However, our proposal is a detailed hypothesis to test, or a conversation starter, not a final proposal. In so far as is practical, we aim to avoid one-size-fits-all solutions. The stakeholders in vulnerability management are diverse, and that diversity needs to be accommodated in the main functionality, rather than squeezed into hard-to-use optional features.

Document Details

Document Type
Technical Report
Publication Date
Nov 01, 2019
Accession Number
AD1088910

Entities

People

  • Allen Householder
  • Art Manion
  • Deana Shick
  • Eric Hatleback
  • Jonathan M. Spring

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber
  • Human Systems

DTIC Thesaurus Topics

  • Commerce
  • Computer Network Security
  • Computer Networks
  • Computer Programming
  • Computer Programs
  • Computers
  • Department Of Homeland Security
  • Emergency Response
  • Information Systems
  • Mobile Devices
  • Mobile Operating Systems
  • Mobile Phones
  • Operating Systems
  • Pilot Studies
  • Public Policy
  • Software Development
  • Word Processors

Readers

  • Instructional Design and Training Evaluation
  • Military Logistics and Supply Chain Management
  • Systems Analysis and Design