A Stakeholder-Specific Vulnerability Categorization

Abstract

I think vulnerability management actually means a few different things to a few different people. In our situation, we really talk about it as the thing that happens at the vendor, who produces the software and needs to fix something. They need to analyze reports that they receive and triage them and do things, make decisions about how they are going to prioritize their efforts. Then they release patches. There are folks who have that software deployed in their networks, and they need to deploy that. They also probably need to make prioritization decisions about what they are doing, what they should do next, and how quickly they should patch things because it is not always possible to patch everything. There are also some aspects of scanning for vulnerabilities and doing penetration tests and whatever to find out what is wrong in your network and going and remediating those things as well.

Document Details

Document Type: Technical Report
Publication Date: Jan 01, 2021
Accession Number: AD1146956

Entities

People

  • Allen Householder
  • Eric Hatleback
  • Jonathan Spring

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Biomedical
  • Cyber
  • Energy and Power Technologies
  • Human Systems

DTIC Thesaurus Topics

  • Computers
  • Computing Devices
  • Control Systems
  • Data Leakages
  • Department Of Defense
  • Directories
  • Electronic Mail
  • Engineering
  • Feedback
  • Industrial Control Systems
  • Information Security
  • Internet
  • Internet Of Things
  • Networks
  • Online Communications
  • Risk
  • Security
  • Social Media
  • Software Development
  • Vulnerability

Readers

  • Cybersecurity
  • Educational Psychology