Fix What First? Using SSVC to Prioritize Vulnerability Response

Abstract

We propose a Stakeholder-Specific Vulnerability Categorization (SSVC) as an improvement.

  • Focus is on decisions, not technical severity.
  • Transparent, role-specific recommendations.
  • Experiment design to test process consistency.
  • Communication between analysts and risk managers:
    - Analysts know what the risk manager chooses.
    - Risk managers know what analysts will decide on vulnerabilities consistently.

Thanks to my co-authors, conference attendees, and GitHub contributors who have helped improve SSVC so far.

Document Details

Document Type
Technical Report
Publication Date
Apr 28, 2023
Accession Number
AD1199673

Entities

People

  • Leigh Metcalf

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Human Systems

DTIC Thesaurus Topics

  • Computer Network Security
  • Consistency
  • Contracts
  • Copyrights
  • Department Of Defense
  • Engineering
  • Governments
  • Guarantees
  • Materials
  • Patents
  • Software Development
  • Trademarks
  • Universities
  • Vulnerability