Open Access

Models and Methods for Prioritizing Software Vulnerabilities Based on Business-Criticality Indicators and Probability of Exploitation

Author affiliation: CEO and Founder of Swordfish Security and Mobix Dubai, United Arab Emirates

Abstract

This article examines existing models and methods for vulnerability prioritization, including CVSS v3.1/v4.0, the EPSS v4 exploit prediction system and the SSVC v2 framework, together with their integration with asset business-criticality indicators and with evidence of real-world exploitation from CISA's Known Exploited Vulnerabilities Catalog (KEV). The study methodology is grounded in a systematic review of the academic literature, a content analysis of technical documentation, and a comparative assessment of the methods on a representative CVE dataset. Building on these findings, the author introduces a composite prioritization model, the Composite Vulnerability Priority Score (CVPS), which combines four signals – CVSS severity, EPSS exploit probability, KEV status, and asset business criticality – into a single index with configurable weighting coefficients. On the evaluation dataset, applying CVPS reduces the number of vulnerabilities requiring immediate response by approximately sevenfold while preserving high coverage of vulnerabilities with confirmed real-world exploitation. The results are of practical value for vulnerability-management specialists, chief information security officers, and those responsible for patch-management policy design.
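To make the four-signal composite concrete, the following is an added illustrative implementation written for this page; it is not the paper's CVPS formula, and the linear weighted-sum form, the weights, the 1–5 criticality scale, the 0.6 composite threshold and the sample backlog (placeholder labels, not CVE identifiers) are all assumptions. It rescales each signal to [0, 1], applies configurable weights, and contrasts the resulting immediate-response set with a CVSS-only baseline, checking how many KEV-listed findings each approach catches.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Vuln:
    """One finding carrying the four signals the composite model combines."""
    vid: str          # constructed label, not a real CVE identifier
    cvss: float       # CVSS base score, 0.0-10.0
    epss: float       # EPSS probability of exploitation, 0.0-1.0
    kev: bool         # True if listed in CISA's KEV catalog
    criticality: int  # business criticality of the affected asset, 1 (low) .. 5 (critical)


# Assumed weights for illustration; the paper's coefficients are not given in the abstract.
DEFAULT_WEIGHTS: Dict[str, float] = {
    "severity": 0.25, "probability": 0.35, "kev": 0.20, "criticality": 0.20,
}


def composite_score(v: Vuln, weights: Dict[str, float] = DEFAULT_WEIGHTS) -> float:
    """Weighted sum of the four signals, each rescaled to [0, 1]; the result is in [0, 1]."""
    if not (0.0 <= v.cvss <= 10.0 and 0.0 <= v.epss <= 1.0 and 1 <= v.criticality <= 5):
        raise ValueError(f"{v.vid}: signal out of range")
    signals = {
        "severity": v.cvss / 10.0,
        "probability": v.epss,
        "kev": 1.0 if v.kev else 0.0,
        "criticality": (v.criticality - 1) / 4.0,
    }
    total = sum(weights[k] for k in signals)          # normalise so weights need not sum to 1
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    return sum(weights[k] * s for k, s in signals.items()) / total


def triage(vulns: Iterable[Vuln], threshold: float = 0.6,
           weights: Dict[str, float] = DEFAULT_WEIGHTS, kev_is_floor: bool = True) -> List[str]:
    """Labels needing immediate response, highest composite score first.

    kev_is_floor mirrors the BOD 22-01 stance: a KEV-listed finding is never deferred,
    whatever its composite score.
    """
    scored = [(composite_score(v, weights), v) for v in vulns]
    chosen = [(s, v) for s, v in scored if s >= threshold or (kev_is_floor and v.kev)]
    chosen.sort(key=lambda sv: sv[0], reverse=True)
    return [v.vid for _, v in chosen]


def cvss_only_triage(vulns: Iterable[Vuln], threshold: float = 9.0) -> List[str]:
    """Baseline: every CVSS 'Critical' finding (>= 9.0) is immediate, highest score first."""
    chosen = sorted((v for v in vulns if v.cvss >= threshold), key=lambda v: v.cvss, reverse=True)
    return [v.vid for v in chosen]


def kev_coverage(immediate: Iterable[str], vulns: Iterable[Vuln]) -> float:
    """Share of KEV-listed findings that landed in the immediate set (1.0 = none missed)."""
    kev_ids = {v.vid for v in vulns if v.kev}
    if not kev_ids:
        return 1.0
    return len(kev_ids & set(immediate)) / len(kev_ids)


# Constructed sample backlog for the demonstration; labels are placeholders, not CVE identifiers.
SAMPLE = [
    Vuln("VULN-01", 9.8, 0.020, False, 1),   # critical CVSS, no exploit signal, low-value asset
    Vuln("VULN-02", 9.1, 0.010, False, 2),
    Vuln("VULN-03", 7.5, 0.940, True, 5),    # only 'High' CVSS but KEV-listed on a crown-jewel asset
    Vuln("VULN-04", 9.8, 0.880, True, 4),
    Vuln("VULN-05", 5.3, 0.005, False, 5),
    Vuln("VULN-06", 9.6, 0.040, False, 3),
    Vuln("VULN-07", 8.8, 0.710, False, 5),   # not in KEV yet, but high EPSS on a critical asset
    Vuln("VULN-08", 9.0, 0.030, False, 1),
    Vuln("VULN-09", 6.5, 0.600, True, 2),
    Vuln("VULN-10", 9.3, 0.020, False, 2),
]

if __name__ == "__main__":
    base = cvss_only_triage(SAMPLE)
    comp = triage(SAMPLE)
    print("CVSS-only immediate:", base, "KEV coverage:", round(kev_coverage(base, SAMPLE), 2))
    print("Composite immediate:", comp, "KEV coverage:", round(kev_coverage(comp, SAMPLE), 2))
```

On the constructed backlog the CVSS-only rule marks six findings as immediate yet catches only one of the three KEV-listed ones, while the composite rule marks four and catches all three; the exact reduction depends on the weights and threshold chosen, which is why the model keeps them configurable. The `kev_is_floor` switch is the practical caveat: any organisation subject to BOD 22-01 or a similar policy should treat KEV status as a hard floor rather than just another weighted term, otherwise a low criticality rating can push a known-exploited finding below the threshold.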

References

Jacobs, J., Romanosky, S., Adjerid, I., & Baker, W. (2021). Exploit prediction scoring system (EPSS). Digital Threats: Research and Practice, 2(3), 1–17. https://doi.org/10.1145/3436242
Spring, J. M., Householder, A. D., Hatleback, E., Manion, A., Oliver, M., Sarvepalli, V. S., Tyzenhaus, L., & Yarbrough, C. G. (2021). Prioritizing vulnerability response: A stakeholder-specific vulnerability categorization (Version 2.0). Carnegie Mellon University, Software Engineering Institute. https://doi.org/10.1184/R1/14527779
FIRST.org. (2023). CVSS v4.0 specification document. Retrieved from https://www.first.org/cvss/specification-document (accessed November 12, 2025).
FIRST.org. (2024). EPSS user guide. Retrieved from https://www.first.org/epss/user-guide (accessed November 19, 2025).
Cybersecurity and Infrastructure Security Agency. (2024). CISA stakeholder-specific vulnerability categorization guide. Retrieved from https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf (accessed November 27, 2025).
National Institute of Standards and Technology. (2022). Vulnerability metrics: CVSS. Retrieved from https://nvd.nist.gov/vuln-metrics/cvss (accessed December 4, 2025).
Sabetta, A., & Bezzi, M. (2018). A practical approach to the automatic classification of security-relevant commits. In Proceedings of the 2018 IEEE International Conference on Software Maintenance and Evolution (ICSME) (pp. 579–582). IEEE. https://doi.org/10.1109/ICSME.2018.00058
Bozorgi, M., Saul, L. K., Savage, S., & Voelker, G. M. (2010). Beyond heuristics: Learning to classify vulnerabilities and predict exploits. In Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 105–114). ACM. https://doi.org/10.1145/1835804.1835821
Allodi, L., & Massacci, F. (2014). Comparing vulnerability severity and exploits using case-control studies. ACM Transactions on Information and System Security, 17(1), 1–20. https://doi.org/10.1145/2630069
Holm, H. (2014). Signature based intrusion detection for zero-day attacks. In Proceedings of the 47th Hawaii International Conference on System Sciences (pp. 4895–4904). IEEE. https://doi.org/10.1109/HICSS.2014.601
Nappa, A., Johnson, R., Bilge, L., Caballero, J., & Dumitras, T. (2015). The attack of the clones: A study of the impact of shared code on vulnerability patching. In Proceedings of the 2015 IEEE Symposium on Security and Privacy (pp. 692–708). IEEE. https://doi.org/10.1109/SP.2015.48
Khera, Y., Kumar, D., Garg, N., & Rana, P. S. (2019). Analysis and impact of vulnerability assessment and penetration testing. In 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon) (pp. 525–530). IEEE. https://doi.org/10.1109/COMITCon.2019.8862195
Cheng, P., Wang, L., Jajodia, S., & Singhal, A. (2012). Aggregating CVSS base scores for semantics-rich network security metrics. In Proceedings of the 2012 IEEE 31st Symposium on Reliable Distributed Systems (pp. 31–40). IEEE. https://doi.org/10.1109/SRDS.2012.37
Cybersecurity and Infrastructure Security Agency. (2026). Known exploited vulnerabilities catalog. Retrieved from https://www.cisa.gov/known-exploited-vulnerabilities-catalog (accessed February 12, 2026).
National Institute of Standards and Technology. (2024). National vulnerability database statistics. Retrieved from https://nvd.nist.gov/general/nvd-dashboard (accessed December 21, 2025).
Google Cloud & Mandiant. (2024). M-Trends 2024 special report. Retrieved from https://services.google.com/fh/files/misc/m-trends-2024.pdf (accessed January 6, 2026).
Microsoft. (2024). Microsoft Digital Defense Report 2024. Retrieved from https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Microsoft%20Digital%20Defense%20Report%202024%20%281%29.pdf (accessed January 18, 2026).
Cybersecurity and Infrastructure Security Agency. (2021). BOD 22-01: Reducing the significant risk of known exploited vulnerabilities. Retrieved from https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities (accessed February 2, 2026).
Carnegie Mellon University, Software Engineering Institute. (2023). Modern vulnerability management. Retrieved from https://www.sei.cmu.edu/documents/5770/DSOC_DC_-_Modern_Vulnerability_Management.pdf (accessed February 14, 2026).
Jacobs, J., Romanosky, S., Halloran, B., Adjerid, I., & Baker, W. (2020). Improving vulnerability remediation through better exploit prediction. Journal of Cybersecurity, 6(1), tyaa015. https://doi.org/10.1093/cybsec/tyaa015
