Open Access
Models and Methods for Prioritizing Software Vulnerabilities Based on Business-Criticality Indicators and Probability of Exploitation
4
CEO and Founder of Swordfish Security and Mobix Dubai, United Arab Emirates
Abstract
This article examines existing models and methods for vulnerability prioritization, including CVSS v3.1/v4.0, the EPSS v4 exploit prediction system, the SSVC v2 framework, as well as their integration with asset business-criticality indicators and information on real-world exploitation based on CISA’s Known Exploited Vulnerabilities Catalog (KEV). The study methodology is grounded in a systematic review of the academic literature, a content analysis of technical documentation, and a comparative assessment of methods on a representative CVE dataset. Based on the findings, a composite prioritization model proposed by the author is introduced; it combines four signals – severity, probability, KEV status, and business criticality – into a single index with configurable weighting coefficients. It is shown that the application of the Composite Vulnerability Priority Score (CVPS) reduces the volume of vulnerabilities requiring immediate response by approximately sevenfold while preserving a high level of coverage of genuinely exploited threats. The results are of practical value for vulnerability-management specialists, chief information security officers, and those responsible for patch-management policy design.
Keywords
vulnerability prioritization,
CVSS,
EPSS,
SSVC,
business criticality,
vulnerability management,
KEV,
machine learning,
cybersecurity,
risk-based approach,
patch management.
References
Jacobs, J., Romanosky, S., Adjerid, I., & Baker, W. (2021). Exploit prediction scoring system (EPSS). Digital Threats: Research and Practice, 2(3), 1–17. https://doi.org/10.1145/3436242.
Spring, J. M., Householder, A. D., Hatleback, E., Manion, A., Oliver, M., Sarvepalli, V. S., Tyzenhaus, L., & Yarbrough, C. G. (2021). Prioritizing vulnerability response: A stakeholder-specific vulnerability categorization (Version 2.0). Carnegie Mellon University, Software Engineering Institute. https://doi.org/10.1184/R1/14527779.
FIRST.org. (2023). CVSS v4.0 specification document. Retrieved from: https://www.first.org/cvss/specification-document (date accessed: November 12, 2025).
FIRST.org. (2024). EPSS user guide. Retrieved from: https://www.first.org/epss/user-guide (date accessed: November 19, 2025).
Cybersecurity and Infrastructure Security Agency. (2024). CISA stakeholder-specific vulnerability categorization guide. Retrieved from: https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf (date accessed: November 27, 2025).
National Institute of Standards and Technology. (2022). Vulnerability metrics: CVSS. Retrieved from: https://nvd.nist.gov/vuln-metrics/cvss (date accessed: December 4, 2025).
Sabetta, A., & Bezzi, M. (2018). A practical approach to the automatic classification of security-relevant commits. In Proceedings of the 2018 IEEE International Conference on Software Maintenance and Evolution (ICSME) (pp. 579–582). IEEE. https://doi.org/10.1109/ICSME.2018.00058.
Bozorgi, M., Saul, L. K., Savage, S., & Voelker, G. M. (2010). Beyond heuristics: Learning to classify vulnerabilities and predict exploits. In Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 105–114). ACM. https://doi.org/10.1145/1835804.1835821.
Allodi, L., & Massacci, F. (2014). Comparing vulnerability severity and exploits using case-control studies. ACM Transactions on Information and System Security, 17(1), 1–20. https://doi.org/10.1145/2630069.
Holm, H. (2014). Signature based intrusion detection for zero-day attacks. In Proceedings of the 47th Hawaii International Conference on System Sciences (pp. 4895–4904). IEEE. https://doi.org/10.1109/HICSS.2014.601.
Nappa, A., Johnson, R., Bilge, L., Caballero, J., & Dumitras, T. (2015). The attack of the clones: A study of the impact of shared code on vulnerability patching. In Proceedings of the 2015 IEEE Symposium on Security and Privacy (pp. 692–708). IEEE. https://doi.org/10.1109/SP.2015.48.
Khera, Y., Kumar, D., Garg, N., & Rana, P. S. (2019). Analysis and impact of vulnerability assessment and penetration testing. In 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon) (pp. 525–530). IEEE. https://doi.org/10.1109/COMITCon.2019.8862195.
Cheng, P., Wang, L., Jajodia, S., & Singhal, A. (2012). Aggregating CVSS base scores for semantics-rich network security metrics. In Proceedings of the 2012 IEEE 31st Symposium on Reliable Distributed Systems (pp. 31–40). IEEE. https://doi.org/10.1109/SRDS.2012.37.
Cybersecurity and Infrastructure Security Agency. (2026). Known exploited vulnerabilities catalog. Retrieved from: https://www.cisa.gov/known-exploited-vulnerabilities-catalog (date accessed: February 12, 2026).
National Institute of Standards and Technology. (2024). National vulnerability database statistics. Retrieved from: https://nvd.nist.gov/general/nvd-dashboard (date accessed: December 21, 2025).
Google Cloud & Mandiant. (2024). M-Trends 2024 special report. Retrieved from: https://services.google.com/fh/files/misc/m-trends-2024.pdf (date accessed: January 6, 2026).
Microsoft. (2024). Microsoft Digital Defense Report 2024. Retrieved from: https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Microsoft%20Digital%20Defense%20Report%202024%20%281%29.pdf (date accessed: January 18, 2026).
Cybersecurity and Infrastructure Security Agency. (2021). BOD 22-01: Reducing the significant risk of known exploited vulnerabilities. Retrieved from: https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities (date accessed: February 2, 2026).
Carnegie Mellon University, Software Engineering Institute. (2023). Modern vulnerability management. Retrieved from: https://www.sei.cmu.edu/documents/5770/DSOC_DC_-_Modern_Vulnerability_Management.pdf (date accessed: February 14, 2026).
Jacobs, J., Romanosky, S., Halloran, B., Adjerid, I., & Baker, W. (2020). Improving vulnerability remediation through better exploit prediction. Journal of Cybersecurity, 6(1), tyaa015. https://doi.org/10.1093/cybsec/tyaa015.
Similar Articles
- Dr. Rohan Verma, Dr. Sneha Kulkarni, Machine-Learning Architectures enabling Human Trait Verification Alternatives within Risk-Coverage Ecosystems: Resilient Identity Validation, Policy Adherence , International Journal of Modern Computer Science and IT Innovations: Vol. 3 No. 02 (2026): Volume 03 Issue 02
- Jianhong Wei, Aaliyah M. Farouk, MITIGATING CONFIRMATION BIAS IN DEEP LEARNING WITH NOISY LABELS THROUGH COLLABORATIVE NETWORK TRAINING , International Journal of Modern Computer Science and IT Innovations: Vol. 1 No. 01 (2024): Volume 01 Issue 01
- Dr. Adrian K. Varela, Edge Intelligence-Driven Intrusion Detection for Internet of Things Networks in Next-Generation Communication Systems , International Journal of Modern Computer Science and IT Innovations: Vol. 3 No. 03 (2026): Volume03 Issue03
- Dr. Eleanor Whitfield, Architecting Secure and Cost-Optimized Iot-Cloud Ecosystems: Integrating AI-Driven Intrusion Detection, Multi-Path Routing, And Intelligent Workload Scheduling in Distributed Systems , International Journal of Modern Computer Science and IT Innovations: Vol. 3 No. 01 (2026): Volume 03 Issue 01
- Daniela Costa, Rafael Lima, Dynamic Deep Neural Network Partitioning For Low-Latency Edge-Assisted Video Analytics: A Learning-To-Partition Approach , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 10 (2025): Volume 02 Issue 10
- Svetlana Petrova, Beyond Hyperscale: The Socio-Technical Adaptation of Site Reliability Engineering for Enhanced Resilience in Critical Infrastructure , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 11 (2025): Volume 02 Issue 11
- Dr. Rahul Mehta, Enhancing Credit Initiation Processes through Customer Relationship Platforms for Agricultural Enterprise Efficiency , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 10 (2025): Volume 02 Issue 10
- Dr. Emiliano R. Vassalli, Event-Driven Architectures in Fintech Systems: A Comprehensive Theoretical, Methodological, and Resilience-Oriented Analysis of Kafka-Centric Microservices , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 10 (2025): Volume 02 Issue 10
- Sneha R. Patil, Dr. Liam O. Hughes, ENHANCED MALWARE DETECTION THROUGH FUNCTION PARAMETER ENCODING AND API DEPENDENCY MODELING , International Journal of Modern Computer Science and IT Innovations: Vol. 1 No. 01 (2024): Volume 01 Issue 01
- Dr. Ahmed R. Mostafa, Prof. Mahmoud A. Taha, AFFORDABLE VISION-BASED SYSTEMS FOR REAL-TIME CHESSBOARD DIGITIZATION , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 01 (2025): Volume 02 Issue 01
You may also start an advanced similarity search for this article.