Open Access
Models and Methods for Prioritizing Software Vulnerabilities Based on Business-Criticality Indicators and Probability of Exploitation
4
CEO and Founder of Swordfish Security and Mobix Dubai, United Arab Emirates
Abstract
This article examines existing models and methods for vulnerability prioritization, including CVSS v3.1/v4.0, the EPSS v4 exploit prediction system, the SSVC v2 framework, as well as their integration with asset business-criticality indicators and information on real-world exploitation based on CISA’s Known Exploited Vulnerabilities Catalog (KEV). The study methodology is grounded in a systematic review of the academic literature, a content analysis of technical documentation, and a comparative assessment of methods on a representative CVE dataset. Based on the findings, a composite prioritization model proposed by the author is introduced; it combines four signals – severity, probability, KEV status, and business criticality – into a single index with configurable weighting coefficients. It is shown that the application of the Composite Vulnerability Priority Score (CVPS) reduces the volume of vulnerabilities requiring immediate response by approximately sevenfold while preserving a high level of coverage of genuinely exploited threats. The results are of practical value for vulnerability-management specialists, chief information security officers, and those responsible for patch-management policy design.
Keywords
vulnerability prioritization,
CVSS,
EPSS,
SSVC,
business criticality,
vulnerability management,
KEV,
machine learning,
cybersecurity,
risk-based approach,
patch management.
References
Jacobs, J., Romanosky, S., Adjerid, I., & Baker, W. (2021). Exploit prediction scoring system (EPSS). Digital Threats: Research and Practice, 2(3), 1–17. https://doi.org/10.1145/3436242.
Spring, J. M., Householder, A. D., Hatleback, E., Manion, A., Oliver, M., Sarvepalli, V. S., Tyzenhaus, L., & Yarbrough, C. G. (2021). Prioritizing vulnerability response: A stakeholder-specific vulnerability categorization (Version 2.0). Carnegie Mellon University, Software Engineering Institute. https://doi.org/10.1184/R1/14527779.
FIRST.org. (2023). CVSS v4.0 specification document. Retrieved from: https://www.first.org/cvss/specification-document (date accessed: November 12, 2025).
FIRST.org. (2024). EPSS user guide. Retrieved from: https://www.first.org/epss/user-guide (date accessed: November 19, 2025).
Cybersecurity and Infrastructure Security Agency. (2024). CISA stakeholder-specific vulnerability categorization guide. Retrieved from: https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf (date accessed: November 27, 2025).
National Institute of Standards and Technology. (2022). Vulnerability metrics: CVSS. Retrieved from: https://nvd.nist.gov/vuln-metrics/cvss (date accessed: December 4, 2025).
Sabetta, A., & Bezzi, M. (2018). A practical approach to the automatic classification of security-relevant commits. In Proceedings of the 2018 IEEE International Conference on Software Maintenance and Evolution (ICSME) (pp. 579–582). IEEE. https://doi.org/10.1109/ICSME.2018.00058.
Bozorgi, M., Saul, L. K., Savage, S., & Voelker, G. M. (2010). Beyond heuristics: Learning to classify vulnerabilities and predict exploits. In Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 105–114). ACM. https://doi.org/10.1145/1835804.1835821.
Allodi, L., & Massacci, F. (2014). Comparing vulnerability severity and exploits using case-control studies. ACM Transactions on Information and System Security, 17(1), 1–20. https://doi.org/10.1145/2630069.
Holm, H. (2014). Signature based intrusion detection for zero-day attacks. In Proceedings of the 47th Hawaii International Conference on System Sciences (pp. 4895–4904). IEEE. https://doi.org/10.1109/HICSS.2014.601.
Nappa, A., Johnson, R., Bilge, L., Caballero, J., & Dumitras, T. (2015). The attack of the clones: A study of the impact of shared code on vulnerability patching. In Proceedings of the 2015 IEEE Symposium on Security and Privacy (pp. 692–708). IEEE. https://doi.org/10.1109/SP.2015.48.
Khera, Y., Kumar, D., Garg, N., & Rana, P. S. (2019). Analysis and impact of vulnerability assessment and penetration testing. In 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon) (pp. 525–530). IEEE. https://doi.org/10.1109/COMITCon.2019.8862195.
Cheng, P., Wang, L., Jajodia, S., & Singhal, A. (2012). Aggregating CVSS base scores for semantics-rich network security metrics. In Proceedings of the 2012 IEEE 31st Symposium on Reliable Distributed Systems (pp. 31–40). IEEE. https://doi.org/10.1109/SRDS.2012.37.
Cybersecurity and Infrastructure Security Agency. (2026). Known exploited vulnerabilities catalog. Retrieved from: https://www.cisa.gov/known-exploited-vulnerabilities-catalog (date accessed: February 12, 2026).
National Institute of Standards and Technology. (2024). National vulnerability database statistics. Retrieved from: https://nvd.nist.gov/general/nvd-dashboard (date accessed: December 21, 2025).
Google Cloud & Mandiant. (2024). M-Trends 2024 special report. Retrieved from: https://services.google.com/fh/files/misc/m-trends-2024.pdf (date accessed: January 6, 2026).
Microsoft. (2024). Microsoft Digital Defense Report 2024. Retrieved from: https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Microsoft%20Digital%20Defense%20Report%202024%20%281%29.pdf (date accessed: January 18, 2026).
Cybersecurity and Infrastructure Security Agency. (2021). BOD 22-01: Reducing the significant risk of known exploited vulnerabilities. Retrieved from: https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities (date accessed: February 2, 2026).
Carnegie Mellon University, Software Engineering Institute. (2023). Modern vulnerability management. Retrieved from: https://www.sei.cmu.edu/documents/5770/DSOC_DC_-_Modern_Vulnerability_Management.pdf (date accessed: February 14, 2026).
Jacobs, J., Romanosky, S., Halloran, B., Adjerid, I., & Baker, W. (2020). Improving vulnerability remediation through better exploit prediction. Journal of Cybersecurity, 6(1), tyaa015. https://doi.org/10.1093/cybsec/tyaa015.
Similar Articles
- Dr. Erik G. Johansson, Dr. Linnea K. Blomqvist, LEVERAGING PERSISTENCE AND GRAPH NEURAL NETWORKS FOR ENHANCED INFORMATION POPULARITY FORECASTING , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 04 (2025): Volume 02 Issue 04
- Dr. Isabella D. Ricci, Dr. Farah A. Rahman, OPTIMIZING WEB DEVELOPMENT THROUGH STRATEGIC WEB FRAMEWORK ADOPTION , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 05 (2025): Volume 02 Issue 05
- Martin Schneider, Diego Martínez, A Comparative Benchmark Analysis of Transactional and Analytical Performance in PostgreSQL and MySQL , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 10 (2025): Volume 02 Issue 10
- Paul Kovalenko, Resilient Embedded and Automotive Systems: Integrating Lockstep Architectures, Software-Based Fault Detection, And Cyber-Physical Safety Models for Next-Generation Reliability , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 12 (2025): Volume 02 Issue 12
- John A. Prescott, A Unified Framework for Time-Sensitive and Resilient In-Vehicle Communication: Integrating Automotive Ethernet, Wireless TSN, and IoTEnabled Vehicle Health Monitoring , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 08 (2025): Volume 02 Issue 08
- Prof. Dr. Matthias Reinhardt, Cloud-Orchestrated Ensemble Deep Learning Architectures for Predictive Modeling of Cryptocurrency Market Dynamics: A Theoretical, Empirical, and Cyber-Physical Systems Perspective , International Journal of Modern Computer Science and IT Innovations: Vol. 3 No. 01 (2026): Volume 03 Issue 01
- John Doe, Transforming Supply Chain Management Through Artificial Intelligence: A Holistic Theoretical Analysis , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 09 (2025): Volume 02 Issue 09
- Puspita Sari, Nathanael Sianipar, A DESIGN SCIENCE APPROACH TO MITIGATING INTER-SERVICE INTEGRATION FAILURES IN MICROSERVICE ARCHITECTURES: THE CONSUMER-DRIVEN CONTRACT TESTING FRAMEWORK AND PILOT IMPLEMENTATION , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 10 (2025): Volume 02 Issue 10
- Dr. Alejandro Martínez, Explainable Artificial Intelligence As A Foundation For Trust, Sustainability, And Responsible Decision-Making Across Business And Healthcare Ecosystems , International Journal of Modern Computer Science and IT Innovations: Vol. 3 No. 01 (2026): Volume 03 Issue 01
- Dr. Arjun S. Patel, Prof. Elena D. Petrovna, CONVERGENT DATABASE ARCHITECTURES: MULTI-MODEL DESIGN AND QUERY OPTIMIZATION IN NEWSQL SYSTEMS , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 02 (2025): Volume 02 Issue 02
You may also start an advanced similarity search for this article.