Open Access
Models and Methods for Prioritizing Software Vulnerabilities Based on Business-Criticality Indicators and Probability of Exploitation
4
CEO and Founder of Swordfish Security and Mobix Dubai, United Arab Emirates
Abstract
This article examines existing models and methods for vulnerability prioritization, including CVSS v3.1/v4.0, the EPSS v4 exploit prediction system, the SSVC v2 framework, as well as their integration with asset business-criticality indicators and information on real-world exploitation based on CISA’s Known Exploited Vulnerabilities Catalog (KEV). The study methodology is grounded in a systematic review of the academic literature, a content analysis of technical documentation, and a comparative assessment of methods on a representative CVE dataset. Based on the findings, a composite prioritization model proposed by the author is introduced; it combines four signals – severity, probability, KEV status, and business criticality – into a single index with configurable weighting coefficients. It is shown that the application of the Composite Vulnerability Priority Score (CVPS) reduces the volume of vulnerabilities requiring immediate response by approximately sevenfold while preserving a high level of coverage of genuinely exploited threats. The results are of practical value for vulnerability-management specialists, chief information security officers, and those responsible for patch-management policy design.
Keywords
vulnerability prioritization,
CVSS,
EPSS,
SSVC,
business criticality,
vulnerability management,
KEV,
machine learning,
cybersecurity,
risk-based approach,
patch management.
References
Jacobs, J., Romanosky, S., Adjerid, I., & Baker, W. (2021). Exploit prediction scoring system (EPSS). Digital Threats: Research and Practice, 2(3), 1–17. https://doi.org/10.1145/3436242.
Spring, J. M., Householder, A. D., Hatleback, E., Manion, A., Oliver, M., Sarvepalli, V. S., Tyzenhaus, L., & Yarbrough, C. G. (2021). Prioritizing vulnerability response: A stakeholder-specific vulnerability categorization (Version 2.0). Carnegie Mellon University, Software Engineering Institute. https://doi.org/10.1184/R1/14527779.
FIRST.org. (2023). CVSS v4.0 specification document. Retrieved from: https://www.first.org/cvss/specification-document (date accessed: November 12, 2025).
FIRST.org. (2024). EPSS user guide. Retrieved from: https://www.first.org/epss/user-guide (date accessed: November 19, 2025).
Cybersecurity and Infrastructure Security Agency. (2024). CISA stakeholder-specific vulnerability categorization guide. Retrieved from: https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf (date accessed: November 27, 2025).
National Institute of Standards and Technology. (2022). Vulnerability metrics: CVSS. Retrieved from: https://nvd.nist.gov/vuln-metrics/cvss (date accessed: December 4, 2025).
Sabetta, A., & Bezzi, M. (2018). A practical approach to the automatic classification of security-relevant commits. In Proceedings of the 2018 IEEE International Conference on Software Maintenance and Evolution (ICSME) (pp. 579–582). IEEE. https://doi.org/10.1109/ICSME.2018.00058.
Bozorgi, M., Saul, L. K., Savage, S., & Voelker, G. M. (2010). Beyond heuristics: Learning to classify vulnerabilities and predict exploits. In Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 105–114). ACM. https://doi.org/10.1145/1835804.1835821.
Allodi, L., & Massacci, F. (2014). Comparing vulnerability severity and exploits using case-control studies. ACM Transactions on Information and System Security, 17(1), 1–20. https://doi.org/10.1145/2630069.
Holm, H. (2014). Signature based intrusion detection for zero-day attacks. In Proceedings of the 47th Hawaii International Conference on System Sciences (pp. 4895–4904). IEEE. https://doi.org/10.1109/HICSS.2014.601.
Nappa, A., Johnson, R., Bilge, L., Caballero, J., & Dumitras, T. (2015). The attack of the clones: A study of the impact of shared code on vulnerability patching. In Proceedings of the 2015 IEEE Symposium on Security and Privacy (pp. 692–708). IEEE. https://doi.org/10.1109/SP.2015.48.
Khera, Y., Kumar, D., Garg, N., & Rana, P. S. (2019). Analysis and impact of vulnerability assessment and penetration testing. In 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon) (pp. 525–530). IEEE. https://doi.org/10.1109/COMITCon.2019.8862195.
Cheng, P., Wang, L., Jajodia, S., & Singhal, A. (2012). Aggregating CVSS base scores for semantics-rich network security metrics. In Proceedings of the 2012 IEEE 31st Symposium on Reliable Distributed Systems (pp. 31–40). IEEE. https://doi.org/10.1109/SRDS.2012.37.
Cybersecurity and Infrastructure Security Agency. (2026). Known exploited vulnerabilities catalog. Retrieved from: https://www.cisa.gov/known-exploited-vulnerabilities-catalog (date accessed: February 12, 2026).
National Institute of Standards and Technology. (2024). National vulnerability database statistics. Retrieved from: https://nvd.nist.gov/general/nvd-dashboard (date accessed: December 21, 2025).
Google Cloud & Mandiant. (2024). M-Trends 2024 special report. Retrieved from: https://services.google.com/fh/files/misc/m-trends-2024.pdf (date accessed: January 6, 2026).
Microsoft. (2024). Microsoft Digital Defense Report 2024. Retrieved from: https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Microsoft%20Digital%20Defense%20Report%202024%20%281%29.pdf (date accessed: January 18, 2026).
Cybersecurity and Infrastructure Security Agency. (2021). BOD 22-01: Reducing the significant risk of known exploited vulnerabilities. Retrieved from: https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities (date accessed: February 2, 2026).
Carnegie Mellon University, Software Engineering Institute. (2023). Modern vulnerability management. Retrieved from: https://www.sei.cmu.edu/documents/5770/DSOC_DC_-_Modern_Vulnerability_Management.pdf (date accessed: February 14, 2026).
Jacobs, J., Romanosky, S., Halloran, B., Adjerid, I., & Baker, W. (2020). Improving vulnerability remediation through better exploit prediction. Journal of Cybersecurity, 6(1), tyaa015. https://doi.org/10.1093/cybsec/tyaa015.
Similar Articles
- Alistair J. Finch, Integrating Jira, Jenkins, and Azure DevOps to Optimize Software Release Pipelines , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 10 (2025): Volume 02 Issue 10
- Ngozi Okafor, A Consumer-Driven Contract-Based Approach to Verifying User Interface Integration in Microservices Architectures , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 10 (2025): Volume 02 Issue 10
- Dr. Mateo Alvarez, SaaS-Driven Digital Transformation and Customer Retention in Hospitality Ecosystems: A Multitheoretical and Socio-Technical Reinterpretation of Service Value Creation , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 12 (2025): Volume 02 Issue 12
- Dr. Rakesh T. Sharma, Dr. Neha R. Kulkarni, GUIDING SEARCH-BASED SOFTWARE TESTING WITH DEFECT PREDICTION: AN EMPIRICAL INVESTIGATION , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 03 (2025): Volume 02 Issue 03
- Dr. Alistair Sterling, Architectural Evolution and Decomposition Strategies: A Comprehensive Analysis of Microservice Migration, Performance Optimization, And Machine Learning-Assisted Service Boundary Detection , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 12 (2025): Volume 02 Issue 12
- Dr. Alexei Morozov, Prof. Kevin J. Donovan, The Transformative Impact of Containerization on Modern Web Development: An In-depth Analysis of Docker and Kubernetes Ecosystems , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 10 (2025): Volume 02 Issue 10
- Anh N. Tran, Siew H. Lim, A Critical Analysis of Apache Kafka's Role in Advancing Microservices Architecture: Performance, Patterns, and Persistence , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 10 (2025): Volume 02 Issue 10
- Dr. Abdulrahman O. Nassar, Dr. Cheng-Hao Lin, CHARACTERIZING CORE-PERIPHERY STRUCTURES IN NETWORKS VIA PRINCIPAL COMPONENT ANALYSIS OF NEIGHBORHOOD-BASED BRIDGE NODE CENTRALITY , International Journal of Modern Computer Science and IT Innovations: Vol. 1 No. 01 (2024): Volume 01 Issue 01
- Prof. Isabella Rossi, Dr. Luis Fernando Páez, GEOSPATIAL ANOMALY DETECTION FOR ENHANCED SECURITY IN DELAY-TOLERANT NETWORKS , International Journal of Modern Computer Science and IT Innovations: Vol. 1 No. 01 (2024): Volume 01 Issue 01
- Dr. Elena Marovic, Hyperautomation-Driven Financial Workflow Transformation: Integrating Generative Artificial Intelligence, Process Mining, and Enterprise Digital Architectures , International Journal of Modern Computer Science and IT Innovations: Vol. 3 No. 01 (2026): Volume 03 Issue 01
You may also start an advanced similarity search for this article.