Open Access
Models and Methods for Prioritizing Software Vulnerabilities Based on Business-Criticality Indicators and Probability of Exploitation
4
CEO and Founder of Swordfish Security and Mobix Dubai, United Arab Emirates
Abstract
This article examines existing models and methods for vulnerability prioritization, including CVSS v3.1/v4.0, the EPSS v4 exploit prediction system, the SSVC v2 framework, as well as their integration with asset business-criticality indicators and information on real-world exploitation based on CISA’s Known Exploited Vulnerabilities Catalog (KEV). The study methodology is grounded in a systematic review of the academic literature, a content analysis of technical documentation, and a comparative assessment of methods on a representative CVE dataset. Based on the findings, a composite prioritization model proposed by the author is introduced; it combines four signals – severity, probability, KEV status, and business criticality – into a single index with configurable weighting coefficients. It is shown that the application of the Composite Vulnerability Priority Score (CVPS) reduces the volume of vulnerabilities requiring immediate response by approximately sevenfold while preserving a high level of coverage of genuinely exploited threats. The results are of practical value for vulnerability-management specialists, chief information security officers, and those responsible for patch-management policy design.
Keywords
vulnerability prioritization,
CVSS,
EPSS,
SSVC,
business criticality,
vulnerability management,
KEV,
machine learning,
cybersecurity,
risk-based approach,
patch management.
References
Jacobs, J., Romanosky, S., Adjerid, I., & Baker, W. (2021). Exploit prediction scoring system (EPSS). Digital Threats: Research and Practice, 2(3), 1–17. https://doi.org/10.1145/3436242.
Spring, J. M., Householder, A. D., Hatleback, E., Manion, A., Oliver, M., Sarvepalli, V. S., Tyzenhaus, L., & Yarbrough, C. G. (2021). Prioritizing vulnerability response: A stakeholder-specific vulnerability categorization (Version 2.0). Carnegie Mellon University, Software Engineering Institute. https://doi.org/10.1184/R1/14527779.
FIRST.org. (2023). CVSS v4.0 specification document. Retrieved from: https://www.first.org/cvss/specification-document (date accessed: November 12, 2025).
FIRST.org. (2024). EPSS user guide. Retrieved from: https://www.first.org/epss/user-guide (date accessed: November 19, 2025).
Cybersecurity and Infrastructure Security Agency. (2024). CISA stakeholder-specific vulnerability categorization guide. Retrieved from: https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf (date accessed: November 27, 2025).
National Institute of Standards and Technology. (2022). Vulnerability metrics: CVSS. Retrieved from: https://nvd.nist.gov/vuln-metrics/cvss (date accessed: December 4, 2025).
Sabetta, A., & Bezzi, M. (2018). A practical approach to the automatic classification of security-relevant commits. In Proceedings of the 2018 IEEE International Conference on Software Maintenance and Evolution (ICSME) (pp. 579–582). IEEE. https://doi.org/10.1109/ICSME.2018.00058.
Bozorgi, M., Saul, L. K., Savage, S., & Voelker, G. M. (2010). Beyond heuristics: Learning to classify vulnerabilities and predict exploits. In Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 105–114). ACM. https://doi.org/10.1145/1835804.1835821.
Allodi, L., & Massacci, F. (2014). Comparing vulnerability severity and exploits using case-control studies. ACM Transactions on Information and System Security, 17(1), 1–20. https://doi.org/10.1145/2630069.
Holm, H. (2014). Signature based intrusion detection for zero-day attacks. In Proceedings of the 47th Hawaii International Conference on System Sciences (pp. 4895–4904). IEEE. https://doi.org/10.1109/HICSS.2014.601.
Nappa, A., Johnson, R., Bilge, L., Caballero, J., & Dumitras, T. (2015). The attack of the clones: A study of the impact of shared code on vulnerability patching. In Proceedings of the 2015 IEEE Symposium on Security and Privacy (pp. 692–708). IEEE. https://doi.org/10.1109/SP.2015.48.
Khera, Y., Kumar, D., Garg, N., & Rana, P. S. (2019). Analysis and impact of vulnerability assessment and penetration testing. In 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon) (pp. 525–530). IEEE. https://doi.org/10.1109/COMITCon.2019.8862195.
Cheng, P., Wang, L., Jajodia, S., & Singhal, A. (2012). Aggregating CVSS base scores for semantics-rich network security metrics. In Proceedings of the 2012 IEEE 31st Symposium on Reliable Distributed Systems (pp. 31–40). IEEE. https://doi.org/10.1109/SRDS.2012.37.
Cybersecurity and Infrastructure Security Agency. (2026). Known exploited vulnerabilities catalog. Retrieved from: https://www.cisa.gov/known-exploited-vulnerabilities-catalog (date accessed: February 12, 2026).
National Institute of Standards and Technology. (2024). National vulnerability database statistics. Retrieved from: https://nvd.nist.gov/general/nvd-dashboard (date accessed: December 21, 2025).
Google Cloud & Mandiant. (2024). M-Trends 2024 special report. Retrieved from: https://services.google.com/fh/files/misc/m-trends-2024.pdf (date accessed: January 6, 2026).
Microsoft. (2024). Microsoft Digital Defense Report 2024. Retrieved from: https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Microsoft%20Digital%20Defense%20Report%202024%20%281%29.pdf (date accessed: January 18, 2026).
Cybersecurity and Infrastructure Security Agency. (2021). BOD 22-01: Reducing the significant risk of known exploited vulnerabilities. Retrieved from: https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities (date accessed: February 2, 2026).
Carnegie Mellon University, Software Engineering Institute. (2023). Modern vulnerability management. Retrieved from: https://www.sei.cmu.edu/documents/5770/DSOC_DC_-_Modern_Vulnerability_Management.pdf (date accessed: February 14, 2026).
Jacobs, J., Romanosky, S., Halloran, B., Adjerid, I., & Baker, W. (2020). Improving vulnerability remediation through better exploit prediction. Journal of Cybersecurity, 6(1), tyaa015. https://doi.org/10.1093/cybsec/tyaa015.
Similar Articles
- Dr. Mingyu L. Chen, Muhammad Siddiqui, CODE-SWITCHED RELATION EXTRACTION: A NOVEL DATASET AND TRAINING METHODOLOGY , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 02 (2025): Volume 02 Issue 02
- Dr. Markus Vogel, Large Language Model–Driven Digital Twins for Lean-Aware Manufacturing Execution System Optimization in Industry 4.0 Environments , International Journal of Modern Computer Science and IT Innovations: Vol. 3 No. 01 (2026): Volume 03 Issue 01
- Oliver P. Harrington, Reconceptualizing Enterprise Application Frameworks: ASP.NET Core and the Structural Foundations of Cross-Platform Development , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 12 (2025): Volume 02 Issue 12
- Prof. Lucas F. Oliveira, SM9-ENHANCED KEY-POLICY ATTRIBUTE-BASED ENCRYPTION: DESIGN, ANALYSIS, AND APPLICATIONS , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 06 (2025): Volume 02 Issue 06
- Anastasiia Livintseva, Re-coding Community: Designing AI-Native Platforms for Trust, Belonging, and Collective Agency , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 12 (2025): Volume 02 Issue 12
- Dr. Joshua Muller, Zero-Trust Transformation in Healthcare IT: Securing Legacy Medical Devices Through Windows 11 Modernization in Clinical Workstations , International Journal of Modern Computer Science and IT Innovations: Vol. 3 No. 01 (2026): Volume 03 Issue 01
- Hiroshi Tanaka, Architectural Synergies: Integrating Blockchain, Fog Computing, And Generative Intelligence for Secure Digital Twin Ecosystems in Cyber-Physical Systems , International Journal of Modern Computer Science and IT Innovations: Vol. 3 No. 02 (2026): Volume 03 Issue 02
- Mykola Nesvietaiev, Multisided Digital Platforms in the Sphere of Family Well-Being: Models for Balancing the Interests of Children, Parents, and Service Providers Under Regulatory Requirements for the Protection of Minors , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 03 (2025): Volume 02 Issue 03
- Alistair J. Finch, Sustainable Development and Mechanical Performance of Natural Fiber–Reinforced Polymer Composites: Comprehensive Analysis, Methodologies, and Future Directions , International Journal of Modern Computer Science and IT Innovations: Vol. 2 No. 05 (2025): Volume 02 Issue 05
- Serhii Svynarov, AI-Driven Automation in Cloud-Based Business Systems: A Practical Implementation Using Microservices Architecture , International Journal of Modern Computer Science and IT Innovations: Vol. 3 No. 05 (2026): Volume 03 Issue 05
Previous
51-60 of 60
You may also start an advanced similarity search for this article.