Prioritizing Vulnerability Response: A Stakeholder Specific Vulnerability Categorization

Technical Report | Accession Number: AD1088910

Abstract:

This report is the second part of a research agenda about prioritizing actions during vulnerability management. Many organizations use the Common Vulnerability Scoring System (CVSS) for this purpose today. For problems with CVSS as it is, see the first part of our research agenda, "Towards Improving CVSS." This report presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some problems with CVSS. Our informed hypothesis takes the form of decision trees for different vulnerability management communities. We welcome others to test and improve it. This report proposes a functional system to make our proposal concrete, as well as preliminary tests of its usefulness. However, our proposal is a detailed hypothesis to test, or a conversation starter, not a final proposal. Insofar as is practical, we aim to avoid one-size-fits-all solutions. The stakeholders in vulnerability management are diverse, and that diversity needs to be accommodated in the main functionality, rather than squeezed into hard-to-use optional features.

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:
Approved For Public Release
Distribution Statement:
Approved For Public Release;

RECORD

Collection: TR