Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0)

Spring, Jonathan M.; Householder, Allen; Hatleback, Eric; Manion, Art; Oliver, Madison; Sarvapalli, Vijay; Tyzenhaus, Laurie; Yarbrough, Charles

Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0)

Active / Technical Report | Accesssion Number: AD1130852 |

Abstract:

This document defines a testable Stakeholder-Specific Vulnerability Categorization (SSVC) for prioritizing actions during vulnerability management. The stakeholders in vulnerability management are diverse. This diversity must be accommodated in the main functionality, rather than squeezed into hard-to-use optional features. Given this, we aim to avoid one-size-fits-all solutions as much as it is practical. We will improve vulnerability management by framing decisions better. The modeling framework determines what output types are possible, identifies the inputs, determines the aspects of vulnerability management that are in scope, defines the aspects of context that are incorporated, describes how the model handles context and different roles, and determines what those roles should be. As such, the modeling framework is important but difficult to pin down. We approach this problem as a satisficing process. We do not seek optimal formalisms, but an adequate formalism.

Author(s):

Spring, Jonathan M. ; Householder, Allen ; Hatleback, Eric ; Manion, Art ; Oliver, Madison ; Sarvapalli, Vijay ; Tyzenhaus, Laurie ; Yarbrough, Charles

Author Organization(s):

CARNEGIE-MELLON UNIV PITTSBURGH PA

Funding Organization(s):

AIR FORCE LIFE CYCLE MANAGEMENT CENTER HANSCOM AFB MA, HANSCOM AFB , MA

Document Type:

Technical Report/Technical Report

Publication Date:

2021 Apr 01

Pagination:

68

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution Code:

A - Approved For Public Release

Distribution Statement: Public Release

RECORD

Collection: TRECMS

Identifying Numbers

Contract Number(s):

FA8702-15-D-0002

Subject Terms

Modernization Areas:

Cyber

Communities of Interest:

Human Systems

Descriptor(s):

department of homeland security, cybersecurity, software development, information security, commerce, computer network security, computers, information exchange, information systems, machine learning, computer networks, mobile phones, risk analysis, failure mode and effect analysis, computer programming, emergency response, governments

Keyword(s):

ssvc(Stakeholder-Specific Vulnerability Categorization

Subject Categories:

Mathematical and Computer Sciences; Mathematical and Computer Sciences

Creation Date:

2021 Jun 01

Update Date:

2021 Jun 25