Beyond CVSS: New Frameworks for Vulnerability Risk Assessment
The Common Vulnerability Scoring System (CVSS) is the most widely used method for evaluating the severity of hardware and software vulnerabilities. Its latest version, CVSS 4.0, was previewed by the Forum of Incident Response and Security Teams (FIRST) in mid-2023 and officially published on 1 November 2023.
While the new version fixed many of the problems of version 3.1, CVSS continues to receive criticism from the cybersecurity community.
Some argue that it oversimplifies the complex nature of vulnerabilities; others believe that it can be inaccurate and misleading because its metrics are frequently misused.
A third criticism points to a lack of transparency from NIST’s National Vulnerability Database (NVD), which does not publish the reasoning behind the CVSS scores it assigns. A visible symptom of this is that NVD and the various CVE Numbering Authorities (CNAs) frequently assign different CVSS scores to the same vulnerability.
To address some of these problems, companies and industry bodies have developed competing systems and alternative frameworks intended to replace or complement CVSS.
In this article, Infosecurity examines some of these systems to understand how they could improve vulnerability prioritisation beyond what CVSS offers on its own.
Background of CVSS 4.0
What is CVSS
CVSS, an open industry standard, is used to gauge the severity of security vulnerabilities in computer systems, guiding organisations in prioritising their vulnerability management efforts.
It offers a structured approach to capturing the key characteristics of a vulnerability and generating a numerical score from 0.0 to 10.0 that represents its severity. Note that the base score measures the intrinsic severity of the flaw, not the risk it poses to a particular organisation.
The numerical score maps to a qualitative severity rating: none (0.0), low (0.1–3.9), medium (4.0–6.9), high (7.0–8.9) and critical (9.0–10.0).
How CVSS 4.0 is a Potential Game-Changer
The previous version of CVSS, v3.1, faced many criticisms. It was seen as an overly complicated measurement tool that, despite its complexity, still did not provide enough granularity to separate vulnerabilities from one another. CVSS 3.1 also had no way to express the safety impact of vulnerabilities in industrial systems and Internet-of-Things (IoT) devices.
CVSS 4.0 aims to address these issues through a number of changes: finer granularity from new base metrics and metric values (such as Attack Requirements and a split of User Interaction into passive and active), separate impact metrics for the vulnerable system and for subsequent systems in place of the old Scope metric, and new supplemental metrics with a particular focus on operational technology (OT), industrial control systems (ICS) and safety.
Criticisms of CVSS
Although CVSS 4.0 received positive feedback from the security community, some voices argued that the new system is in some respects more flawed than its predecessor. For instance, more vulnerabilities tend to be rated critical under CVSS 4.0 than under CVSS 3.1, which makes prioritisation harder rather than easier.
Additionally, many have raised issues with the CVSS approach altogether. In an academic paper presented at the 2024 IEEE Symposium on Security and Privacy, a team of researchers documented CVSS scoring inconsistencies after surveying 196 CVSS users. They concluded that CVSS scores for the same vulnerability often differ depending on who performs the analysis, and suggested areas of improvement.
Other criticisms of CVSS include:
- It is still an overly complicated system and open to interpretation
- It fails at providing context on exploitability
- It only provides limited environmental and business context
- It is a static scoring model, meaning it doesn’t account for changes in the threat landscape over time
At the core of the CVSS debate lies what some would call a misconception of CVSS. According to a 2018 paper by researchers at Carnegie Mellon University’s Software Engineering Institute (SEI), CVSS was never intended to be a patch management prioritisation or risk assessment method, but it is used that way regardless.
To be effective, a comprehensive vulnerability prioritisation process should use CVSS alongside exploitability metrics, such as FIRST’s Exploit Prediction Scoring System (EPSS) and the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, as well as decision frameworks such as the Stakeholder-Specific Vulnerability Categorization (SSVC), developed by the SEI and adopted by CISA.
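The following Python script is an added example written for this article; it is not code from FIRST, CISA, NVD or any vendor mentioned here. It shows what "CVSS alongside exploitability and context" looks like in practice: the CVSS qualitative scale is the one published in the CVSS specification, while the EPSS threshold, the vulnerability records and the four remediation tiers are assumptions made for illustration, loosely modelled on the outcomes of SSVC’s deployer tree (Track, Track*, Attend, Act) rather than its official decision logic.

```python
"""Added example: turning a CVSS base score plus exploitation evidence and
asset context into a remediation tier. Illustrative only; thresholds and
tiering rules are assumptions, not any framework's published algorithm."""
from dataclasses import dataclass


def cvss_rating(score: float) -> str:
    """Map a numerical CVSS score to the qualitative rating defined in the
    CVSS v3.1/v4.0 specifications (None/Low/Medium/High/Critical)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class Vuln:
    vid: str                # internal tracking label (constructed, not a CVE ID)
    cvss: float             # CVSS base score: severity only, no context
    epss: float             # EPSS probability of exploitation within 30 days, 0..1
    in_kev: bool            # listed in CISA's KEV catalog (active exploitation)
    exposure: str           # "open" (internet-facing), "controlled" or "small"
    mission_critical: bool  # asset supports a critical business function


# Assumed cut-off: EPSS publishes probabilities, not a recommended threshold.
EPSS_HIGH = 0.10


def exploitation(v: Vuln) -> str:
    """Strongest available exploitation evidence: active, likely or none."""
    if v.in_kev:
        return "active"
    if v.epss >= EPSS_HIGH:
        return "likely"
    return "none"


def remediation_tier(v: Vuln) -> str:
    """Simplified tiering (assumption) inspired by SSVC deployer outcomes:
    Act     remediate immediately, outside the normal cycle
    Attend  remediate ahead of the normal cycle
    Track*  track closely and re-evaluate when threat data changes
    Track   remediate in the normal patch cycle
    Note that a Critical CVSS score alone never produces Act or Attend."""
    ex = exploitation(v)
    sev = cvss_rating(v.cvss)
    exposed = v.exposure == "open"
    if ex == "active" and (exposed or v.mission_critical):
        return "Act"
    if ex == "active" or (ex == "likely" and exposed and sev in ("High", "Critical")):
        return "Attend"
    if ex == "likely" or (sev == "Critical" and exposed):
        return "Track*"
    return "Track"


def prioritise(vulns):
    """Order by tier, then by EPSS, then by CVSS, highest urgency first."""
    order = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}
    return sorted(vulns, key=lambda v: (order[remediation_tier(v)], -v.epss, -v.cvss))


# Constructed sample records for demonstration; values are invented.
SAMPLE = [
    Vuln("A", 9.8, 0.01, False, "small", False),      # Critical CVSS, but no exploit signal
    Vuln("B", 6.5, 0.02, True, "open", False),        # Medium CVSS, actively exploited, exposed
    Vuln("C", 8.1, 0.45, False, "open", False),       # High CVSS, exploit likely, exposed
    Vuln("D", 7.5, 0.30, False, "controlled", False), # High CVSS, exploit likely, not exposed
    Vuln("E", 9.6, 0.03, False, "open", False),       # Critical CVSS, exposed, low EPSS
]

if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        print(f"{v.vid}: CVSS {v.cvss} ({cvss_rating(v.cvss)}), EPSS {v.epss:.2f}, "
              f"KEV {v.in_kev}, exposure {v.exposure} -> {remediation_tier(v)}")
```

Run as-is and the record with the lowest CVSS score (B) comes out first because it is actively exploited on an internet-facing asset, while the 9.8-rated record (A) drops to the bottom of the list: exactly the reordering that CVSS-only prioritisation cannot produce.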
Competing Vulnerability Risk Assessment Systems
Some companies and industry bodies have developed alternative approaches that could encompass vulnerability severity, exploitability and risk assessment.
CIS Risk Assessment Method
The CIS Risk Assessment Method (CIS RAM) is a cybersecurity framework created by the Center for Internet Security (CIS).
First released in 2018, it aims to help organisations assess and manage their security posture relative to the CIS Critical Security Controls, or CIS Safeguards. Its latest version, v2.1, was released in 2023.
CIS RAM core risk assessments involve the following activities:
- Developing the risk assessment criteria and risk acceptance criteria: establish and define the requirements for evaluating and accepting risk
- Modelling the risks: evaluate current implementations of the CIS Safeguards that would prevent or detect foreseeable threats
- Evaluating the risks: estimate the likelihood and impact of security breaches to arrive at the risk score, then determine whether identified risks are acceptable
- Recommending CIS Safeguards: propose CIS Safeguards that would reduce unacceptable risks
- Evaluating recommended CIS Safeguards: risk-analyse the recommended CIS Safeguards to ensure that they pose acceptably low risks without creating an undue burden
RiskSense’s Vulnerability Risk Rating (VRR) Framework
The Vulnerability Risk Rating (VRR) is a risk-scoring framework developed by RiskSense (acquired by Ivanti in 2021) to prioritise vulnerabilities based on the risk they pose rather than on severity alone.
It is designed to give organisations a more actionable, context-based approach to vulnerability management, helping them focus on the vulnerabilities that pose the highest risk to their specific environment.
The VRR framework combines multiple factors, including data from real-world exploitation and situational awareness, to rate vulnerabilities on a scale from 0 to 10. The score represents the potential risk a vulnerability poses to an organisation, based on both the intrinsic characteristics of the vulnerability and external threat data.
To define such a score, VRR considers the following criteria:
- Vulnerability characteristics, such as CVSS scores, ease of exploitation and impact on system confidentiality, integrity, and availability
- Threat context, including threat intelligence data that encompasses potential publicly available exploit code, known exploitations and patterns from recent attack trends
- Criticality of the systems and assets affected by the vulnerability
- Environmental relevance, including network configuration, asset dependencies and previous threat activity in that environment
Qualys’ TruRisk Framework
The Qualys TruRisk Framework is a risk assessment model introduced by Qualys in 2022 to evaluate and prioritise vulnerabilities by placing them in the context of an organisation’s specific risk environment.
The TruRisk framework typically takes into account:
- Vulnerability characteristics, such as CVSS scores, ease of exploitation, impact on the system and complexity
- Threat intelligence and exploitability data
- Asset context and business impact
- Compensating security controls that may reduce the risk associated with specific vulnerabilities
- Machine learning and data analytics to dynamically update scores based on new threat data and attack trends
Microsoft’s DREAD Framework
The Damage Potential, Reproducibility, Exploitability, Affected Users and Discoverability (DREAD) model was developed by Microsoft in the early 2000s as part of its threat modelling practice. Rather than scoring published CVEs, DREAD rates the threats identified during design review so that they can be ranked against each other: each factor is given a numerical score and the scores are averaged into a single risk rating.
Each letter in DREAD represents a factor that helps estimate the potential impact of a security weakness:
- Damage Potential: How much damage could the vulnerability cause if exploited?
- Reproducibility: How reliably can an attack against the vulnerability be reproduced?
- Exploitability: How easy is it to exploit the vulnerability?
- Affected Users: How many users could be affected by the vulnerability?
- Discoverability: How easy is it to discover the vulnerability?
Conclusion
While CVSS remains the industry standard for assessing vulnerability severity, its limitations have become increasingly apparent as organisations seek more dynamic and context-sensitive approaches to risk management.
CVSS 4.0 introduced meaningful improvements; however, the fundamental design of CVSS, which measures static severity rather than exploitability or real-time relevance, means that on its own it still may not meet the needs of efficient vulnerability and patch management.
This has driven the development and adoption of complementary frameworks prioritising vulnerabilities based on active threat data, exploit likelihood, and specific business impact, which CVSS alone cannot always capture.