A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Research Challenges

TL;DR

This paper systematically reviews vulnerability prioritization research, proposing a taxonomy of metrics, identifying gaps, and emphasizing the need for dynamic, context-aware solutions to improve cybersecurity risk management.

Contribution

It introduces a comprehensive taxonomy of metrics and provides a research agenda to enhance vulnerability prioritization methods and their practical applicability.

Findings

Significant gaps in existing vulnerability prioritization approaches.

Challenges with multi-domain applicability of current metrics.

Need for dynamic, context-aware, scalable solutions.

Abstract

In the highly interconnected digital landscape of today, safeguarding complex infrastructures against cyber threats has become increasingly challenging due to the exponential growth in the number and complexity of vulnerabilities. Resource constraints necessitate effective vulnerability prioritization strategies, focusing efforts on the most critical risks. This paper presents a systematic literature review of 82 studies, introducing a novel taxonomy that categorizes metrics into severity, exploitability, contextual factors, predictive indicators, and aggregation methods. Our analysis reveals significant gaps in existing approaches and challenges with multi-domain applicability. By emphasizing the need for dynamic, context-aware metrics and scalable solutions, we provide actionable insights to bridge the gap between research and real-world applications. This work contributes to the field by offering a comprehensive framework for evaluating vulnerability prioritization methodologies and setting a research agenda to advance the state of practice.