Bridging the Gap Between Security Metrics and Key Risk Indicators: An Empirical Framework for Vulnerability Prioritization
Emad Sherif, Iryna Yevseyeva, Vitor Basto-Fernandes, Allan Cook

TL;DR
This paper introduces an empirical framework for vulnerability prioritization that outperforms traditional CVSS scores by integrating threat, impact, and exposure dimensions, significantly improving risk-based remediation strategies.
Contribution
The paper presents a novel composite Key Risk Indicator (KRI) that effectively reorders vulnerabilities based on impact and exposure, demonstrating superior performance over existing metrics like CVSS and EPSS.
Findings
KRI achieves ROC-AUC 0.927 and AUPRC 0.223, outperforming CVSS.
EPSS alone has higher AUPRC (0.365) than full KRI, indicating different objectives.
KRI captures 92.3% of impact-weighted remediation value at k=500.
Abstract
Organisations overwhelmingly prioritize vulnerability remediation using Common Vulnerability Scoring System (CVSS) severity scores, yet CVSS classifiers achieve an Area Under the Precision-Recall Curve (AUPRC) of 0.011 on real-world exploitation data, near random chance. We propose a composite Key Risk Indicator grounded in expected-loss decomposition, integrating dimensions of threat, impact, and exposure. We evaluated the KRI framework against the Known Exploited Vulnerabilities (KEV) catalog using a comprehensive dataset of 280,694 Common Vulnerabilities and Exposures (CVEs). KRI achieves Receiver Operating Characteristic Area Under the Curve (ROC-AUC) 0.927 and AUPRC 0.223 versus 0.747 and 0.011 for CVSS (a 24% and 20-fold improvement, respectively). Ablation analysis shows Exploit Prediction Scoring System (EPSS) alone achieves AUPRC 0.365, higher than full KRI (0.223), confirming that EPSS and KRI serve…
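The abstract's evaluation hinges on two metrics, ROC-AUC and AUPRC, and on reading a low AUPRC against the base rate of exploited CVEs. The example below, added here and not taken from the paper, implements both metrics from scratch and a top-k capture measure, then applies them to a constructed set of ten fictional CVE records with placeholder identifiers. The severity-style and composite scores are invented to illustrate the behaviour the abstract describes (a severity ranking that ignores exploitation evidence versus one that does not); the paper's actual KRI formula is not reproduced.

```python
# Added example: ROC-AUC, average precision (AUPRC) and capture@k for a
# vulnerability ranking against a KEV-style "known exploited" label.
# All data below is constructed for illustration; the CVE ids are placeholders.

CVE_IDS = [f"CVE-0000-{i:04d}" for i in range(1, 11)]  # placeholder identifiers
EXPLOITED = [1, 0, 1, 0, 0, 0, 0, 0, 0, 0]             # 1 = in a KEV-style catalogue
# Hypothetical severity-only scores: high for many never-exploited CVEs.
SEVERITY_SCORE = [7.5, 9.8, 5.3, 9.1, 7.2, 8.8, 6.1, 9.0, 4.3, 6.5]
# Hypothetical composite scores: exploitation evidence pushes the two positives up.
COMPOSITE_SCORE = [0.95, 0.80, 0.70, 0.60, 0.50, 0.40, 0.30, 0.20, 0.10, 0.05]


def roc_auc(scores, labels):
    """ROC-AUC via the Mann-Whitney statistic: the probability that a randomly
    chosen positive outranks a randomly chosen negative (ties count one half)."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    if not pos or not neg:
        raise ValueError("need at least one positive and one negative")
    wins = 0.0
    for p in pos:
        for n in neg:
            wins += 1.0 if p > n else 0.5 if p == n else 0.0
    return wins / (len(pos) * len(neg))


def _descending_order(scores):
    """Indices sorted by score, highest first (stable for equal scores)."""
    return sorted(range(len(scores)), key=lambda i: scores[i], reverse=True)


def average_precision(scores, labels):
    """AUPRC as average precision: mean of precision@rank over the ranks at which
    a positive appears, walking the list from the highest score down."""
    n_pos = sum(labels)
    if n_pos == 0:
        raise ValueError("need at least one positive")
    tp, total = 0, 0.0
    for rank, i in enumerate(_descending_order(scores), start=1):
        if labels[i] == 1:
            tp += 1
            total += tp / rank
    return total / n_pos


def random_baseline_auprc(labels):
    """Expected AUPRC of a random ranking is the positive prevalence; an AUPRC
    near this value is what 'near random chance' means in the abstract."""
    return sum(labels) / len(labels)


def captured_at_k(scores, labels, k):
    """Share of exploited CVEs inside the top-k of the ranking: the fraction of
    remediation value reached by a team that can only fix k items."""
    top = _descending_order(scores)[:k]
    return sum(labels[i] for i in top) / sum(labels)


def compare(k=3):
    """Return metrics for both rankings as a dict keyed by ranking name."""
    out = {}
    for name, scores in (("severity", SEVERITY_SCORE), ("composite", COMPOSITE_SCORE)):
        out[name] = {
            "roc_auc": roc_auc(scores, EXPLOITED),
            "auprc": average_precision(scores, EXPLOITED),
            "captured_at_k": captured_at_k(scores, EXPLOITED, k),
        }
    out["random_baseline_auprc"] = random_baseline_auprc(EXPLOITED)
    return out


if __name__ == "__main__":
    for name, metrics in compare().items():
        print(name, metrics)
```

On the constructed data the severity-only ranking scores an AUPRC of about 0.21, essentially the 0.20 prevalence baseline, even though it is a perfectly valid severity ordering; the composite ranking reaches about 0.83 and puts both exploited CVEs inside the top three. The same base-rate reading applies to the abstract's figures, where the positive class (KEV membership) is rare and a CVSS AUPRC of 0.011 must be compared with the prevalence rather than with 1.0.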
Taxonomy
Topics: Information and Cyber Security · Web Application Security Vulnerabilities · Network Security and Intrusion Detection
