Integrating KVE, VPR, and Standard Vulnerability Severity Data to Calculate a Real-World Risk Score

Created by Peter Bassill, Modified on Thu, 20 Mar at 6:26 PM by Peter Bassill

In cybersecurity, not all vulnerabilities carry the same risk. Severity ratings such as those provided by the Common Vulnerability Scoring System (CVSS) are essential for understanding a vulnerability's potential technical impact, but they say nothing about whether anyone is actually exploiting it or whether the affected asset matters to your organisation. By integrating Known Vulnerability Exploitation (KVE) data, the Vulnerability Priority Rating (VPR), and standard severity ratings, we can produce a more actionable, context-driven metric called the Real-World Risk Score (RWRS). This score helps organisations focus on the most pressing security risks, directing remediation effort where it does most to reduce the likelihood of a successful attack.

This article explains how KVE, VPR, and severity ratings are combined to create the Real-World Risk Score and how this integrated approach enhances vulnerability management.


1. Overview of the Components: KVE, VPR, and Vulnerability Severity Ratings

Before diving into how we calculate the Real-World Risk Score, it’s important to understand each component and its role in vulnerability assessment.


1.1. Known Vulnerability Exploitation (KVE)

KVE refers to vulnerabilities that have documented, real-world exploits. This data provides insight into which vulnerabilities attackers are currently targeting or could easily weaponise.

Sources of KVE data:

  • Exploit databases (e.g., Exploit-DB)

  • Catalogues of vulnerabilities confirmed as exploited (e.g., the CISA Known Exploited Vulnerabilities catalogue)

  • Security research reports

  • Threat intelligence feeds

  • Real-world incidents and attack campaigns

KVE is crucial because it shifts the focus from theoretical risks to active threats.


1.2. Vulnerability Priority Rating (VPR)

VPR, a rating produced by Tenable products such as Tenable.io, builds on the CVSS base score by incorporating threat intelligence and exploitability data. VPR scores are dynamic, ranging from 0.1 to 10, and are recalculated as the threat picture changes. They are influenced by:

  • Active exploitation activity

  • Public availability of exploits

  • Predictive analytics on future risk

VPR helps organisations prioritise vulnerabilities based on current and emerging threat conditions.


1.3. Standard Vulnerability Severity Ratings (CVSS)

The Common Vulnerability Scoring System (CVSS) provides a static, baseline assessment of a vulnerability's potential impact. Its base score considers factors such as:

  • Attack vector (network, adjacent, local, or physical)

  • Attack complexity, privileges required, and user interaction (how hard is it to reach the vulnerable code, and what must the attacker already have?)

  • Impact on confidentiality, integrity, and availability (CIA triad)

CVSS scores range from 0 to 10 and are categorised as None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), or Critical (9.0 to 10.0). CVSS v3.x also defines temporal and environmental metric groups, but most scanners and advisories publish only the base score, which is why exploitation activity and asset context have to be supplied separately, as described below.


2. The Need for a Real-World Risk Score

While severity ratings, KVE data, and VPR are valuable on their own, they each have limitations:

  • CVSS focuses on technical potential rather than active risk.

  • KVE highlights active threats but does not consider vulnerability complexity or organisational context.

  • VPR adds dynamic context but may not fully align with an organisation's unique risk priorities.

By integrating these elements, the Real-World Risk Score (RWRS) provides a more comprehensive view of vulnerability risk, tailored to both the global threat landscape and organisational needs.


3. How We Calculate the Real-World Risk Score (RWRS)

Our Real-World Risk Score calculation combines multiple weighted factors, including CVSS, KVE, and VPR, along with additional risk modifiers. The result reflects the risk a vulnerability poses in the context of active threats and organisational priorities, rather than its severity on paper.

Here’s a breakdown of the calculation process.


3.1. Step 1: Baseline Severity Score (CVSS)

We start with the CVSS score to establish the potential technical impact of the vulnerability. This provides a static foundation based on the vulnerability's characteristics.

  • Example: A remote code execution (RCE) vulnerability might have a CVSS score of 9.0 (Critical) due to its ability to compromise an entire system remotely.


3.2. Step 2: Exploitability Assessment (KVE Integration)

Next, we integrate KVE data to determine whether the vulnerability is actively exploitable. The presence of a known exploit increases the risk level, and this factor is weighted heavily in the RWRS calculation.

Weights based on exploit status:

  • No known exploit: No adjustment

  • Exploit exists but is not widely used: Moderate increase

  • Exploit is actively used in the wild: Significant increase

Example: A vulnerability with a CVSS score of 6.5 can end up with a higher RWRS than a Critical vulnerability that has no known exploit if there is active exploitation (e.g., a ransomware campaign), raising its effective risk level.


3.3. Step 3: Threat Intelligence Context (VPR Integration)

We incorporate the VPR, which dynamically adjusts the risk score based on real-time threat intelligence. Factors influencing the VPR include:

  • Active exploitation campaigns

  • Public exploit availability

  • Similar vulnerabilities with historical exploitation patterns

The VPR provides additional context for vulnerabilities that may not yet have direct KVE data but show signs of becoming high-priority risks.


3.4. Step 4: Environmental and Business Impact Modifiers

The final step involves applying custom modifiers based on the organisation’s specific context. These factors help tailor the RWRS to reflect the potential business impact of exploitation.

Modifiers include:

  • Asset criticality: Vulnerabilities affecting critical infrastructure or sensitive data systems receive a higher risk score.

  • Network exposure: Vulnerabilities on internet-facing systems are prioritised over those restricted to internal networks.

  • Existing mitigations: If security controls (e.g., firewalls, access restrictions) reduce the likelihood of exploitation, the risk score is adjusted downward. Record which control the reduction depends on, so the score can be revisited if that control is changed or removed.


4. RWRS Example Calculation

Let’s walk through an example of how the Real-World Risk Score is calculated.

  1. Vulnerability: Remote code execution on a web server.

    • CVSS Score: 9.0 (Critical)

  2. KVE Data:

    • A public exploit is available, and threat intelligence indicates active exploitation by attackers.

    • Modifier: +20% risk increase

  3. VPR:

    • The VPR is dynamically assessed as 9.5, indicating that this vulnerability is currently a top priority due to active threats.

  4. Environmental Context:

    • The web server hosts a business-critical application and is publicly accessible.

    • Modifier: +15% risk increase

Final RWRS:
The Real-World Risk Score is calculated by combining these factors, resulting in an RWRS of 9.8, signalling immediate remediation priority. Note that the modifiers are combined within the 0 to 10 scale rather than simply added to the CVSS score: a 9.0 uplifted by 20% and then by a further 15% would otherwise exceed the ceiling, so the score saturates as it approaches 10 and remains comparable with CVSS and VPR values.
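The following is an added worked example and is not code from the original article; it implements the four steps of section 3 (baseline CVSS, KVE exploit status, VPR, environmental modifiers) and then scores the findings described in sections 3.2 and 4. The article does not publish its weighting, so the CVSS/VPR blend weights, the multiplier for each modifier tier, the mitigation discount, the Finding fields and the three sample findings are all assumptions constructed for this illustration. Because the weights differ from the article's, the public RCE example clamps to 10.0 rather than the article's 9.8; what the example demonstrates is the ordering the RWRS produces, with the cap applied so the result stays on the same 0 to 10 scale as CVSS and VPR.

```python
"""Illustrative Real-World Risk Score (RWRS) calculator.

Added example. Every weight and multiplier below is an assumption chosen for
illustration; it is not the article's published scheme.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ExploitStatus(Enum):
    """KVE exploit status, matching the three tiers in Step 2."""
    NONE = "no known exploit"
    AVAILABLE = "exploit exists, not widely used"
    ACTIVE = "exploited in the wild"


# Assumed blend weights: how much the base score leans on CVSS vs VPR.
CVSS_WEIGHT = 0.6
VPR_WEIGHT = 0.4

# Assumed multipliers per modifier tier (1.0 = no change).
KVE_MULTIPLIER = {
    ExploitStatus.NONE: 1.00,
    ExploitStatus.AVAILABLE: 1.10,
    ExploitStatus.ACTIVE: 1.20,
}
ASSET_MULTIPLIER = {"low": 0.90, "medium": 1.00, "critical": 1.15}
EXPOSURE_MULTIPLIER = {"internal": 1.00, "internet": 1.15}
MITIGATED_MULTIPLIER = 0.80  # compensating control in place (e.g. WAF, ACL)


@dataclass(frozen=True)
class Finding:
    """Hypothetical record of one scanner finding plus its context."""
    name: str
    cvss: float                   # CVSS base score, 0.0 to 10.0
    exploit: ExploitStatus        # KVE status (Step 2)
    vpr: Optional[float] = None   # Tenable VPR 0.1 to 10, if available (Step 3)
    asset: str = "medium"         # asset criticality tier (Step 4)
    exposure: str = "internal"    # network exposure tier (Step 4)
    mitigated: bool = False       # compensating control present (Step 4)


def blended_base(cvss: float, vpr: Optional[float]) -> float:
    """Steps 1 and 3: blend the static CVSS score with the dynamic VPR.

    When no VPR is available the CVSS score stands in for it, so the blend
    degrades gracefully to plain CVSS instead of silently discounting the finding.
    """
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    if vpr is None:
        vpr = cvss
    elif not 0.1 <= vpr <= 10.0:
        raise ValueError(f"VPR out of range: {vpr}")
    return CVSS_WEIGHT * cvss + VPR_WEIGHT * vpr


def rwrs(f: Finding) -> float:
    """Steps 2 and 4: apply KVE and environmental multipliers, then cap at 10."""
    score = blended_base(f.cvss, f.vpr)
    score *= KVE_MULTIPLIER[f.exploit]
    score *= ASSET_MULTIPLIER[f.asset]
    score *= EXPOSURE_MULTIPLIER[f.exposure]
    if f.mitigated:
        score *= MITIGATED_MULTIPLIER
    # Multiplicative uplifts can push past the scale; the clamp keeps the
    # result comparable with CVSS and VPR values.
    return round(min(max(score, 0.0), 10.0), 1)


def prioritise(findings: list[Finding]) -> list[tuple[str, float]]:
    """Return (name, RWRS) pairs, highest risk first."""
    scored = [(f.name, rwrs(f)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample findings mirroring the article's own examples.
SAMPLE_FINDINGS = [
    Finding("RCE on public web server", cvss=9.0, exploit=ExploitStatus.ACTIVE,
            vpr=9.5, asset="critical", exposure="internet"),
    Finding("Medium CVSS, active ransomware campaign", cvss=6.5,
            exploit=ExploitStatus.ACTIVE, exposure="internet"),
    Finding("Critical CVSS, internal only, no exploit, mitigated", cvss=9.8,
            exploit=ExploitStatus.NONE, mitigated=True),
]

if __name__ == "__main__":
    for name, score in prioritise(SAMPLE_FINDINGS):
        print(f"{score:4.1f}  {name}")
```

Running the script ranks the three constructed findings as 10.0, 9.0 and 7.8: the Medium-severity flaw under active exploitation on an internet-facing host (9.0) outranks the Critical-severity flaw that has no known exploit and sits behind a compensating control (7.8), which is the reordering the article argues a plain CVSS queue cannot deliver. In practice the multipliers would be agreed with asset owners (Step 4) and stored with the score so each rating can be audited later.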


5. Benefits of the Real-World Risk Score

Integrating KVE, VPR, and severity ratings into the RWRS offers several key benefits:


5.1. Enhanced Prioritisation

RWRS helps organisations focus on vulnerabilities that pose the most immediate and severe risks, reducing the likelihood of exploitation.


5.2. Context-Aware Risk Assessment

Unlike static severity scores, RWRS reflects both global threat intelligence and local business context, providing a tailored view of risk.


5.3. Reduced Alert Fatigue

By deprioritising vulnerabilities that are severe on paper but are not exploited, not exposed, or already mitigated, RWRS shrinks the set of findings marked as urgent, enabling security teams to allocate remediation effort where it matters.


6. Best Practices for Implementing RWRS

To maximise the effectiveness of the Real-World Risk Score, organisations should follow these best practices:

  1. Leverage Automation: Use vulnerability management tools that integrate CVSS, KVE, and VPR data to generate dynamic risk scores.

  2. Update Regularly: Continuously monitor threat intelligence and vulnerability data to ensure the RWRS reflects current risks.

  3. Align with Business Objectives: Collaborate with stakeholders to define asset criticality and impact modifiers.


7. Conclusion

The Real-World Risk Score (RWRS) combines the strengths of CVSS, KVE, and VPR to provide a comprehensive, actionable risk metric. By integrating real-world threat intelligence with technical severity data, organisations can make informed decisions about vulnerability remediation, reducing their overall security risk.

For assistance in implementing RWRS as part of your vulnerability management programme, contact our experts today.
