Open Access

ARTICLE

An Open and Adaptable Approach to Vulnerability Risk Scoring

Harri Renney1,*, Isaac V Chenchiah2, Maxim Nethercott1, Rohini Paligadu1, James Lang1

1 Kaze Technologies, Kaze Consulting, Bath, BA1 2HN, UK
2 School of Mathematics, University of Bristol, Bristol, BS8 1UG, UK

* Corresponding Author: Harri Renney.

Journal of Cyber Security 2025, 7, 221-238. https://doi.org/10.32604/jcs.2025.064958

Abstract

In recent years, the field of cybersecurity has expanded to encompass a deeper understanding of best practices, user behaviour, and the tactics, motivations, and targets of threat actors. At the same time, there is growing interest in how cyber data analytics can support informed decision-making at senior levels. Despite these broader advancements, the field still lacks a robust scientific foundation for accurately calculating cyber vulnerability risk. Consequently, vulnerabilities in hardware and software systems often remain unaddressed for extended periods, undermining the effectiveness of risk mitigation efforts. This paper seeks to address the gap in vulnerability risk prioritisation by defining a repeatable approach for building risk prioritisation formulae and detailing the building blocks necessary for practitioners to develop tailored vulnerability risk scoring systems. The approach leverages a two-layered system, where the global layer calculates vulnerability risk per CVE, and the local layer enriches the global CVE risk with additional contextual components per organisational system(s). To demonstrate the approach, an exemplar system called the V-Score was developed and evaluated in a user study. During the study, a vulnerability management team transitioned from using the CVSS score to the V-Score. Results indicate that the V-Score delivered improved risk prioritisation distributions, enhanced user experience, and provided greater predictive accuracy. Specifically, when identifying high-risk vulnerabilities referenced by the CERT Coordination Center, the V-Score achieved 75% accuracy and 52% recall, compared to 39% accuracy and 18% recall for the CVSS score. Thus, this paper addresses the identified gap in scientifically grounded risk calculation methods and contributes to the advancement of knowledge across both academic and industry domains.

Keywords

Vulnerability management; vulnerability risk; exploited vulnerability; CVSS; EPSS; V-Score

Cite This Article

APA Style
Renney, H., Chenchiah, I.V., Nethercott, M., Paligadu, R., Lang, J. (2025). An Open and Adaptable Approach to Vulnerability Risk Scoring. Journal of Cyber Security, 7(1), 221–238. https://doi.org/10.32604/jcs.2025.064958
Vancouver Style
Renney H, Chenchiah IV, Nethercott M, Paligadu R, Lang J. An Open and Adaptable Approach to Vulnerability Risk Scoring. J Cyber Secur. 2025;7(1):221–238. https://doi.org/10.32604/jcs.2025.064958
IEEE Style
H. Renney, I. V. Chenchiah, M. Nethercott, R. Paligadu, and J. Lang, “An Open and Adaptable Approach to Vulnerability Risk Scoring,” J. Cyber Secur., vol. 7, no. 1, pp. 221–238, 2025. https://doi.org/10.32604/jcs.2025.064958



Copyright © 2025 The Author(s). Published by Tech Science Press.
This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.