A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Research Challenges
Yuning Jiang, Nay Oo, Qiaoran Meng, Hoon Wei Lim, Biplab Sikdar
TL;DR
The paper addresses the challenge of prioritizing vulnerabilities in increasingly complex, interconnected systems by conducting a systematic literature review of 82 studies and introducing a novel taxonomy that organizes metrics into five classes: severity/impact, exploitability, contextual/environmental factors, predictive indicators, and aggregation. It analyzes methodologies (graph-based, ML/AI, multi-objective optimization, rule-based, statistical) and standards (CVSS, EPSS, CPE, CWE, SCAP), identifies gaps in dynamic, context-aware and scalable approaches, and emphasizes data quality and explainability as critical barriers to real-world adoption. The authors provide actionable insights and a research agenda aimed at bridging the gap between theory and practice, including adaptive metrics, threat-intelligence integration, and industrial applicability. Overall, the work offers a comprehensive framework for evaluating vulnerability prioritization methods and guiding future developments toward more dynamic, interpretable, and scalable solutions across domains and industries.
Abstract
In the highly interconnected digital landscape of today, safeguarding complex infrastructures against cyber threats has become increasingly challenging due to the exponential growth in the number and complexity of vulnerabilities. Resource constraints necessitate effective vulnerability prioritization strategies, focusing efforts on the most critical risks. This paper presents a systematic literature review of 82 studies, introducing a novel taxonomy that categorizes metrics into severity, exploitability, contextual factors, predictive indicators, and aggregation methods. Our analysis reveals significant gaps in existing approaches and challenges with multi-domain applicability. By emphasizing the need for dynamic, context-aware metrics and scalable solutions, we provide actionable insights to bridge the gap between research and real-world applications. This work contributes to the field by offering a comprehensive framework for evaluating vulnerability prioritization methodologies and setting a research agenda to advance the state of practice.
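As an added illustration (not code from the paper or its authors), the Python sketch below shows how the five metric classes of the taxonomy can feed one aggregation step: a CVSS base score for severity, the attack vector for exploitability, an EPSS probability as the predictive indicator, asset criticality and exposure as context, and a weighted sum as the aggregation, with the per-class breakdown kept so the resulting rank can be explained. The weights, field names and sample findings are constructed assumptions, not values the survey prescribes.

```python
from dataclasses import dataclass

# Constructed sample findings (not from the paper). cvss_base and epss mirror
# the CVSS/EPSS standards the survey discusses; the remaining fields stand in
# for the contextual and exploitability classes of its taxonomy.
@dataclass
class Finding:
    cve_id: str                  # placeholder label, not a real CVE entry
    cvss_base: float             # severity/impact class (0.0 - 10.0)
    attack_vector_network: bool  # exploitability class (remote vs local)
    epss: float                  # predictive indicator class: probability 0.0 - 1.0
    asset_criticality: int       # contextual class: 1 (low) .. 5 (crown jewel)
    internet_exposed: bool       # contextual class

# Assumed weights for the aggregation class; an illustration, not values the
# paper prescribes. They sum to 1 so the final score stays in [0, 1].
WEIGHTS = {"severity": 0.30, "exploitability": 0.15, "predictive": 0.30, "context": 0.25}

def component_scores(f: Finding) -> dict:
    """Normalise each taxonomy class to [0, 1] so classes can be compared."""
    return {
        "severity": f.cvss_base / 10.0,
        "exploitability": 1.0 if f.attack_vector_network else 0.4,
        "predictive": f.epss,
        "context": ((f.asset_criticality - 1) / 4.0) * (1.0 if f.internet_exposed else 0.5),
    }

def priority_score(f: Finding) -> float:
    """Weighted-sum aggregation of the normalised components."""
    parts = component_scores(f)
    return sum(WEIGHTS[k] * parts[k] for k in WEIGHTS)

def rank(findings: list) -> list:
    """Highest priority first; ties broken by CVSS so the order is deterministic."""
    return sorted(findings, key=lambda f: (priority_score(f), f.cvss_base), reverse=True)

SAMPLE = [
    Finding("CVE-PLACEHOLDER-1", 9.8, True, 0.02, 1, False),   # critical CVSS, isolated low-value host
    Finding("CVE-PLACEHOLDER-2", 7.5, True, 0.91, 5, True),    # high CVSS, likely exploited, exposed crown jewel
    Finding("CVE-PLACEHOLDER-3", 5.3, False, 0.10, 3, False),  # medium CVSS, local only
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f.cve_id, round(priority_score(f), 3), component_scores(f))
```

Sorting by CVSS alone would put the first sample finding on top; once exploit likelihood and asset context enter the aggregation, the second finding ranks first, which is the context-aware behaviour the survey argues severity-only schemes lack.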
