Measuring vs. Modeling

Andrea Bailiff-Gush    December 10, 2013

This month our data scientist Michael Roytman is featured in the USENIX Association’s Journal alongside Dan Geer. Their article harkens back to our long-running theme of focusing on remediating the vulnerabilities which _actually_ generate risk for your environment. Michael and Dan argue that using CVSS as a guide for remediation is not only ineffective at identifying vulnerabilities likely to be exploited, it is also a less cost-efficient way to run a security practice.

To quote from the article…

“Using CVSS to steer remediation is nuts, ineffective, deeply
diseconomic, and knee jerk; given the availability of data it is also
passé, which we will now demonstrate.”

Take a look at the article for yourself:
