Measuring vs. Modeling

Andrea Bailiff-Gush    December 10, 2013

This month our data scientist Michael Roytman is featured in the USENIX Association’s Journal alongside Dan Geer. Their article harkens back to our long-running theme of focusing on remediating the vulnerabilities which _actually_ generate risk for your environment. Michael and Dan argue that using CVSS as a guide for remediation is not only ineffective at identifying vulnerabilities likely to be exploited, it is also a less cost-efficient way to run a security practice.

To quote from the article…

“Using CVSS to steer remediation is nuts, ineffective, deeply
diseconomic, and knee jerk; given the availability of data it is also
passé, which we will now demonstrate.”

Take a look at the article for yourself: https://www.usenix.org/system/files/login/articles/14_geer-online_0.pdf
