What is Risk-Based Vulnerability Management?

Jul 9, 2020
Jason Rolleston
Chief Product Officer


Risk-based vulnerability management (RBVM) is a cybersecurity strategy in which organizations prioritize remediation of software vulnerabilities according to the risk each one poses to the organization. A risk-based vulnerability management strategy has several components:

  1. Risk-based programs use threat intelligence to identify the vulnerabilities attackers are discussing, experimenting with, or actively using.
  2. They use this intelligence to generate risk scores based on the likelihood of exploitation.
  3. They take into account the business context of each asset, because intrusion into some segments of a network may be more damaging, or more likely, than intrusion into others.
  4. By combining vulnerability risk assessment with asset criticality, they focus patching effort on the vulnerabilities that are most likely to be exploited and that reside on the most critical systems.


The need for risk-based vulnerability management


The need for risk-based vulnerability management is driven by the fact that large enterprise networks contain more vulnerabilities than their cybersecurity teams can fix. Simply put, the scale of vulnerability management at large organizations makes the practice challenging. Cybersecurity executives at large organizations are responsible for, on average, 80,000 IT assets, including laptops, servers, routers, and internet-connected printers. Combined, these assets may hold 40 million vulnerabilities. However, research by Kenna Security shows that companies have, on average, the capacity to remediate just one out of every ten vulnerabilities on their systems.

Traditionally, organizations prioritized the vulnerabilities they needed to patch according to a mix of gut feeling, regulatory and compliance needs, and the theoretical damage a successful attack could do. For example, one common metric, the Common Vulnerability Scoring System (CVSS), scores a vulnerability according to the damage it could do if exploited. But many vulnerabilities with high CVSS scores pose little or no risk of actually being exploited. Patching a vulnerability that is not likely to be exploited represents a waste of scarce resources.

Sounds pretty hopeless, right? It certainly has been for many companies, but that’s where risk-based vulnerability management comes in. If you look at the behavior of real-world hackers, they attack only a small subset of security flaws. Our research indicates that only 5 percent of enterprise vulnerabilities have known exploitation events. Therefore, organizations can drastically improve their security and minimize their risk by identifying and remediating the small subset of vulnerabilities prone to exploitation.


How to succeed with a risk-based vulnerability management program


The success of risk-based vulnerability management depends on the quality of the data used to predict exploitability. Since 2009, data scientists at Kenna Security have worked to identify the factors that drive threat actors' choice of which vulnerabilities to exploit and weaponize. Some examples of the factors that predict whether a vulnerability will be weaponized include:

  • Applications developed by some vendors are more likely to be exploited than those of others.
  • Vulnerabilities that enable code execution, especially remote code execution, tend to be pursued by bad actors.
  • The publication of a proof-of-concept exploit on public websites tends to make full weaponization more likely.


With knowledge of which factors make a vulnerability more likely to be exploited, security teams can not only prioritize vulnerabilities that pose an immediate risk but also patch software flaws before an exploit is developed. 
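The following is an added illustration of the approach described above (likelihood-of-exploitation signals from the factors just listed, combined with the asset criticality from the components list); it is not Kenna Security's model, and the weights, identifiers and sample findings are constructed for the example. It shows why a "critical" CVSS finding with no exploitation evidence can rank below a medium-severity flaw that is actively exploited on a business-critical system.

```python
"""Toy risk-based prioritization: exploitation likelihood x asset criticality.

Constructed example with invented weights; a real program would fit them to
threat intelligence and observed exploitation data as the post describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str            # constructed placeholder id, not a real CVE
    cvss: float             # theoretical severity, 0..10
    rce: bool               # enables (remote) code execution
    poc_public: bool        # proof-of-concept exploit has been published
    exploited: bool         # known exploitation events in the wild
    asset_criticality: int  # business context of the host, 1 (low) .. 5 (crown jewels)


def exploit_likelihood(v: Vuln) -> float:
    """Score in [0, 1] built from the predictive factors the post lists.
    Constructed weights: evidence of active exploitation dominates; a public
    PoC and code-execution impact each raise the baseline."""
    score = 0.05                  # base rate: roughly 5% of vulns see exploitation
    if v.rce:
        score += 0.15
    if v.poc_public:
        score += 0.25
    if v.exploited:
        score = max(score, 0.90)  # active exploitation trumps the other signals
    return min(score, 1.0)


def risk_score(v: Vuln) -> float:
    """Risk = likelihood x impact; impact blends CVSS with asset criticality (1..5 -> 0.2..1.0)."""
    return round(exploit_likelihood(v) * v.cvss * (v.asset_criticality / 5), 2)


def prioritize(vulns):
    """Return the findings sorted so the first item is what to patch first."""
    return sorted(vulns, key=risk_score, reverse=True)


# Constructed sample: a CVSS 9.8 finding with no exploitation evidence on a low-value
# lab host, versus a CVSS 6.5 flaw that is actively exploited on a crown-jewel system.
SAMPLE = [
    Vuln("VULN-A", 9.8, rce=True, poc_public=False, exploited=False, asset_criticality=1),
    Vuln("VULN-B", 6.5, rce=False, poc_public=True, exploited=True, asset_criticality=5),
    Vuln("VULN-C", 7.5, rce=True, poc_public=True, exploited=False, asset_criticality=3),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.vuln_id}: risk={risk_score(v):5.2f} cvss={v.cvss} p(exploit)={exploit_likelihood(v):.2f}")
```

Run as a script it prints the three findings in patch order, with VULN-B first despite having the lowest CVSS of the three.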


The risk-based vulnerability management revolution


Risk-based vulnerability management is revolutionizing the way large organizations approach vulnerability management. By prioritizing vulnerabilities likely to be exploited, a risk-based system drives tremendous efficiency gains while improving risk posture. To be clear, a risk-based vulnerability strategy will leave some vulnerabilities unpatched, but it allows companies to do so with confidence that these weaknesses pose an acceptably low level of risk to the overall security of the company. It is this ability to defer work that opens up efficiency gains and reduces the risk of IT outages caused by excessive change. At the same time, security risk is reduced. Risk-based vulnerability management really is a win-win for IT and Security.


Interested in learning more about how Kenna’s approach to RBVM works? Book a guided tour with one of our security experts now.

© 2022 Kenna Security. All Rights Reserved.