Reply to post: Re: The logical next step is the two-dimensional risk rating approach

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

Anonymous Coward

Re: The logical next step is the two-dimensional risk rating approach

I don't think the scoring is the real issue. The real issue is the way risk is determined.

Most security frameworks define risk as threat * vulnerability.

The trouble with that is that vulnerabilities are generally easier to identify than threats.

That's what I think this researcher is pointing out, i.e. you can have a couple of relatively low scoring vulnerabilities which wouldn't be prioritised if they aren't aligned with some sort of high scoring threat, thus providing a low risk rating in a risk assessment, which in turn leads to the vulnerabilities not being dealt with or compensated for.

I think the vulnerability scoring system is... OK. Threat identification, not so much. With threat identification being as woolly as it is, it makes risk assessment less accurate and prone to error.
