
Risk Prioritization: An Examination of Published Exploitability Ratings

Published: 27 Jan, 2022
Created by:
Anthony Switzer

Businesses struggle to prioritize the remediation of vulnerabilities in their environment. One tactic a business takes to prioritize remediation is identifying which vulnerability is likely to present the highest risk. To help customers evaluate the risk from a vulnerability, Microsoft’s Security Response Center (MSRC) classifies Common Vulnerabilities and Exposures (CVEs) with a Microsoft exploitability index rating. The rating is based on Microsoft’s experience and a community approach (Microsoft, n.d.). When using a source of information such as MSRC’s exploitability index rating to prioritize the risk to a business, it is essential for analysts to have confidence in the data. Confidence in data is likely to increase as multiple sources provide congruent information on CVEs. This research will focus on assessing the congruency of MSRC’s exploitability index rating with a threat intelligence feed to identify if an exploit is known for a CVE and to determine the likelihood a business can rely on the data provided by MSRC.