Thesis: Is the CVSS score enough to determine the company's IT-security risk?


The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated based on a formula that depends on several metrics that approximate ease and impact of an exploit. Scores range from 0 to 10, with 10 being the most severe. While many utilize only the CVSS Base score for determining severity, temporal and environmental scores also exist, to factor in availability of mitigations and how widespread vulnerable systems are within an organization, respectively. Security Operations Center and VM teams often use the CVSS score to determine the company's IT-security risk. But how good is the CVSS score for this purpose? Does it really show the actual risk?

Short description of the thesis:
This is a literature study.
There are multiple remediation prioritization strategies that can be examined and evaluated. Below is a list of common strategies that can act as inspiration and be a starting point for further investigations:
  • CVSS score. Prioritize remediations starting with the vulnerabilities with the highest score.
  • Vulnerabilities per asset. Prioritize remediations starting with the assets with the greatest number of vulnerabilities.
  • Prediction. Use a prediction algorithm for prioritization, e.g. the Exploit Prediction Scoring System (EPSS).
  • Vulnerability lists. Prioritize actively exploited vulnerabilities found on security lists CISA,

The outcome from this thesis is a risk-based analysis and recommendation of IT vulnerability remediation strategies suitable for a large international transport company.
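
An added illustration, not part of the original posting: the four strategies listed above applied to one constructed inventory, showing how differently they order the same findings. All vulnerability identifiers, asset names, CVSS scores, EPSS values and known-exploited flags are constructed assumptions.

```python
from collections import Counter
from typing import NamedTuple


class Finding(NamedTuple):
    vuln: str        # placeholder identifier, not a real CVE
    asset: str
    cvss: float      # CVSS base score, 0-10
    epss: float      # EPSS exploitation probability, 0-1
    exploited: bool  # present on a known-exploited vulnerability list


# Constructed sample inventory (all values are made up for illustration).
FINDINGS = [
    Finding("VULN-A", "web-01", 9.8, 0.02, False),
    Finding("VULN-B", "web-01", 7.5, 0.91, True),
    Finding("VULN-C", "db-01", 5.3, 0.64, True),
    Finding("VULN-D", "hr-laptop", 8.8, 0.01, False),
    Finding("VULN-E", "hr-laptop", 6.1, 0.03, False),
    Finding("VULN-F", "hr-laptop", 4.3, 0.05, False),
]


def by_asset_count(fs):
    """Assets with the most findings first, highest CVSS first within an asset."""
    n = Counter(f.asset for f in fs)
    return sorted(fs, key=lambda f: (-n[f.asset], f.asset, -f.cvss))


STRATEGIES = {
    "cvss": lambda fs: sorted(fs, key=lambda f: -f.cvss),
    "asset_count": by_asset_count,
    "epss": lambda fs: sorted(fs, key=lambda f: -f.epss),
    # Known-exploited findings first, CVSS as the tie-breaker.
    "exploited_list": lambda fs: sorted(fs, key=lambda f: (not f.exploited, -f.cvss)),
}


def top_ids(strategy, k=3, fs=FINDINGS):
    """Identifiers of the first k findings the strategy would remediate."""
    return [f.vuln for f in STRATEGIES[strategy](fs)[:k]]


def exploited_in_top(strategy, k=3, fs=FINDINGS):
    """How many of the first k remediations address a known-exploited finding."""
    return sum(f.exploited for f in STRATEGIES[strategy](fs)[:k])


if __name__ == "__main__":
    for name in STRATEGIES:
        print(f"{name:15} top3={top_ids(name)} exploited_in_top3={exploited_in_top(name)}")
```

On this sample, with capacity for three remediations, the CVSS-first order reaches only one of the two known-exploited findings and the per-asset order reaches none.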

Contact information:
Monica Andersson,


  • Workplace: Group IT
  • 1 position
  • 6 months or longer
  • Full-time
  • Fixed monthly, weekly or hourly salary
  • Published: 5 October 2022
  • Apply by: 5 November 2022
