CAVP: A context-aware vulnerability prioritization model

Highlights:
• Step-by-step process of vulnerability prioritization for risk management.
• Temporal-enabled vulnerability scores using expert-validated heuristic rules.
• Context-aware vulnerability scoring with visualization for better prioritization.
• Two practical use cases highlight the usefulness of the CAVP model.

Bibliographic details
Published in: Computers & Security, 2022-05, Vol. 116, p. 102639, Article 102639
Main authors: Jung, Bill; Li, Yan; Bechor, Tamir
Format: Article
Language: English

Description
Summary: With the growing number of vulnerabilities and increasingly advanced attacks, known software security vulnerabilities need to be managed more efficiently through prioritization and contextualization. The current industry-standard approach to vulnerability management at scale is limited for two reasons. First, it does not automatically capture the temporal characteristics of Common Vulnerabilities and Exposures (CVE) entries, i.e., how the status of a CVE changes over time (exploit availability, remediation, confidence in the report). Second, it requires manual labor to prioritize the identified vulnerabilities. To address these limitations, this research designs a context-aware vulnerability prioritization (CAVP) model that calculates temporal-enabled vulnerability scores for CVEs and prioritizes them visually. The CAVP model includes an enhanced Context-Aware Vulnerability Scoring System (CAVSS) that automatically derives the temporal metric values of CVEs through a set of expert-validated heuristic rules. The CAVP model is the first attempt to provide a step-by-step vulnerability prioritization process that can be integrated into an organization's risk management workflow. Implementation of the CAVP model in two organizations validates its usefulness.
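To make the idea of a "temporal-enabled score" concrete, the following is an added illustration, not code from the paper and not its CAVSS. It applies the CVSS v3.1 temporal equation, Roundup(Base × ExploitCodeMaturity × RemediationLevel × ReportConfidence), with the metric weights and Roundup function from the CVSS v3.1 specification, and derives the three temporal metrics from a handful of hypothetical rules over constructed context flags (listing in a known-exploited catalogue, public exploit, vendor patch, workaround, vendor confirmation). The rules, the `CveContext` fields and the placeholder CVE identifiers in the sample inventory are assumptions for illustration only; the paper's expert-validated rules are not reproduced here.

```python
"""Temporal CVSS v3.1 scoring driven by simple heuristic rules (added illustration)."""
from dataclasses import dataclass

# Temporal metric weights from the CVSS v3.1 specification (section 7.4).
EXPLOIT_CODE_MATURITY = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
REMEDIATION_LEVEL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
REPORT_CONFIDENCE = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal number >= value.

    Uses the integer method from the specification to avoid floating-point
    artefacts (e.g. 4.000000001 rounding up to 4.1).
    """
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (int_input // 10000 + 1) / 10.0


def temporal_score(base: float, e: str, rl: str, rc: str) -> float:
    """Temporal = Roundup(Base x E x RL x RC) per CVSS v3.1."""
    return roundup(base * EXPLOIT_CODE_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


@dataclass
class CveContext:
    """Constructed context an organisation might gather for a CVE (assumed fields)."""
    cve_id: str
    base_score: float
    in_known_exploited: bool   # listed in a known-exploited-vulnerabilities catalogue
    public_exploit: bool       # a functional public exploit is available
    vendor_patch: bool         # an official fix is available
    workaround_only: bool      # only a mitigation/workaround is available
    confirmed_by_vendor: bool  # the vendor has confirmed the vulnerability


def derive_temporal_metrics(ctx: CveContext) -> tuple[str, str, str]:
    """Hypothetical heuristic rules; NOT the paper's expert-validated rules."""
    if ctx.in_known_exploited:
        e = "H"          # exploited in the wild -> Exploit Code Maturity: High
    elif ctx.public_exploit:
        e = "F"          # working exploit published -> Functional
    else:
        e = "U"          # nothing public -> Unproven
    if ctx.vendor_patch:
        rl = "O"         # Official Fix
    elif ctx.workaround_only:
        rl = "W"         # Workaround
    else:
        rl = "U"         # Unavailable
    rc = "C" if ctx.confirmed_by_vendor else "R"   # Confirmed vs. Reasonable
    return e, rl, rc


def prioritize(contexts: list[CveContext]) -> list[tuple[str, float, str]]:
    """Score every CVE with derived temporal metrics and sort highest score first."""
    rows = []
    for ctx in contexts:
        e, rl, rc = derive_temporal_metrics(ctx)
        score = temporal_score(ctx.base_score, e, rl, rc)
        rows.append((ctx.cve_id, score, f"E:{e}/RL:{rl}/RC:{rc}"))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


# Constructed sample inventory with placeholder identifiers (not real CVEs).
SAMPLE_INVENTORY = [
    CveContext("CVE-0000-0001", 9.1, False, False, True, False, False),  # high base, patched, no exploit
    CveContext("CVE-0000-0002", 7.8, True, True, False, False, True),    # exploited in the wild, unpatched
    CveContext("CVE-0000-0003", 7.5, False, True, False, True, False),   # public exploit, workaround only
]

if __name__ == "__main__":
    # Base-score order would be 0001, 0002, 0003; temporal context moves 0002 to the top.
    for cve_id, score, metrics in prioritize(SAMPLE_INVENTORY):
        print(f"{cve_id}  temporal={score:4.1f}  ({metrics})")
```

Note that the base-score ordering (9.1, 7.8, 7.5) and the temporal ordering differ: the actively exploited, unpatched entry outranks the higher-base entry that already has an official fix, which is exactly the effect context-aware scoring is meant to produce. Replace the hypothetical rules with ones tied to your own evidence sources before relying on the output.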
ISSN: 0167-4048 (print), 1872-6208 (online)
DOI: 10.1016/j.cose.2022.102639