1. Introduction
Cyber-attacks have the potential to inflict a range of adverse consequences on organizations, including physical or digital damage, economic losses, psychological distress, reputational damage, and broader social and societal disruptions [1]. To effectively defend against the wide range of such threats [2], organizations require innovative approaches to cybersecurity.
Conventional cybersecurity strategies, including risk assessment and risk management frameworks such as ISO 31000:2018 [3] and the National Institute of Standards and Technology (NIST) Special Publication 800-37 Risk Management Framework [4], are insufficient for sustaining an organization’s security posture in contemporary, rapidly changing environments. Although these frameworks provide a foundational approach, they are limited in their ability to adapt to the dynamic and evolving threat landscape [5] in which modern organizations operate.
In response to the limitations of traditional approaches, the scientific community has proposed various dynamic risk assessment (DRA) frameworks and models. Our previous work [6] has demonstrated that the majority of these frameworks rely on Bayesian networks as the primary analysis method for evaluating changes in the probability or likelihood of threat occurrence. This is based on the premise that risk can be assessed as a function of probability, impact, and vulnerability. In addition, most DRA frameworks lack the capability to provide actionable information regarding potential mitigation strategies.
In this study, we introduce a novel dynamic risk assessment and mitigation methodology. The proposed model consists of four modules. The first module is responsible for retrieving essential external information. Specifically, our methodology utilizes Common Vulnerabilities and Exposures (CVE) records to obtain the relevant Common Vulnerability Scoring System (CVSS) metrics, leveraging the National Vulnerability Database (NVD) and the CVSS 3.x framework. Additionally, the model uses the CVEs to retrieve Exploit Prediction Scoring System (EPSS) scores and Common Weakness Enumeration (CWE) records. These are further linked to matching Common Attack Pattern Enumeration and Classification (CAPEC) entries. Finally, the model checks whether a detected CVE appears in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog.
The second module is responsible for creating multiple risk scenarios by considering identified vulnerabilities, environment-specific factors and the attacker’s perspective. The third module integrates the output of the second module, along with the information gathered by the first module, to produce proactive and dynamic risk assessments for each of the generated risk scenarios, and the fourth module attaches KEV status and CAPEC-based mitigation suggestions to each scenario.
The innovation of the proposed methodology lies in its integration of Bayesian networks to dynamically and proactively update threat probabilities, combined with the dynamic adjustment of vulnerability severity values using Fuzzy Cognitive Maps. These updates are further integrated with impact estimation to generate accurate, dynamic, and proactive risk assessments. By providing proactive risk estimates alongside tailored mitigation suggestions, this work offers organizations actionable insights to reduce the estimated risk before incidents occur. Furthermore, the methodology addresses the limitations of subjective cybersecurity evaluations, which are often imprecise or unreliable [7], by employing objective data collection and analysis.
The remainder of this paper is structured as follows: Section 2 provides the background information pertinent to this study, while Section 3 presents a review of related work. Section 4 outlines the proposed methodology, followed by a comprehensive application of this methodology within an artificial environment in Section 5. Section 6 discusses the outcomes derived from the application of our methodology, and Section 7 analyzes the study’s findings, compares them with related research and discusses the limitations of the proposed model. Finally, Section 8 concludes the study and provides insights into potential directions for future work.
2. Background
The CVE program, operated by MITRE [8], functions as a comprehensive repository for cataloging individual cybersecurity vulnerabilities. Widely regarded as an industry standard, the CVE initiative facilitates the identification, definition, and public disclosure of vulnerabilities. Each vulnerability is assigned a unique identifier, referred to as a CVE-ID, which follows the format CVE-YYYY-NNNN: YYYY is the year in which the ID was assigned or the vulnerability was made public, and NNNN is a sequence number of four or more digits. For instance, CVE-2019-11510 denotes a vulnerability whose ID was assigned in 2019.
The CVSS [9] provides an open and standardized framework for describing the characteristics and severity of vulnerabilities. Each CVSS assessment is represented by a vector string, which acts as a concise textual summary of the metric values used to compute the vulnerability’s score. This study utilizes version 3.x of the CVSS to evaluate CVEs, with a particular emphasis on the exploitability and impact subscores.
The NVD [10] serves as the official repository of the U.S. government for comprehensive data related to standards-compliant vulnerability management. Within the NVD, CVEs from the CVE list undergo detailed analysis, encompassing a thorough examination of CVE descriptions, references, and supplementary publicly available data. The process results in the assignment of metrics using the CVSS framework. Specifically, the NVD publishes CVSS 3.x Base metrics, including the exploitability and impact subscores used in this study; the Temporal and Environmental metric groups are defined by the standard but are not scored by the NVD and must be supplied by the consuming organization. It is also important to note that many older vulnerabilities in the NVD carry only CVSS 2.0 scores, and that, at the time of writing, the NVD had not yet adopted the newer CVSS 4.0 framework for scoring.
The EPSS [11] model synthesizes vulnerability-related data from various sources to generate quantitative predictions of the likelihood that a vulnerability will be exploited within the next 30 days. Leveraging machine learning techniques, EPSS identifies patterns and correlates vulnerability information with observed exploitation activity. This process produces an exploitation probability score for each CVE, influenced by factors such as the age of the vulnerability, the availability of publicly accessible exploit code, and other pertinent considerations. In the context of its application within the risk calculation equation, the EPSS model’s authors explicitly recommend that EPSS scores be used as part of the threat component rather than the vulnerability component.
The CWE [12] is an extensive catalog of prevalent software and hardware weaknesses, collaboratively identified and maintained by the cybersecurity community. A weakness is defined as a condition in hardware, firmware, or software that can contribute to the emergence of vulnerabilities under specific circumstances. Each weakness is assigned a unique identifier, referred to as a CWE-ID, which facilitates the specification and tracking of individual weaknesses. The NVD enables users to associate specific CVE-IDs with corresponding CWE-IDs, providing insights into the underlying weaknesses that contribute to particular vulnerabilities. Notably, a single CWE may be linked to multiple CVE-IDs, as a single type of weakness can result in multiple distinct vulnerabilities. In this study, the NVD website and API are utilized to correlate CVEs with CWEs, although similar functionality is also available through the MITRE CWE website.
The CAPEC initiative [13] serves as a comprehensive repository of common attack patterns that adversaries may employ, enabling users to understand how system weaknesses can be exploited. CAPEC provides detailed descriptions of the techniques adversaries might utilize to exploit these weaknesses effectively. Additionally, the CAPEC framework includes suggested mitigations for the majority of the attack patterns, which are specified under the “mitigations” field, offering guidance for reducing the risk of exploitation.
The CISA KEV Catalog [14] is a publicly accessible database maintained by the U.S. Cybersecurity and Infrastructure Security Agency. It is designed to support the cybersecurity community and network defenders in effectively managing vulnerabilities. CISA strongly advises the prompt remediation of vulnerabilities listed in the catalog. To qualify for inclusion in the KEV Catalog, a vulnerability must meet the following criteria:
It must have an assigned CVE-ID.
There must be credible evidence demonstrating active exploitation of the vulnerability in the wild.
A clear remediation measure, such as a vendor-provided update, must be available for the vulnerability.
3. Related Work
Mo et al. [15] proposed a quantitative model for assessing the cybersecurity risk of firms, utilizing a hierarchical Bayesian network to evaluate security posture. Within this framework, the influence of vulnerabilities is mapped to the overall risk score based on threat information, such as breach statistics. By leveraging Bayesian inference, the model enables dynamic risk assessment, allowing firms to update their risk evaluations. The effectiveness of the proposed methodology is validated through its application in a network security environment, demonstrating its ability to assess cyber risk.
Zhang et al. [16] proposed a model for quantitatively assessing risk in Industrial Production Systems by evaluating the likelihood and impact of abnormal events. The model combines two key components, probability inference and loss calculation, to deliver real-time risk evaluations. By utilizing an Extended Multilevel Flow Model (EMFM), it quantitatively represents the production process, facilitating the prediction of the consequences of abnormal events. A Bayesian network, built upon the EMFM, is employed to estimate the probabilities of such events, integrating predefined control strategies and data from an Intrusion Detection System (IDS).
Peng et al. [17] proposed a method for quantifying cyber risk in Industrial Control System (ICS) environments. This approach integrates real-time attack evidence into a Bayesian network, which is enriched with ICS security knowledge, including vulnerabilities, system functions, potential accidents, and critical assets. The Bayesian network generates probabilities of event occurrences, which are combined with impact assessments to compute real-time risk.
Cam et al. [18] introduced a model for dynamically and quantitatively assessing network risks. Using a vulnerability scanner to detect system weaknesses, the model employs a Bayesian network to capture relationships between vulnerabilities and extends the CVSS framework by considering asset criticality, current damage, and inter-vulnerability effects. Additionally, a Hidden Markov Model is used to dynamically evaluate exploitation likelihoods based on observations from intrusion detection systems and firewalls. Risk is estimated by identifying probable exploitation paths and their impacts.
Debnath et al. [19] proposed HPCvul, a novel framework for vulnerability and risk assessment in High-Performance Computing (HPC) networks. Using the NVD repository, CVSS scoring, and other tools like IDS, HPCvul deploys agents within HPC sub-networks to gather system data, including configurations, services, software, and topology. A Bayesian network performs real-time risk assessment by analyzing vulnerabilities and their dependencies, identifying potential attack paths, and estimating the likelihood of compromise. Quantitative risk metrics are provided to support security decisions.
Abraham et al. [20] proposed a model to assess the current and future security posture of an enterprise network. To predict how security will evolve over time, the model constructs an attack graph capturing the inter-dependencies of identified software vulnerabilities. Using CVSS metrics, it determines the initial severity of vulnerabilities and their progression. A Markov model is then applied to explain attack scenarios, with success probabilities represented as probabilistic paths.
Kanoun et al. [21] proposed a model to bridge the gap between technical and organizational risk in information and communication technology systems. They introduced two key concepts: Elementary Risk (ER), representing the impact of a single technical attack on a strategic asset (e.g., a server), and Composite Risk (CR), which aggregates ERs based on specific criteria (technical or organizational). The model includes:
An attack graph generator using system topology and a vulnerability database (e.g., NVD).
ER instantiation, leveraging attack graphs and organizational data on assets, supporting assets, and detrimental events.
ER calculation, where likelihood is determined via Markov modeling and impact reflects the consequences of attack scenarios.
CR calculation by aggregating ERs.
Result analysis.
Rios et al. [22] proposed a framework to quantitatively analyze cyber risk scenarios in parts of IoT-based smart grid systems. The model is based on the attack-defense trees framework, which is used to calculate key risk metrics. In addition, the method provides risk sensitivity analysis to evaluate different attack scenarios, enabling the optimization of risk strategies and minimizing the estimated risk. The validity of the proposed model is demonstrated through a real-world smart building energy efficiency application.
Alhomidi et al. [23] proposed an attack graph model designed to quantify risks associated with various distinct attack paths within a network. Each attack path is treated as an independent attack scenario, spanning from the attack source to the target. By estimating the likelihood of an attacker exploiting specific vulnerabilities and assessing the potential impact in monetary terms, the model facilitates the identification and prioritization of high-risk paths. A genetic algorithm is utilized to explore the extensive range of possible attack paths.
Lyu et al. [24] introduced a dynamic risk assessment methodology to quantitatively evaluate risk in Cyber-Physical Systems (CPS). The model incorporates vulnerability nodes and machine nodes, representing systems accessible to attackers upon exploiting vulnerabilities. Initial probabilities of exploitation are calculated using the CVSS exploitability equation. Conditional Probability Tables (CPTs) are constructed using logic gates, as described by Poolsappasit et al. [25]. These elements, combined with the network topology, enable the estimation of posterior probabilities, which are further integrated with impact assessments to determine risk. The authors employed GeNIe to simulate the model and assess its accuracy.
Dimitriadis et al. [26] developed a risk assessment approach for smart sensor environments that combines business process management with established security standards and frameworks. The model utilizes the CVE–CWE–CAPEC pathway to evaluate the likelihood of successful attacks based on identified CVEs. These likelihoods are then qualitatively combined with their impact on the Confidentiality, Integrity, and Availability (C-I-A) attributes to calculate overall risk.
Lyvas et al. [27] proposed a hybrid threat hunting and dynamic risk analysis methodology for CPS. The authors leverage the CVE–CWE–CAPEC pathway to associate identified vulnerabilities with attack patterns, enhancing threat modeling. The CVSS framework is utilized to evaluate vulnerability severity by incorporating exploitability and impact metrics. Additionally, the study introduces an automated threat occurrence estimation approach based on CVE data, asset type, vendor, and historical exploitability trends. The overall risk assessment is derived by integrating threat occurrence, vulnerability severity, and system-specific C-I-A requirements.
Vasilyev et al. [28] proposed a cybersecurity risk assessment model tailored for ICS. The model incorporates known vulnerabilities along with the CAPEC framework to construct potential attack pathways. It then utilizes Fuzzy Cognitive Maps (FCM) alongside the CVSS framework to calculate the system’s overall risk exposure.
Gonzalez et al. [29] proposed a Dynamic Risk Management Response System (DBRMS) designed to quantify risks and generate response plans to address cyber threats dynamically. The system employs an attack graph generator, which uses data on device connections, a vulnerability inventory, and a business model (e.g., critical assets) to identify possible attack scenarios. Markov chains estimate the likelihood of attack success based on the difficulty of exploiting vulnerabilities, while impacts are calculated from the consequences on critical business devices. The system quantifies risks by combining threat probabilities from various threat scenarios along with impact. Response plans, created from internal organizational data such as security policies, recommend actions such as rebooting or isolating devices to mitigate threats. Experiments on a SCADA system demonstrated the DBRMS’s ability to adapt to changing input data and generate automated, effective response strategies.
4. Methodology
Our methodology (Figure 1) comprises four modules designed to provide a dynamic and proactive approach to cybersecurity risk assessment. The first module is responsible for collecting all necessary data from publicly accepted, open-source cybersecurity-related repositories. It begins by detecting all vulnerabilities (CVEs) within the target environment. Using this data, it collects additional information, such as the CVSS 3.x exploitability and impact subscores, which are then normalized to the 0–1 range. Other critical data sources include EPSS scores, CWE and CAPEC records, and confirmation of whether the identified CVEs are listed in the CISA KEV Catalog.
The second module focuses on the generation of risk scenarios by integrating the identified CVEs, the target network topology, and the attacker’s perspective. This module primarily considers the number of vulnerabilities identified on a single asset and the potential pathways an attacker could exploit to reach an asset. Specifically, for assets with multiple vulnerabilities, individual risk scenarios are generated for each detected vulnerability. Furthermore, if an attacker can access an asset through multiple distinct pathways within the network, the methodology produces separate risk scenarios for each pathway.
The third module constitutes the core of the methodology. This module integrates the normalized exploitability scores from the first module with the identified risk scenarios using a Fuzzy Cognitive Map (FCM) model to generate dynamic vulnerability severity values for each risk scenario. Additionally, a Bayesian network (BN) model incorporates EPSS scores and the identified risk scenarios to provide dynamic and proactive threat assessments for each scenario. The dynamic and proactive risk calculator combines the outputs of the FCM (dynamic vulnerability severity values) and the BN (dynamic and proactive threat scores) with the normalized impact to generate dynamic and proactive risk estimates for each risk scenario.
After estimating the dynamic and proactive risk, the fourth module provides additional insights for each identified CVE. These include whether the vulnerability is listed in the CISA KEV Catalog and mitigation recommendations drawn from the CAPEC framework, offering actionable guidance to reduce the estimated risk for each scenario.
4.1. Information Collection
The primary objective of the first module is to detect vulnerabilities and use the identified CVEs to collect all necessary data. Following the identification of CVEs, our model queries the NVD API to retrieve the CVSS 3.x metrics, retaining only the exploitability and impact subscores. These subscores are then normalized to enable their integration into the third module of our methodology.
Additionally, the same API is used to retrieve the associated CWE-ID(s) for each detected CVE. Each CWE-ID is subsequently used to identify related CAPEC entries by searching the CAPEC v3.9 XML file for attack patterns that list that CWE among their related weaknesses. This establishes a pathway from each identified CVE to the CAPEC framework via CWE, and the matched CAPEC entries are then used to provide mitigation recommendations for each identified CVE.
Furthermore, the proposed methodology queries the CISA KEV Catalog, which is published as a machine-readable JSON feed, with the detected CVEs to determine whether they are listed. This also reveals whether a clear remediation action, such as the availability of a patch, has been specified for the identified vulnerabilities. This information is presented to the user along with the corresponding mitigation recommendations. Finally, the EPSS API is used to retrieve EPSS scores for each detected CVE. These scores are subsequently integrated into the Bayesian network within the third module.
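The collection step described above, as an added example that is not part of the paper or its implementation: a Python module that parses the four feeds offline from constructed samples mimicking the NVD 2.0 API, FIRST EPSS API, CISA KEV JSON and CAPEC XML layouts (the layouts and the hypothetical CVE-2000-99999 entry are assumptions of this example), normalizes the CVSS 3.x subscores by their rounded maxima, walks CVE to CWE to CAPEC, and returns None rather than 0 where a CVE has no CVSS 3.x metrics or no EPSS record, the situation Section 2 describes for older NVD entries.

```python
import xml.etree.ElementTree as ET

MAX_EXPLOITABILITY = 3.9  # CVSS 3.x exploitability subscore ceiling (rounded)
MAX_IMPACT = 6.0          # CVSS 3.x impact subscore ceiling (rounded)
CAPEC_NS = {"c": "http://capec.mitre.org/capec-3"}

# Constructed samples mimicking the NVD 2.0 API, FIRST EPSS API, CISA KEV JSON
# and CAPEC XML layouts. The layouts are an assumption of this example; the
# second NVD entry is a hypothetical CVE scored under CVSS 2.0 only.
NVD_SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-2019-11510",
             "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                            "exploitabilityScore": 3.9, "impactScore": 5.9}]},
             "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                             "description": [{"lang": "en", "value": "CWE-22"}]}]}},
    {"cve": {"id": "CVE-2000-99999",
             "metrics": {"cvssMetricV2": [{"exploitabilityScore": 10.0, "impactScore": 6.4}]},
             "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                             "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}},
]}
EPSS_SAMPLE = {"data": [{"cve": "CVE-2019-11510", "epss": "0.97", "percentile": "0.99"}]}
KEV_SAMPLE = {"vulnerabilities": [{"cveID": "CVE-2019-11510", "vendorProject": "Pulse Secure",
                                   "requiredAction": "Apply updates per vendor instructions."}]}
CAPEC_SAMPLE = """<Attack_Pattern_Catalog xmlns="http://capec.mitre.org/capec-3">
<Attack_Patterns>
 <Attack_Pattern ID="126" Name="Path Traversal">
  <Related_Weaknesses><Related_Weakness CWE_ID="22"/></Related_Weaknesses>
  <Mitigations><Mitigation>Validate user input against an allow-list of paths.</Mitigation>
  <Mitigation>Run the service with the least privileges needed.</Mitigation></Mitigations>
 </Attack_Pattern>
 <Attack_Pattern ID="1" Name="Unrelated Pattern">
  <Related_Weaknesses><Related_Weakness CWE_ID="276"/></Related_Weaknesses>
 </Attack_Pattern>
</Attack_Patterns></Attack_Pattern_Catalog>"""


def _cve_record(nvd_json, cve_id):
    for item in nvd_json["vulnerabilities"]:
        if item["cve"]["id"] == cve_id:
            return item["cve"]
    raise KeyError(f"{cve_id} not present in NVD response")


def cvss3_subscores(nvd_json, cve_id):
    """(exploitability, impact) normalized to 0-1, preferring the NVD 'Primary'
    CVSS 3.1 entry; None when the CVE carries no CVSS 3.x metrics at all."""
    metrics = _cve_record(nvd_json, cve_id).get("metrics", {})
    entries = metrics.get("cvssMetricV31") or metrics.get("cvssMetricV30") or []
    if not entries:
        return None
    chosen = next((m for m in entries if m.get("type") == "Primary"), entries[0])
    return (min(chosen["exploitabilityScore"] / MAX_EXPLOITABILITY, 1.0),
            min(chosen["impactScore"] / MAX_IMPACT, 1.0))


def cwe_ids(nvd_json, cve_id):
    """Real CWE-IDs only: NVD placeholders such as NVD-CWE-noinfo have no CAPEC mapping."""
    record = _cve_record(nvd_json, cve_id)
    return sorted({d["value"] for w in record.get("weaknesses", [])
                   for d in w["description"] if d["value"].startswith("CWE-")})


def capec_for_cwe(capec_xml, cwe_id):
    """CAPEC entries whose Related_Weaknesses list the given CWE, with their mitigations."""
    number = cwe_id.split("-", 1)[1]
    hits = {}
    for ap in ET.fromstring(capec_xml).iterfind(".//c:Attack_Pattern", CAPEC_NS):
        related = {rw.get("CWE_ID") for rw in
                   ap.iterfind("c:Related_Weaknesses/c:Related_Weakness", CAPEC_NS)}
        if number in related:
            hits["CAPEC-" + ap.get("ID")] = {
                "name": ap.get("Name"),
                "mitigations": ["".join(m.itertext()).strip() for m in
                                ap.iterfind("c:Mitigations/c:Mitigation", CAPEC_NS)]}
    return hits


def epss_score(epss_json, cve_id):
    """EPSS returns the probability as a string; unknown CVEs yield None, not 0."""
    row = next((r for r in epss_json["data"] if r["cve"] == cve_id), None)
    return None if row is None else float(row["epss"])


def kev_entry(kev_json, cve_id):
    return next((v for v in kev_json["vulnerabilities"] if v["cveID"] == cve_id), None)


def collect(cve_id, nvd=NVD_SAMPLE, epss=EPSS_SAMPLE, kev=KEV_SAMPLE, capec=CAPEC_SAMPLE):
    """Everything module 1 hands to modules 3 and 4 for one CVE."""
    sub = cvss3_subscores(nvd, cve_id)
    cwes = cwe_ids(nvd, cve_id)
    capecs = {}
    for cwe in cwes:
        capecs.update(capec_for_cwe(capec, cwe))
    return {"cve": cve_id,
            "exploitability": None if sub is None else sub[0],
            "impact": None if sub is None else sub[1],
            "epss": epss_score(epss, cve_id),
            "cwe": cwes, "capec": capecs, "kev": kev_entry(kev, cve_id)}
```

Two caveats the code keeps visible: NVD placeholders such as NVD-CWE-noinfo are not CWE-IDs and yield no CAPEC mapping, and a missing EPSS or CVSS 3.x value is surfaced as None so that a downstream multiplication cannot silently turn an unscored vulnerability into zero risk.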
4.2. Risk Scenarios Creation
The second module is responsible for creating all possible risk scenarios, taking into account the identified vulnerabilities, the target network topology, and the potential movement of attackers within it. In more detail, while our previous work [30] demonstrated the capability to adjust CVSS metrics based on environment-specific factors and to consolidate multiple vulnerabilities within a single asset into a unified vulnerability value, this study adopts a different approach. Specifically, we generate multiple risk scenarios for assets with multiple CVEs, retaining the original (normalized) exploitability score of each CVE.
Figure 2 provides a schematic representation of the risk scenario creation process. In this example, the network configuration consists of Asset A connected to Asset B. Asset A is associated with two CVEs, CVE-A1 and CVE-A2, while Asset B is associated with CVE-B. This configuration results in two distinct risk scenarios (paths), CVE-A1 to CVE-B and CVE-A2 to CVE-B, assuming that exploiting either CVE-A1 or CVE-A2 enables the subsequent exploitation of CVE-B. It is important to note that each CVE is associated with its own unique threat that can exploit it. Consequently, our methodology creates a vulnerability–threat pairing for each identified CVE.
Additionally, the model incorporates the network topology and the potential movements of attackers within it. When an attacker can reach an asset through multiple distinct pathways (sequences of assets), our methodology generates a separate risk scenario for each pathway. For example, Figure 3 illustrates the creation of risk scenarios in this case: two distinct assets, Asset A or Asset B, can be exploited by an attacker to reach Asset C. This configuration results in two distinct risk scenarios: Asset A to Asset C and Asset B to Asset C.
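The scenario enumeration described above, as an added example and not the authors’ code: assets form a directed adjacency map, each asset carries a list of CVE-IDs, and the function returns one scenario per loop-free path from an entry point to the target and per choice of exactly one CVE on every vulnerable asset along that path. Treating assets without CVEs, such as the router of the Section 5 case study, as transparent hops is an assumption of this example. The Figure 2, Figure 3 and case-study topologies are reproduced as inputs.

```python
from itertools import product


def simple_paths(topology, source, target):
    """All loop-free asset paths from source to target in a directed adjacency map."""
    found = []

    def walk(node, trail):
        if node == target:
            found.append(trail)
            return
        for nxt in topology.get(node, ()):
            if nxt not in trail:            # never revisit an asset on the same path
                walk(nxt, trail + [nxt])

    walk(source, [source])
    return found


def risk_scenarios(topology, cves_by_asset, entry_points, target):
    """One scenario per (asset path, choice of exactly one CVE on every vulnerable
    asset along it). Assets without CVEs (e.g. a router that only forwards) are
    assumed here to be transparent hops that add no vulnerability-threat pair."""
    scenarios = []
    for entry in entry_points:
        for path in simple_paths(topology, entry, target):
            hops = [[(asset, cve) for cve in cves_by_asset[asset]]
                    for asset in path if cves_by_asset.get(asset)]
            if hops:                        # a path with no vulnerable asset is no scenario
                scenarios.extend(list(combo) for combo in product(*hops))
    return scenarios


# Figure 2: one link, two CVEs on the first asset -> two scenarios.
FIG2 = risk_scenarios({"A": ["B"]}, {"A": ["CVE-A1", "CVE-A2"], "B": ["CVE-B"]}, ["A"], "B")
# Figure 3: two alternative entry assets leading to C -> two scenarios.
FIG3 = risk_scenarios({"A": ["C"], "B": ["C"]},
                      {"A": ["CVE-A"], "B": ["CVE-B"], "C": ["CVE-C"]}, ["A", "B"], "C")
# Section 5 case study (router carries no CVE): 2 entries x 2 WS CVEs x 1 DB CVE = 4.
CASE_TOPOLOGY = {"VPN": ["Router"], "WebS": ["Router"], "Router": ["WS"], "WS": ["DB"]}
CASE_CVES = {"VPN": ["CVE-2019-11510"], "WebS": ["CVE-2019-0211"],
             "WS": ["CVE-2017-0143", "CVE-2017-8692"], "DB": ["CVE-2021-41773"]}
CASE = risk_scenarios(CASE_TOPOLOGY, CASE_CVES, ["VPN", "WebS"], "DB")
```

Because every scenario fixes one CVE per asset and one route, no asset in a scenario ever has two alternative ways of being reached, which is what lets the Bayesian network of Section 4.3.2 use AND gates only.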
4.3. Dynamic Risk Assessment
The third module of our methodology serves as the core component, as it is responsible for generating dynamic and proactive risk assessments for each risk scenario; the mitigation suggestions of the fourth module are attached to its output. This module consists of two primary analytical components, the dynamic vulnerability severity calculator and the dynamic and proactive threat assessment, complemented by the impact scale and the dynamic risk calculator that combines the three.
4.3.1. Dynamic Vulnerability Severity Calculator
One of the core components of our methodology is the dynamic vulnerability severity calculator. At its heart lies the Fuzzy Cognitive Map (FCM), a tool widely used for analyzing complex systems governed by causality. FCMs have been extensively applied across domains such as modeling, decision-making, analysis, prediction [31], and cybersecurity [32]. They offer a robust framework for representing relationships among various factors within a system.
In our methodology, FCMs are employed to model dependencies among vulnerabilities within each risk scenario, specifically evaluating how the vulnerability values of one asset influence those of another. This application incorporates several key characteristics of FCMs, which have been adapted to meet the requirements of our methodology. These characteristics are outlined as follows:
Signed Causality: In our model, signed causality captures the directional sequence of potential attacker movements, illustrating how an attacker might transition between assets by exploiting vulnerabilities. This analysis is based on the identification of all possible risk scenarios, which encompass detected vulnerabilities, the network topology, and the attacker’s perspective.
Weights of Relationships: The weights correspond to normalized exploitability scores derived from CVSS metrics (module 1). For each detected CVE, the CVSS 3.x framework is used to extract the exploitability subscore, which is then normalized to a scale of 0–1 for compatibility with the FCM model (given the maximum original exploitability score of 3.9).
Equilibrium Point: The equilibrium point provides dynamic vulnerability severity values for all assets within the examined risk scenario, representing the system’s stabilized state and offering a comprehensive assessment of vulnerability severity.
4.3.2. Dynamic and Proactive Threats Assessment
The second core component of our model is the Bayesian network, which plays a critical role in generating proactive and dynamic threat assessments by incorporating the EPSS scores along with the identified risk scenarios. Given that EPSS values are inherently scaled between 0 and 1, reflecting the probabilistic nature of the EPSS model, no additional normalization is required before integrating them into the Bayesian network. Furthermore, as the EPSS model provides exploitation likelihood estimates for the upcoming 30 days, these scores inherently support proactive threat assessment.
A Bayesian network is defined by a structure and a set of parameters: the structure is a Directed Acyclic Graph (DAG) with V as the nodes and E as the directed edges, and the parameters P are the probability distributions of V [17], typically expressed through Conditional Probability Tables (CPTs). In our model, the Bayesian network structure incorporates two types of nodes: (1) threat nodes (T nodes), which represent potential threats exploiting CVEs linked to assets, and (2) asset nodes (A nodes), which denote the assets that attackers may target using the associated threats.
The construction of the Bayesian network is facilitated by our second module, which is responsible for generating distinct risk scenarios based on the detected vulnerabilities, the target’s network topology, and the potential movements of the attacker within it. These risk scenarios are incorporated separately into the Bayesian network, facilitating the generation of dynamic and proactive threat scores for each identified CVE across all risk scenarios.
Once the structure is defined, the CPT parameters are established. The CPTs for T nodes are populated using the EPSS scores retrieved for each identified CVE. Two states are defined to represent the likelihood of an exploitation during an attack: S0 (non-attack) and S1 (attack). These states correspond to the relative probabilities of exploitation or non-exploitation. For example, a threat with an EPSS score of 0.8 is interpreted as having a 20% probability of being in the S0 state (non-attack) and an 80% probability of being in the S1 state (attack). The A nodes are determined by analyzing the network topology and attacker movement in conjunction with the T nodes for each risk scenario.
Our model leverages the logic gates proposed by Poolsappasit et al. [25] to compute the conditional probability distribution for each node within the Bayesian network. This framework employs two types of gates, “AND” and “OR”, to address cybersecurity-related events. The “AND” gate is used when all associated cybersecurity events must occur for a security incident to materialize, whereas the “OR” gate is applied when a single event is sufficient to trigger an incident.
Since our methodology generates a separate risk scenario whenever an asset possesses multiple vulnerabilities exploitable by different threats, or whenever an attacker can reach an asset via multiple distinct pathways, the “OR” gate is never needed: within a single scenario every asset has exactly one threat and at most one upstream asset, so the CPTs of the Bayesian network rely exclusively on the “AND” gate.
4.3.3. Impact Scale
For the estimation of impact, we utilize the impact subscore provided by the NVD under the CVSS 3.x framework. This subscore is derived from the confidentiality, integrity, and availability impact metrics of each CVE, together with the Scope metric, and ranges between 0 and 6.0 (the rounded maximum, reached only when Scope is Changed).
Our model normalizes this subscore by dividing it by 6, yielding a single impact value for each CVE that ranges from 0 to 1 and thus aligns with the scale of the dynamic vulnerability severity values and the dynamic and proactive threat scores. This normalization ensures that impact is weighted proportionally and uniformly with the other two factors in the dynamic risk calculation formula, maintaining consistency across all risk metrics.
4.3.4. Dynamic Risk Calculator
By integrating dynamic vulnerability severity values, dynamic and proactive threat scores, and impact values into Equation (2), the resulting dynamic risk estimates are scaled within the range of 0 to 1. This range results from the uniform scaling of all individual risk metrics (vulnerability, threat, and impact) to the 0–1 range and their combination through multiplication, as defined in the dynamic risk assessment formula:

$$\mathrm{DRA} = \mathrm{DVSV} \times \mathrm{DPTS} \times I \qquad (2)$$

In this formula, DRA represents the dynamic risk assessment estimation, DVSV the dynamic vulnerability severity value, DPTS the dynamic and proactive threat score, and I the impact value. By combining a dynamic vulnerability severity value with a dynamic and proactive threat score along with the impact, the model produces dynamic and proactive risk estimates. This process is systematically repeated for each risk scenario identified by the methodology. Each scenario represents a distinct combination of dynamic vulnerability severity values, dynamic and proactive threat scores, and impact values, ensuring a comprehensive risk analysis for every identified risk scenario.
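The AND-gated Bayesian network of Section 4.3.2 and the risk calculation of this section, as one added example that is not the authors’ code: the CPT of an AND gate is enumerated explicitly and marginalized over the parent probabilities, threat nodes take their EPSS score as P(S1), each asset node has its own threat node plus the upstream asset node as parents (the entry asset has only its threat node, an assumption of this example), and the resulting per-hop DPTS is multiplied by the DVSV and the normalized impact. The EPSS, DVSV and impact values below are constructed illustrative inputs, not the paper’s results.

```python
from itertools import product


def and_gate_cpt(n_parents):
    """CPT of an AND-gated node: P(S1 | parents) is 1 only when every parent is S1."""
    return {combo: 1.0 if all(combo) else 0.0 for combo in product((0, 1), repeat=n_parents)}


def marginal_s1(cpt, parent_probs):
    """P(node = S1) by summing the CPT over every combination of parent states."""
    total = 0.0
    for combo, p_s1 in cpt.items():
        weight = 1.0
        for state, p in zip(combo, parent_probs):
            weight *= p if state else 1.0 - p
        total += weight * p_s1
    return total


def threat_scores(scenario, epss):
    """DPTS per hop of one risk scenario (ordered [(asset, cve), ...]).
    T nodes: P(S1) = EPSS. A nodes: AND gate over the asset's own threat node and
    the upstream asset node; the first asset has the threat node only (assumption:
    the attacker's entry position is given)."""
    scores = []
    upstream = None
    for asset, cve in scenario:
        parents = [epss[cve]] + ([upstream] if upstream is not None else [])
        p_asset = marginal_s1(and_gate_cpt(len(parents)), parents)
        scores.append((asset, cve, p_asset))
        upstream = p_asset
    return scores


def dynamic_risk(dvsv, dpts, impact):
    """Equation (2): DRA = DVSV x DPTS x I, all three factors already on 0-1."""
    for v in (dvsv, dpts, impact):
        if not 0.0 <= v <= 1.0:
            raise ValueError("inputs must be normalized to 0-1 before combining")
    return dvsv * dpts * impact


def scenario_risk(scenario, epss, dvsv, impact):
    """Per-hop DRA for one scenario; dvsv is keyed by asset, impact by CVE."""
    return [(asset, cve, dynamic_risk(dvsv[asset], p, impact[cve]))
            for asset, cve, p in threat_scores(scenario, epss)]


# Constructed illustrative inputs for the chain VPN -> WS -> DB.
SCENARIO = [("VPN", "CVE-2019-11510"), ("WS", "CVE-2017-0143"), ("DB", "CVE-2021-41773")]
EPSS = {"CVE-2019-11510": 0.97, "CVE-2017-0143": 0.5, "CVE-2021-41773": 0.3}
DVSV = {"VPN": 0.66, "WS": 0.80, "DB": 0.85}
IMPACT = {"CVE-2019-11510": 5.9 / 6, "CVE-2017-0143": 5.9 / 6, "CVE-2021-41773": 5.9 / 6}
```

Because every hop’s asset node is an AND over its threat and the upstream asset, the DPTS of the last hop collapses to the product of the EPSS scores along the path; the explicit CPT enumeration is kept so that the same marginalization would still be correct if a node were later given a non-deterministic CPT.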
4.4. Mitigation Suggestion
After the successful estimation of DRA, our methodology determines whether the identified vulnerabilities (CVEs) are listed in the CISA KEV Catalog. This process provides two critical insights. First, it confirms that the specified vulnerability has been previously exploited, highlighting a credible risk of exploitation within the environment where it is detected. Second, it identifies whether a patch is available to mitigate the vulnerability or whether the affected asset has reached end-of-life status, in which case it should be removed from the network. Armed with this information, organizations can take immediate and informed actions, such as applying patches, to address these vulnerabilities effectively and reduce their exposure to potential threats.
Additionally, our model correlates CVE-IDs with CAPEC-IDs through CWE-IDs, offering detailed mitigation suggestions for each identified CVE. The CAPEC framework provides specific mitigation actions that can be implemented to reduce the assessed risk. By correlating each CVE with its corresponding CAPEC, our model delivers tailored, vulnerability-specific guidance to inform actionable risk reduction strategies.
It is acknowledged that each organization operates in a unique environment, and not all CAPEC-recommended actions may be applicable. However, by presenting the full range of potential mitigation actions, the methodology equips organizations with comprehensive information to evaluate and implement measures suited to their context.
All provided information—including whether a vulnerability is listed in the CISA KEV Catalog and the associated mitigation suggestions—is specific to each CVE and tailored to every risk scenario. As a result, organizations gain detailed, scenario-specific guidance to address and mitigate the risks associated with each vulnerability.
5. Case Study
Although the scenario used for demonstration purposes is fictional, it aims to represent a realistic environment of a small business, which includes a Virtual Private Network (VPN) for secure remote access, a public-facing website, a back-end database for storing customer data, product inventory, and transactions, as well as workstations (Figure 4). The vulnerabilities selected for this case study correspond to real CVEs that have been identified in similar components. In the proposed scenario, the VPN is vulnerable to CVE-2019-11510, which allows an unauthenticated remote attacker to exploit a specially crafted URI, enabling unauthorized file access that can be leveraged for authentication bypass. The Web Server (WebS) is affected by CVE-2019-0211, which could allow attackers to execute arbitrary code. Additionally, the Workstation (WS) is susceptible to CVE-2017-0143 and CVE-2017-8692, both of which facilitate remote code execution. Finally, the database (DB) is vulnerable to CVE-2021-41773, which could also lead to remote code execution. The network topology of this case study assumes that the VPN and WebS are accessible externally and both communicate with the router, which connects to the WS; subsequently, the WS communicates with the DB.
5.1. Information Collection
Our methodology begins by identifying vulnerabilities (CVEs) for each asset within the target environment. This identification process can be conducted either by using a vulnerability scanner, such as Nessus [33], or by utilizing the NVD API in conjunction with the Common Platform Enumeration (CPE) identifiers of the assets present in the environment. Following the identification of CVEs, relevant CVSS metrics (exploitability and impact subscores) are retrieved and subsequently normalized on a scale of 0–1.
Table 1 provides a comprehensive summary of all CVEs utilized in this case study, including their original CVSS scores, exploitability (sub)scores, and the final vulnerability values (after normalization).
Next, we again utilize the CVSS 3.x framework for the detected CVEs, with a particular emphasis on the impact subscore.
Table 2 provides a summary of all CVEs considered in this case study, including their original CVSS scores, impact (sub)scores, and final impact values.
Furthermore, based on the detected CVEs we retrieve the relative EPSS scores.
Table 3 presents the EPSS scores for each identified CVE in the case study.
Finally, based on the identified CVEs, we retrieve relevant information regarding whether these CVEs are listed in the CISA KEV Catalog, as well as their corresponding CWEs and CAPECs.
Table 4 presents the relevant information.
5.2. Risk Scenarios Creation
In all scenarios, it is assumed that the attackers’ ultimate goal is to reach and exploit the vulnerability located in the database. Consequently, all possible attacker movements are directed toward achieving this objective. Given that the scenario involves an asset (Workstation-WS) associated with two CVEs, two distinct risk scenarios are generated for these CVEs. Additionally, both the VPN and the Web Server act as potential entry points from the attacker’s perspective, leading to the generation of two distinct risk scenarios. Therefore, a total of four distinct risk scenarios are identified for this case study. For simplicity, CVE-2017-0143 is mapped to WS1, and CVE-2017-8692 is mapped to WS2. Every risk scenario represents a possible pathway for an attacker to traverse the target environment to reach the database. The resulting risk scenarios (RS) are listed below, with each scenario representing a unique potential attack path (RS1 and RS2 follow from the two entry points and the two WS mappings described above):
RS1: VPN—WS1—DB
RS2: VPN—WS2—DB
RS3: WebS—WS1—DB
RS4: WebS—WS2—DB
5.3. Dynamic Risk Assessment
After the successful retrieval of information and the creation of risk scenarios, our methodology proceeds with the dynamic risk assessment estimation by integrating dynamic vulnerability severity values, dynamic and proactive threats assessments, and impact values.
5.3.1. Dynamic Vulnerability Severity Calculator
This component is tasked with calculating the dynamic vulnerability severity values using the retrieved and normalized exploitability scores (module 1) and the identified risk scenarios (module 2). Since four distinct risk scenarios are identified, a separate FCM model must be developed for each, resulting in four distinct FCM models, each corresponding to one of the described scenarios. The respective FCM models are presented in Figure 5.
The FCM models are constructed using the widely recognized open-source software FCM Expert [34]. For demonstration purposes, the results obtained using FCM Expert for risk scenario 1 are presented in Figure 6.
Table 5 summarizes the dynamic vulnerability severity values for each asset across all risk scenarios, rounded to three decimal places. All FCM models are developed based on
Kosko’s standard activation rule [
5.3.2. Dynamic and Proactive Threats Assessment
This component is responsible for calculating the dynamic and proactive threat scores, based on the retrieved EPSS scores (module 1) and the identified risk scenarios (module 2). Given that four distinct scenarios are identified for this case study, four distinct Bayesian networks are created, one per risk scenario listed in Section 5.2, each utilizing the “AND” logic gate to generate the CPTs.
The Bayesian network for each risk scenario is constructed using the GeNIe Modeler software [36], a reliable tool for developing Bayesian networks that is freely available for academic use.
Risk Scenario 1
This section focuses on the construction of the Bayesian network for the first risk scenario. Figure 7 presents the schematic representation of the BN model, where threats are represented by circular shapes and assets by rectangular shapes.
Table 6 presents the CPT for the VPN, Table 7 the CPT for the WS (WS1) asset, specifically addressing threat T3, and Table 8 the CPT for the DB.
For demonstration purposes, Figure 8 presents the schematic representation and results obtained using the GeNIe Modeler for risk scenario 1.
Table 9 summarizes the output of the threat assessment model, specifically detailing the dynamic and proactive threat scores for each asset involved in risk scenario 1.
Risk Scenario 2
The same process described above is followed for the construction of risk scenario 2, this time considering the alternate threat, T4, for WS (WS2) instead of T3. Accordingly, the CPT tables for VPN and DB remain unchanged. However, a new CPT table is created for WS, corresponding to threat T4.
Table 10 presents the updated CPT values, taking into consideration threat T4.
Table 11 presents the new threat scores, resulting from the replacement of T3 with T4.
Risk Scenario 3
In this scenario, the attacker uses the CVE detected on the Web Server (T2) as the entry point. Therefore, we need to create the corresponding CPT table for the Web Server asset.
Table 12 presents the relevant CPT table. The CPTs for WS1 and DB remain the same as those used in risk scenario 1.
Table 13 presents the results obtained from this scenario.
Risk Scenario 4
In the final scenario, the attacker again uses the CVE detected in the Web Server as the entry point. However, instead of exploiting T3, the attacker utilizes T4 (WS2). For this scenario, the CPT for WebS remains the same as before, while the CPT for WS is the same as that used in risk scenario 2, and the CPT for DB remains unchanged. Based on these CPT tables, we only need to integrate them into our BN model to generate updated threat scores, which are presented in Table 14.
Table 15 presents the results from all scenarios, highlighting the proactive and dynamic threat assessments for each asset across these scenarios.
5.4. Dynamic Risk Calculator and Mitigations
The dynamic risk estimation process begins by combining the dynamic vulnerability severity values, dynamic and proactive threat scores, and impact scores to generate dynamic and proactive risk estimates, which are scaled from 0 to 1. This calculation is performed for each CVE across all scenarios using Equation (2). In addition, this module provides information regarding possible mitigation actions. In cases where no direct connection exists between a CVE and a CWE, mitigation suggestions cannot be provided, as it becomes impossible to identify relevant CAPEC-IDs. Similarly, this limitation applies when there is no connection between a detected CWE and the corresponding CAPECs.
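Added example (not the paper's or the authors' code): a minimal, offline sketch of the risk calculator and mitigation-suggestion module described in Sections 4.4 and 5.4, which computes DRA as the product of DVSV, DPTS and I and walks the CVE→CWE→CAPEC chain together with a CISA KEV check. The live NVD, KEV and CAPEC lookups are replaced by constructed tables; the CWE-22 CAPEC list and the CWE-416 gap come from the case study, while the WS1/WS2 CWE identifiers, the VPN threat score and all impact values are placeholders.

```python
from dataclasses import dataclass

# Constructed CVE -> CWE table. CWE-22 (VPN, DB) and CWE-416 (WebS) are the
# mappings the case study reports; the WS1/WS2 CWE identifiers are placeholders
# because the paper does not print them.
CVE_TO_CWE = {
    "CVE-2019-11510": ["CWE-22"],              # VPN
    "CVE-2021-41773": ["CWE-22"],              # DB
    "CVE-2019-0211": ["CWE-416"],              # WebS
    "CVE-2017-0143": ["CWE-WS1-PLACEHOLDER"],  # WS1, placeholder CWE
    "CVE-2017-8692": ["CWE-WS2-PLACEHOLDER"],  # WS2, placeholder CWE
}

# Constructed CWE -> CAPEC table. CWE-22 carries the five CAPECs of scenario 1
# and CWE-416 carries none, as the case study states; the WS2 entry repeats the
# CAPEC-IDs the paper prints for CVE-2017-8692.
CWE_TO_CAPEC = {
    "CWE-22": ["CAPEC-126", "CAPEC-64", "CAPEC-76", "CAPEC-78", "CAPEC-79"],
    "CWE-416": [],
    "CWE-WS1-PLACEHOLDER": ["CAPEC-WS1-PLACEHOLDER"],
    "CWE-WS2-PLACEHOLDER": ["CAPEC-10", "CAPEC-123", "CAPEC-14", "CAPEC-24",
                            "CAPEC-42", "CAPEC-44", "CAPEC-45", "CAPEC-46",
                            "CAPEC-47", "CAPEC-8", "CAPEC-9"],
}

# Constructed KEV membership: four of the five case-study CVEs, as reported.
KEV_LISTED = {"CVE-2019-11510", "CVE-2019-0211", "CVE-2017-0143", "CVE-2021-41773"}


@dataclass
class AssetRisk:
    asset: str
    cve: str
    dvsv: float    # dynamic vulnerability severity value (FCM output), 0-1
    dpts: float    # dynamic and proactive threat score (BN output), 0-1
    impact: float  # normalized CVSS impact subscore, 0-1


def dynamic_risk(dvsv, dpts, impact):
    """Equation (2): DRA = DVSV * DPTS * I. Every factor must already be 0-1."""
    for name, value in (("DVSV", dvsv), ("DPTS", dpts), ("I", impact)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}={value} is outside the 0-1 range")
    return round(dvsv * dpts * impact, 3)


def capecs_for_cve(cve):
    """Return (capec_ids, reason). reason is None when the chain completed,
    otherwise it names which link (CVE->CWE or CWE->CAPEC) is missing."""
    cwes = CVE_TO_CWE.get(cve, [])
    if not cwes:
        return [], "no CWE linked to CVE"
    capecs = sorted({c for w in cwes for c in CWE_TO_CAPEC.get(w, [])})
    if not capecs:
        return [], "no CAPEC linked to " + ", ".join(cwes)
    return capecs, None


def kev_status(cve):
    # KEV inclusion means the CVE is known to be exploited and CISA lists a
    # remediation action (patch, or removal of an end-of-life product).
    if cve in KEV_LISTED:
        return "listed in CISA KEV (remediation guidance available)"
    return "not listed in CISA KEV"


def assess_scenario(name, assets):
    """Per-asset DRA plus mitigation information, and the scenario average."""
    rows = []
    for a in assets:
        capecs, reason = capecs_for_cve(a.cve)
        rows.append({
            "asset": a.asset,
            "cve": a.cve,
            "dra": dynamic_risk(a.dvsv, a.dpts, a.impact),
            "kev": kev_status(a.cve),
            "capecs": capecs,
            "note": reason,
        })
    average = round(sum(r["dra"] for r in rows) / len(rows), 3)
    return {"scenario": name, "assets": rows, "average_dra": average}


if __name__ == "__main__":
    # Constructed illustration of RS1 (VPN - WS1 - DB). The DVSV values and the
    # WS1/DB threat scores are the ones the paper quotes for scenario 1; the VPN
    # threat score and the impact values are placeholders (see Tables 2, 5, 15).
    rs1 = assess_scenario("RS1", [
        AssetRisk("VPN", "CVE-2019-11510", 0.622, 0.95, 0.60),
        AssetRisk("WS1", "CVE-2017-0143", 0.610, 0.885, 0.60),
        AssetRisk("DB", "CVE-2021-41773", 0.648, 0.838, 0.60),
    ])
    for r in rs1["assets"]:
        print(f'{r["asset"]:4} {r["cve"]:15} DRA={r["dra"]:.3f} | {r["kev"]} | '
              f'{", ".join(r["capecs"]) or "no suggestion: " + r["note"]}')
    print("average DRA:", rs1["average_dra"])
```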
5.4.1. Risk Scenario 1
This section presents the dynamic risk estimations and the proposed mitigation suggestions, focusing on risk scenario 1, as shown in Table 16. Specifically, DVSV represents the dynamic vulnerability severity value, which is the outcome of the FCM model; DPTS represents the dynamic and proactive threat score, which is the output of the Bayesian network; and DRA represents the dynamic risk assessment for the given asset (CVE).
Following the successful dynamic risk estimations, the next step involves identifying and proposing relevant mitigation actions for the specific risk scenario. To achieve this, we utilize the information retrieved in module 1, pertaining to mitigation suggestions.
Table 17 presents these results.
A total of five CAPECs corresponding to the detected CVEs have been identified. Additionally, it has been observed that all CVEs detected in this scenario are listed in the CISA KEV Catalog. This indicates that these vulnerabilities have been exploited in real-world scenarios and that clear remediation guidance is available. Although the complete description of the mitigation actions suggested by each CAPEC can be found on the CAPEC website, we provide a summary of the proposed actions for each identified CAPEC-ID.
CAPEC-126: Focus on enforcing least privilege and running programs with constrained privileges. Validate and sanitize all input using an allowlist and strict checks. Use proxy communication to sanitize requests, monitor host integrity, and enforce file access permissions.
CAPEC-64: Treat all input as malicious and validate it using an allowlist. Ensure security checks after decoding, use POST instead of GET for web forms, and validate URLs with tools like URL scan.
CAPEC-76: Apply the principle of least privilege and validate all input to prevent unsafe file system commands. Use non-root accounts or chroot jails, and conduct pen-testing and vulnerability scans to identify weaknesses.
CAPEC-78: Assume all input is malicious and validate it against an allowlist. Prevent unauthorized directory access by applying least privilege and rejecting suspicious data after decoding.
CAPEC-79: Validate and sanitize all input with an allowlist and perform security checks after decoding. Use POST for web forms, reject unsafe data, and ensure file system access adheres to the least privilege principle.
5.4.2. Risk Scenario 2
This section outlines the dynamic risk estimations and proposed mitigation actions, with a focus on risk scenario 2.
Table 18 displays the outputs generated by our methodology for the second risk scenario. In this scenario, while the assets remain unchanged, the attacker exploits a different CVE. Specifically, instead of targeting CVE-2017-0143 (WS1), the attacker exploits CVE-2017-8692 (WS2).
The next step in this process involves determining whether the CVEs associated with the scenario are listed in the CISA KEV Catalog and identifying the corresponding CAPECs to suggest possible mitigations. This information is summarized in Table 19.
CVE-2017-8692 is the first CVE identified in this case study that is not listed in the CISA KEV Catalog, indicating that no patch is currently available. The CAPECs associated with CVE-2019-11510 (VPN) and CVE-2021-41773 (DB) are identical to those in risk scenario 1. Conversely, there are 12 new CAPECs associated with CVE-2017-8692 (WS2). While detailed mitigation actions for each CAPEC are provided on the CAPEC website, we present a summary of the recommended actions for each identified CAPEC-ID.
CAPEC-10: Do not expose environment variables to the user or use untrusted data in them. Use a language or compiler that performs automatic bounds checking and secure functions to prevent buffer overflows. Tools like Sharefuzz can be used to detect vulnerable environment variables.
CAPEC-10: Use a language or compiler with automatic bounds checking. Utilize secure functions and perform boundary checking if dangerous functions are necessary. Compiler mechanisms like StackGuard and ProPolice can help, but are not complete solutions. OS-level preventive functionality should be used as well.
CAPEC-123: Choose a language or compiler that limits buffer manipulation risks, such as Java. For languages like C, use secure functions and perform boundary checking. Tools like StackGuard and ProPolice can assist, and OS-level protections may be applied to prevent issues.
CAPEC-14: Do not install untrusted code from non-authenticated servers. Ensure client software is patched and validated for vulnerabilities before use. Perform input validation and use secure functions. Utilize canary mechanisms and OS-level protections for additional safety.
CAPEC-24: Ensure proper handling of failures in filtering or input validation to prevent malicious input from bypassing. Use a language or compiler with bounds checking, canary mechanisms, and OS-level protections, though these are not complete solutions on their own.
CAPEC-42: Keep third-party vendor patches up to date and disable unnecessary features like 7–8 bit conversion to prevent exploits. Always monitor and patch vulnerabilities in your software.
CAPEC-44: Perform bounds checking on all buffers and enforce the principle of least privilege. Use static code analysis, execute programs in lower-privilege environments, and ensure software is regularly patched to prevent attacks.
CAPEC-45: Be cautious of symbolic link vulnerabilities. Validate symlinks before accessing resources and ensure they are located in protected directories. Perform proper bounds checking and use secure coding practices to avoid buffer overflows.
CAPEC-46: Use languages or compilers that enforce bounds checking and secure APIs. Validate all user inputs and use abstraction libraries to handle risky APIs. OS-level protections and static code analysis can further help mitigate vulnerabilities.
CAPEC-47: Ensure accurate assumptions and visibility of parameter sizes during expansion to avoid buffer issues.
CAPEC-8: Use languages or compilers with automatic bounds checking, and secure functions to prevent buffer overflow. Use canary mechanisms and OS-level functionality as additional protections.
CAPEC-9: Review service implementation thoroughly before release, using code reviews to detect vulnerabilities like buffer overflows. Apply patches and use secure coding practices, but be cautious of zero-day attacks and unnecessary exposure of services.
5.4.3. Risk Scenario 3
This section provides an overview of the dynamic risk estimations and proposed mitigation actions, concentrating on risk scenario 3.
Table 20 illustrates the outputs generated by our model for the third risk scenario. In this case, the attacker leverages the Web Server (WebS) vulnerability CVE-2019-0211 as the entry point, in conjunction with CVE-2017-0143 (WS1).
The next step involves identifying the relevant CAPECs associated with this specific scenario, along with information related to the CISA KEV Catalog.
Table 21 presents the outcomes of this process.
No CAPECs are associated with CWE-416, which correlates with CVE-2019-0211 (Web Server). Consequently, we cannot provide mitigation suggestions for this vulnerability using the CAPEC framework. However, CVE-2019-0211, associated with the Web Server, is listed in the CISA KEV Catalog, indicating that clear remediation guidance is available. Additionally, both the CAPEC-related information and the CISA KEV Catalog data for WS1 and DB have already been analyzed in the previously examined scenarios.
5.4.4. Risk Scenario 4
Finally, we present the results of risk scenario 4. Specifically, Table 22 displays the outputs for this final risk scenario. In this case, the attacker exploits the Web Server (WebS) vulnerability, CVE-2019-0211, in conjunction with CVE-2017-8692 (WS2).
The CAPECs identified in the final scenario have already been analyzed in previous scenarios, as certain CVEs are shared among them. For risk scenario 4, these CAPECs are detailed in Table 23, alongside information about the presence of the associated CVEs in the CISA KEV Catalog, which was also analyzed in the previous risk scenarios.
6. Results
With regard to the dynamic vulnerability severity process, the highest score is observed in the database (0.648) during risk scenario 1. This high value is attributed to the original exploitability score (3.9/3.9) of CVE-2021-41773. It is further influenced by the contributions of WS1 (0.610)—CVE-2017-0143 and the VPN (0.622)—CVE-2019-11510. In contrast, the database assets in the other three scenarios exhibit lower dynamic vulnerability severity values compared to risk scenario 1.
Additionally, the VPN, which serves as the entry point along with the Web Server, exhibits higher initial (pre-execution) and post-execution vulnerability values compared to the Web Server alone. This disparity is attributed to the differing exploitability subscores, with the VPN scoring 3.9/3.9 and the Web Server scoring 1.8/3.9.
Furthermore, WS1 (CVE-2017-0143) shows higher initial (original exploitability score) and post-execution vulnerability severity values than WS2 (CVE-2017-8692). Collectively, these factors render risk scenario 1 the most vulnerable among the four scenarios. Risk scenario 2 ranks as the second most vulnerable, followed by scenarios 3 and 4 in decreasing order of severity. These values are summarized in Table 5. Based on the above findings, it can be concluded that dynamic vulnerability severity values are influenced by the original exploitability scores and by the influence of other vulnerability values, which are, in turn, determined by the network location of the assets.
In the context of dynamic and proactive threat assessments (Table 15), the VPN demonstrates the highest dynamic and proactive threat score among all assets analyzed in this use case. This prominence is attributable to its exceptionally high EPSS score of 0.972, combined with its critical position within the target network topology. Both the VPN and the Web Server serve as potential entry points for attackers. The Web Server also exhibits a high dynamic and proactive threat score, driven by its EPSS score of 0.967. These two assets, the VPN and the Web Server, consistently retain the highest dynamic and proactive threat scores (post-Bayesian adjustment) due to their initially elevated EPSS scores and their strategic locations within the network.
WS1, associated with CVE-2017-0143, has a high original EPSS score, which translates to dynamic and proactive threat scores of 0.885 in risk scenario 1 and 0.877 in scenario 3. Conversely, WS2, linked to CVE-2017-8692, demonstrates significantly lower dynamic and proactive threat scores of 0.074 and 0.073 in risk scenarios 2 and 4, respectively. This disparity stems from the substantial difference in their EPSS scores, with WS1 achieving a score of 0.968 compared to WS2’s 0.28. The dynamic and proactive threat scores of both WS1 and WS2 are lower than their original EPSS scores, reflecting the model’s assumption that an attacker must first compromise either the VPN or the Web Server, depending on the risk scenario, before targeting WS1 or WS2.
The database, associated with CVE-2021-41773 and an initial EPSS score of 0.973, achieves a dynamic and proactive threat score of 0.838 in risk scenario 1. This reduction, approximately 14%, is more significant compared to WS1, which experiences a decrease from 0.968 to 0.885 (around 9%) in the same scenario. The greater reduction for the database is attributable to the additional requirement in scenario 1 that an attacker must first compromise both the VPN and WS1 before exploiting the database.
More specifically, the value of an asset is determined by its position within the network, evaluated from the attacker’s perspective, as well as the threat scores of previously compromised assets. Notably, in scenarios involving WS2, the dynamic threat score of the database drops to nearly zero. These findings underscore that the threat score of an asset is not solely influenced by its initial estimation, such as the EPSS scores, but also by its position within the network topology and the threat scores of interconnected assets.
Risk scenario 1 yields the highest dynamic and proactive threat scores, followed by scenarios 3, 2, and finally 4. The variation in these scores results from the dynamic and proactive threat scores of WS1 compared to WS2. Specifically, when WS1 is involved, the exploitation of the database results in relatively high scores of 0.838 and 0.830. Conversely, when WS2 is involved, the scores are nearly negligible, at 0.070 and 0.069.
Table 24 presents the dynamic and proactive risk estimates for each asset across all the scenarios outlined. In addition, the last column of this table presents the average risk for each scenario.
As observed, the highest risk is associated with the first risk scenario, followed by the third, second, and finally the fourth, which has the lowest risk. Since dynamic risk is a combination of dynamic vulnerability severity values, dynamic and proactive threat assessments, and impact, it is logical that risk scenario 1, with both the highest dynamic vulnerability severity value and the highest dynamic and proactive threat scores, also exhibits the highest dynamic risk.
With regard to mitigation suggestions, the presented case study identified five distinct vulnerabilities (CVEs), four of which are included in the CISA KEV Catalog. Their inclusion indicates the availability of clear remediation actions, such as vendor-provided updates. The only CVE not included in the CISA KEV Catalog is CVE-2017-8692, associated with WS2, for which no patch is available.
Regarding mitigation suggestions from CAPEC, out of the five identified CVEs, three could be correlated with relevant CAPEC entries, enabling our model to provide corresponding mitigation recommendations. Additionally, both CVE-2019-11510, detected on the VPN, and CVE-2021-41773, detected on the database (DB), were correlated with the same CWE (CWE-22). Consequently, the retrieved CAPEC-IDs and the resulting mitigation suggestions for these vulnerabilities are identical. This highlights cases where similar vulnerabilities share common mitigations due to their correlation with the same CAPEC entries.
7. Discussion and Limitations
The proposed model is founded on the detection of vulnerabilities (CVEs) to retrieve and utilize critical data for dynamic risk assessment, establishing a direct relationship between CVEs and risk levels within its framework. Prior research has also leveraged CVEs for risk estimation [38], as they enable the extraction of risk-related data from diverse sources, including the NVD.
An advantage of the proposed model is its adaptability. Although it primarily utilizes the CVSS 3.x framework, it can also be applied to the CVSS 2.0 framework, as many CVEs are still assessed using CVSS 2.0. This is feasible because CVSS 2.0 provides the necessary exploitability and impact metrics required by our model. Since our approach directly employs the original CVSS exploitability and impact metrics without modifying them based on environmental factors—such as adjustments to the Attack Vector metric [30], which varies between versions (CVSS 2.0: Local, Adjacent Network, Network; CVSS 3.x: Physical, Local, Adjacent Network, Network)—the primary adaptation required is in the normalization process to integrate these metrics into the FCM model. For example, to normalize the CVSS 2.0 exploitability score, we divide by 10, as its maximum value is 10, whereas in CVSS 3.x, the maximum exploitability score is 3.9.
Regarding the recently introduced CVSS 4.0 framework, no CVEs are currently assessed using this framework in the NVD. Consequently, we are unable to integrate CVSS 4.0 into our model at this stage. However, given that CVSS 4.0 also provides exploitability and impact metrics, our model could be adapted to accommodate this version in the future once sufficient data becomes available.
Table 25 presents a systematic analysis of key features of all models discussed in Related Work (Section 3). The majority of studies employ ML techniques to dynamically update the threat vector within the risk formula, where risk is defined as the product of threat, vulnerability, and impact. However, two models also dynamically adjust the impact vector [20] within the risk formula. This adjustment is achieved through the application of Markov models. A distinguishing feature of the proposed model is its ability to dynamically update the vulnerability vector within the risk formula using a separate model (FCM), while also providing dynamic updates to the threat vector using the Bayesian network. Consequently, the proposed methodology is the only approach that calculates risk as the product of a dynamic threat vector, a dynamic vulnerability vector, and the impact vector, thereby ensuring truly dynamic and comprehensive risk assessments.
Attack graphs have been extensively utilized in prior research to generate and visualize multiple attack scenarios [39], identify system vulnerabilities and potential exploits [40], predict attacker movements [41], and develop mitigation strategies [42]. In contrast, our approach focuses on the creation of distinct attack paths and their corresponding separate risk scenarios. This enables our model to illustrate how an asset’s risk score varies across different scenarios, providing valuable insights for dynamic and scenario-specific risk assessment.
The majority of analyzed DRA models rely on real-time data or vulnerability-related data (e.g., CVSS) to generate risk assessments, thereby adopting a predominantly reactive approach. In contrast, our model uniquely integrates EPSS data, which provides probabilistic estimations of exploitation likelihoods over the next 30 days. This direct incorporation of predictive data renders our model genuinely proactive, enabling it to deliver forward-looking risk assessments.
Two existing models utilize the CVE–CWE–CAPEC pathway: one for estimating the likelihood of threat occurrence [26] and another for threat modeling [27]. Our approach extends this functionality by offering targeted mitigation suggestions for each detected CVE. The tracing from CVE to CAPEC is a procedure that has been utilized by scholars [44], ensuring qualitatively that the proposed mitigation strategies from CAPEC align with the identified CVEs.
Furthermore, our model is the only one that actively references the CISA KEV Catalog to provide information on the status of detected vulnerabilities. As a result, it offers insights into the availability of clear remediation actions, such as vendor patches, or identifies whether an affected product has reached end-of-life and should be removed from the network. Vulnerability patching has been recognized as an effective method for reducing the attack surface [45] and minimizing risk [46]. In addition, by offering tailored estimates of a vulnerability’s current severity level, our model enhances vulnerability prioritization, facilitating more effective resource allocation [
By integrating proactive capabilities with targeted mitigation recommendations based on CAPEC and CISA KEV Catalog, our approach enables organizations to reduce or mitigate estimated risks before a cyber incident occurs. This empowers organizations to adopt a proactive risk management strategy rather than relying solely on reactive measures. The significance of proactive controls in effective risk management has been emphasized in multiple studies [
With regard to the functionality of providing relative mitigation suggestions, our model is the only one that offers this capability, as no other DRA model includes such a feature. While we classify our work as a dynamic risk assessment model with enhanced functionalities rather than a dynamic risk management model, a comparison with an existing dynamic risk management model [29] highlights a key distinction in the scope of mitigation actions. The dynamic risk management model offers a broader range of mitigation measures, including system reboots, shutdowns, and access control modifications. However, these actions are primarily derived from predefined, organization-specific strategies. On the other hand, our model leverages trusted, cybersecurity-related open sources to inform mitigation actions, providing more informative guidance rather than prescriptive directives.
A key limitation of the proposed model is its inability to perform risk assessments based on real-time attack evidence, as it relies exclusively on EPSS data, which are inherently proactive. Unlike other DRA models that incorporate real-time attack evidence from IDS or other sources, our model focuses on estimating the likelihood of exploitation over the next 30 days, assuming the organization becomes a target of the identified threats.
Another limitation lies in the assumption that every identified vulnerability (CVE) can be exploited and that such exploitation inevitably leads to subsequent exploitations, which may not always hold true in practice. The exploitability of vulnerabilities is influenced by multiple factors, such as the capabilities of attackers [51], which are not considered in the current model. Moreover, expert validation would be valuable in refining the assessment of identified vulnerabilities, offering a more nuanced understanding of their real-world impact and potential consequences.
Additionally, the CAPEC mitigation strategies provided by our model are sourced directly from the original CAPEC framework without modification. Consequently, these strategies serve as general guidance rather than tailored recommendations, as they do not take into account environment-specific factors that may influence their practical effectiveness. In practice, organizations should evaluate their specific operational contexts and adapt the suggested mitigation strategies accordingly to maximize their applicability and effectiveness.
8. Conclusions and Future Work
In this article, we presented a dynamic risk assessment and mitigation model designed to assess cyber risk and provide corresponding mitigation recommendations. The proposed model integrates data from cybersecurity-related open sources with information from an organization’s internal environment to both assess risk and offer mitigation strategies to reduce it. The incorporation of EPSS data equips the model with dynamic and proactive capabilities. A key novelty of the proposed model lies in its ability to dynamically update both the threat and vulnerability vectors within the risk calculation formula. The effectiveness of the model was demonstrated through a comprehensive case study, showcasing its capability to accurately assess risk and propose mitigation measures.
For future work, we plan to incorporate machine learning or artificial intelligence techniques [53] to automate and enhance the detection of CAPEC processes. Additionally, we aim to enhance the model’s functionality by integrating mechanisms to evaluate the effectiveness of the proposed mitigation actions in reducing the assessed risk. These advancements will further increase the model’s utility for dynamic and proactive risk assessment. Finally, we intend to apply the proposed methodology in a real-world environment to assess the model’s effectiveness in practical scenarios.