An article in tech publication Medium argues that the end of MITRE's US government-backed Common Vulnerabilities and Exposures (CVE) programme would have little impact, because CVE is no more than a catalogue of vulnerabilities and is not a robust measure of true risk.
The author, risk specialist Doug Hubbard, said CVE's metadata and severity scores were static and were based on worst-case or idealised scenarios under which a vulnerability could be exploited; hence they often failed to reflect the realistic impact on a specific organisation, leading to an overload of 'critical' alerts and desensitisation.
Hubbard advocated abandoning CVE and similar frameworks in favour of measuring risk by estimating the probability of an event and the resulting loss or damage.
The end of the CVE programme could encourage better, more focused risk assessment amongst users, the author said.
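The following is an added illustration of the probability-and-loss approach the article summarises, not code from Hubbard or from the Medium piece. It ranks three constructed findings first by their static severity score and then by expected annual loss (estimated annual probability of exploitation multiplied by the mean of a lognormal loss distribution fitted to a 90% confidence interval), and runs a small Monte Carlo simulation to estimate the chance that total annual loss exceeds a threshold. All identifiers, scores, probabilities and loss ranges are constructed sample data; the lognormal-from-90%-CI fit is an assumption chosen for the example, not a method the page specifies.

```python
import math
import random
from dataclasses import dataclass

Z90 = 1.645  # z-score bounding a two-sided 90% confidence interval


@dataclass(frozen=True)
class Finding:
    """One vulnerability as it applies to one organisation (constructed sample data)."""
    ident: str        # placeholder label, not a real CVE identifier
    severity: float   # static published severity score on a 0-10 scale
    p_annual: float   # estimated probability of exploitation in this environment per year
    loss_low: float   # lower bound of a 90% CI for the loss if it is exploited
    loss_high: float  # upper bound of that 90% CI


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Fit lognormal mu/sigma so that [low, high] is the 90% interval (assumed fit)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def expected_annual_loss(f: Finding) -> float:
    """Point estimate: P(event in a year) times the mean of the loss distribution."""
    mu, sigma = lognormal_params(f.loss_low, f.loss_high)
    mean_loss = math.exp(mu + sigma ** 2 / 2)  # mean of a lognormal
    return f.p_annual * mean_loss


def rank_by(findings: list[Finding], key) -> list[str]:
    """Return identifiers ordered from highest to lowest by the given key."""
    return [f.ident for f in sorted(findings, key=key, reverse=True)]


def simulate_total_loss(findings: list[Finding], trials: int = 10_000, seed: int = 1) -> list[float]:
    """Monte Carlo: per trial, decide whether each finding is exploited and sample its loss."""
    rng = random.Random(seed)
    params = {f.ident: lognormal_params(f.loss_low, f.loss_high) for f in findings}
    totals = []
    for _ in range(trials):
        total = 0.0
        for f in findings:
            if rng.random() < f.p_annual:
                mu, sigma = params[f.ident]
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals


def loss_exceedance(totals: list[float], threshold: float) -> float:
    """Fraction of simulated years in which total loss exceeded the threshold."""
    return sum(1 for t in totals if t > threshold) / len(totals)


# Constructed sample: a 'critical' score on an isolated lab host, a 'medium' score on an
# internet-facing payment system, and a 'high' score on an internal file server.
SAMPLE = [
    Finding("VULN-A", severity=9.8, p_annual=0.02, loss_low=5_000, loss_high=50_000),
    Finding("VULN-B", severity=6.5, p_annual=0.40, loss_low=50_000, loss_high=2_000_000),
    Finding("VULN-C", severity=7.5, p_annual=0.10, loss_low=10_000, loss_high=100_000),
]

if __name__ == "__main__":
    print("by static severity:    ", rank_by(SAMPLE, lambda f: f.severity))
    print("by expected annual loss:", rank_by(SAMPLE, expected_annual_loss))
    for f in SAMPLE:
        print(f"{f.ident}: EAL ~ {expected_annual_loss(f):,.0f}")
    totals = simulate_total_loss(SAMPLE)
    print("P(annual loss > 1,000,000) ~", loss_exceedance(totals, 1_000_000))
```

With these inputs the static ordering (A, C, B) inverts under expected annual loss (B, C, A): the finding with the lowest published score dominates once the organisation's own exposure and the size of the plausible loss are taken into account, which is the point the article makes about static scores.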