Vulnerability Management Chaining: An Integrated Framework for Efficient Cybersecurity Risk Prioritization

This paper proposes "Vulnerability Management Chaining," an open-source, two-stage decision tree framework that integrates KEV, EPSS, and CVSS data to reduce urgent remediation workloads by approximately 95% while maintaining 85.6% coverage of exploited vulnerabilities.

The Gist

Imagine you are the Head of Security for a massive castle. Every day, a new report arrives at your desk listing thousands of cracks in the walls, loose stones, and unlocked windows. These reports are called CVEs (Common Vulnerabilities and Exposures).

Your problem? You have a tiny team of guards, but the list of cracks is growing faster than you can read it. If you try to fix every single crack, you'll burn out, and the castle will still be vulnerable because you spent all your time fixing tiny, harmless hairline fractures while a giant boulder was rolling toward the main gate.

This paper presents a new, smarter way to decide which cracks to fix first. The authors call it "Vulnerability Management Chaining."

Here is how it works, explained through simple analogies:

The Old Way: The "Scary Score" Problem

For years, security teams used a system called CVSS. Think of this as a "Scary Score" from 0 to 10.

• If a crack gets a score of 9 or 10, the rule was: "Fix this immediately!"
• The Problem: Almost everything gets a high score. Your team ends up with a list of 16,000 "urgent" items. You can't fix them all, so you panic, and the truly dangerous ones get lost in the noise.

The New Way: The "Chaining" Framework

The authors suggest a two-step filter (a decision tree) that combines three different sources of information to create a "Smart Shortlist."

Think of it like a bouncer at a VIP club who uses three different checks to decide who gets in.

Step 1: The "Is Anyone Actually Breaking In?" Check

First, the framework asks: "Is there proof someone is trying to break in right now, or is this just a theoretical risk?"
It uses two tools for this:

1. KEV (The "Wanted" List): This is a government list of cracks that attackers have already been caught using. It's like a "Most Wanted" poster. If a crack is on this list, it's definitely dangerous.
2. EPSS (The "Weather Forecast"): This is a computer program that predicts the probability of a crack being used in the next 30 days. It's like a weather app saying, "There's an 88% chance of rain." If the chance is high enough, we treat it as a threat.

The Analogy: If a crack is on the "Wanted" list OR the "Weather Forecast" says it's likely to rain, we flag it. If not, we ignore it for now. This immediately cuts the list of problems down by 95%.

Step 2: The "How Bad Would It Be?" Check

Now, we have a much shorter list of "likely threats." But we still need to know how bad they are.

• We look at the CVSS Score again, but this time we only care if the score is 7.0 or higher (High Severity).
• The Logic: If a crack is being exploited (Step 1) but it's a tiny, hard-to-reach crack that only hurts a little bit (Low Severity), we don't need to fix it today. We can put it on a "Monitor" list.
• The Result: We only rush to fix the cracks that are both being attacked AND would cause massive damage.

The Magic Result: The "Chaining" Effect

The paper tested this on 28,000 real-world cracks. Here is what happened:

1. The Old Way (CVSS only): You had to worry about 16,000 cracks. Your team was overwhelmed.
2. The New Way (Chaining): You only have to worry about 850 cracks.
   • Efficiency: You are 18 times more efficient. You are spending your time on the things that actually matter.
   • Coverage: You didn't miss the bad guys. You still caught 85% of the cracks that were actually being used by hackers.

The "Secret Sauce" (The Chain):
The most interesting finding was that KEV and EPSS are best friends.

• Sometimes, a crack is being used by hackers (KEV), but the computer forecast (EPSS) didn't predict it yet.
• Sometimes, the computer forecast (EPSS) predicts a new attack, but it hasn't been added to the "Wanted" list (KEV) yet.
• By chaining them together, the system found 48 extra dangerous cracks that neither tool would have found on its own. It's like having a detective who checks both the police database and the weather forecast; you catch more criminals than if you only checked one.

Why This Matters for You

• It's Free: You don't need to buy expensive, secret software. All the data used (the "Wanted" list, the "Weather Forecast," and the "Scary Scores") is open-source and free.
• It's Simple: You don't need a PhD in math. It's just a simple flowchart: Is it on the list? Is the forecast high? Is the damage score high?
• It Saves Time: It allows security teams to stop panicking about thousands of fake emergencies and focus on the few real fires.

In summary: This paper teaches us that instead of trying to fix every crack in the castle wall, we should use a smart filter to find the ones that are currently being attacked and would cause the most damage. By chaining different pieces of information together, we can do our job 18 times faster without letting the bad guys in.

Technical Summary

Here is a detailed technical summary of the paper "Vulnerability Management Chaining: An Integrated Framework for Efficient Cybersecurity Risk Prioritization."

1. Problem Statement

Organizations face an exponential growth in Common Vulnerabilities and Exposures (CVEs), creating an unsustainable workload for security teams. Current prioritization strategies suffer from significant limitations:

• CVSS (Common Vulnerability Scoring System): Measures theoretical severity but correlates poorly with actual exploitation likelihood. It generates an overwhelming volume of "high/critical" alerts, many of which are never exploited.
• KEV (Known Exploited Vulnerabilities): Provides high-confidence evidence of active exploitation but is inherently retrospective (reactive) and has limited coverage, missing emerging or targeted threats.
• EPSS (Exploit Prediction Scoring System): Uses machine learning to predict exploitation probability but suffers from inherent uncertainty (false positives/negatives) and may miss vulnerabilities exploited via novel patterns.

The core challenge is the lack of a systematic framework that integrates these complementary data sources to balance efficiency (reducing false positives/workload) with coverage (ensuring no critical exploited vulnerabilities are missed).

2. Methodology: Vulnerability Management Chaining (VMC)

The authors propose Vulnerability Management Chaining, a decision tree framework that systematically integrates CVSS, EPSS, and KEV data. The framework operates on a two-stage evaluation process:

Stage 1: Threat-Based Filtering

The first stage filters the total vulnerability pool to identify those with a confirmed or predicted threat of exploitation.

• Input: All CVEs in the environment.
• Logic:
  • Is the CVE in the CISA KEV Catalog? (Yes = Threat)
  • OR Is the EPSS score ≥ 0.088? (Yes = Threat)
• Outcome: Vulnerabilities failing both checks are categorized as "Defer" (standard patching cycles). Those passing are moved to Stage 2.

Stage 2: Severity Assessment

The second stage evaluates the impact of the identified threats to enable informed deprioritization.

• Input: Vulnerabilities flagged as threats in Stage 1.
• Logic: Is the CVSS Base Score ≥ 7.0?
• Outcome:
  • Yes: High impact + Threat = Critical or High Priority.
  • No: Threat exists but low impact = Monitor.

Final Prioritization Categories

The framework outputs four distinct categories:

1. Critical Priority: KEV-listed AND CVSS ≥ 7.0. (Immediate remediation required).
2. High Priority: EPSS ≥ 0.088 AND CVSS ≥ 7.0. (Scheduled remediation, 2–4 weeks).
3. Monitor: Exploitation evidence (KEV or high EPSS) BUT CVSS < 7.0. (Track for changes).
4. Defer: No exploitation evidence (Not in KEV and EPSS < 0.088). (Standard patching).

Data Sources: The framework relies exclusively on open-source data: CISA KEV catalog, EPSS scores (FIRST), and NVD CVSS scores.

3. Key Contributions

• Integrated Framework Design: The first systematic methodology to combine technical severity (CVSS), predictive intelligence (EPSS), and confirmed exploitation (KEV) into a unified decision tree.
• Empirical Validation: The study utilized a dataset of 28,377 CVEs published over 13 months (April 2022–April 2023) and cross-referenced them with 90 real-world exploited vulnerabilities documented in public vendor reports.
• Demonstration of Complementarity: The research proves that KEV and EPSS capture distinct subsets of exploited vulnerabilities. The integration identifies 48 additional exploited vulnerabilities (53.3% of the vendor report dataset) that neither method would capture individually.
• Accessibility: The framework requires no proprietary data or expensive subscriptions, making it immediately adoptable by organizations of all sizes.

4. Experimental Results

The study compared the VMC framework against three baselines: CVSS-only (≥7.0), KEV-only, and EPSS-only (≥0.088).

Metric	CVSS ≥7.0	KEV Only	EPSS ≥0.088	Proposed VMC
Efficiency (Exploited / Prioritized)	0.5%	74.3%	4.9%	9.1%
Coverage (Prioritized / Total Exploited)	90.0%	86.7%	48.9%	85.6%
Workload Reduction	Baseline	High reduction	Moderate	~95% reduction

• Efficiency Improvement: VMC achieved an 18-fold improvement in efficiency compared to traditional CVSS-based prioritization (9.1% vs. 0.5%). This means a significantly higher percentage of the vulnerabilities flagged for action were actually being exploited.
• Coverage Maintenance: Despite the massive reduction in workload, VMC maintained 85.6% coverage of actually exploited vulnerabilities, comparable to the 90% coverage of the CVSS approach but with far fewer false positives.
• Workload Impact: The framework reduced the urgent remediation workload from ~16,182 vulnerabilities (CVSS approach) to approximately 850 vulnerabilities, a 95% reduction.

5. Significance and Implications

• Operational Transformation: The framework allows security teams to shift from a "comprehensive but overwhelmed" approach to a "risk-based and focused" strategy. By deferring ~95% of vulnerabilities to standard cycles, teams can focus specialized resources on the 5% representing actual, high-impact threats.
• Synergistic Intelligence: The study validates that historical data (KEV) and predictive models (EPSS) are not redundant but complementary. Relying on either alone leaves significant gaps in defense; combining them fills critical coverage holes.
• Scalability and Adaptability: Because the framework uses a decision tree structure based on open data, it is easily automated via scripts or existing vulnerability management platforms. It is designed to accommodate future updates (e.g., EPSS v4.0 or new intelligence feeds) without architectural changes.
• Regulatory Alignment: The approach supports compliance with frameworks like PCI DSS and CISA directives by providing a defensible, evidence-based methodology for prioritizing remediation timelines.

In conclusion, Vulnerability Management Chaining offers a practical, data-driven solution to the vulnerability overload crisis, proving that systematic integration of multiple intelligence sources can drastically improve security posture while reducing operational burden.