BEST PRACTICES FOR VULNERABILITY MANAGEMENT IN LARGE ENTERPRISES: A CRITICAL VIEW ON THE COMMON VULNERABILITY SCORING SYSTEM


Abstract

Over the past decade, enterprises have increasingly suffered from attacks conducted by cybercriminals. Potential losses are reflected not only in their revenue or stolen data, but also in their damaged reputation. Most often, these attacks were possible due to the successful exploitation of vulnerabilities within the company's system. Many such attacks could have been mitigated if responsible actors had taken the right actions related to the management of such vulnerabilities. This paper aims to summarize good practices regarding vulnerability management, with an essential focus on the matter of prioritization. For this, several vulnerability scoring systems, such as the Common Vulnerability Scoring System, were analyzed according to the way they are portrayed in scientific literature. It will also analyze non-technical, human factors by reflecting on organizational aspects. The aim is to provide an overview of the options large enterprises have in this regard and to inform about potential consequences they could face. It will also reflect on the problem behind the trade-off between investing enough in a cybersecurity foundation while simultaneously remaining profitable.

Cite

Hans, J., & Brandtweiner, R. (2022). BEST PRACTICES FOR VULNERABILITY MANAGEMENT IN LARGE ENTERPRISES: A CRITICAL VIEW ON THE COMMON VULNERABILITY SCORING SYSTEM. In WIT Transactions on the Built Environment (Vol. 214, pp. 123–134). WITPress. https://doi.org/10.2495/SSR220101
