{"id":"https://openalex.org/W2044625105","doi":"https://doi.org/10.1109/esem.2009.5314230","title":"Improving CVSS-based vulnerability prioritization and response with context information","display_name":"Improving CVSS-based vulnerability prioritization and response with context information","publication_year":2009,"publication_date":"2009-10-01","ids":{"openalex":"https://openalex.org/W2044625105","doi":"https://doi.org/10.1109/esem.2009.5314230","mag":"2044625105"},"language":"en","primary_location":{"id":"doi:10.1109/esem.2009.5314230","is_oa":false,"landing_page_url":"https://doi.org/10.1109/esem.2009.5314230","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2009 3rd International Symposium on Empirical Software Engineering and Measurement","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5011075320","display_name":"Christian Fr\u00fchwirth","orcid":"https://orcid.org/0009-0004-6081-5970"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Christian Fruhwirth","raw_affiliation_strings":["BIT Research Center, Helsinki University of Technology, Espoo, Finland","BIT Research Center, Helsinki University of Technology, Otaniementie 17, Espoo, Finland#TAB#"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"BIT Research Center, Helsinki University of Technology, Espoo, Finland","institution_ids":[]},{"raw_affiliation_string":"BIT Research Center, Helsinki University of Technology, Otaniementie 17, Espoo, Finland#TAB#","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5057718373","display_name":"Tomi M\u00e4nnist\u00f6","orcid":"https://orcid.org/0000-0001-7470-5183"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Tomi Mannisto","raw_affiliation_strings":["Software Business and Engineering Institute, Helsinki University of Technology, Espoo, Finland","Software Business and Engineering Institute, Helsinki University of Technology, Innopoli 2, Tekniikantie 14, Espoo, Finland"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Software Business and Engineering Institute, Helsinki University of Technology, Espoo, Finland","institution_ids":[]},{"raw_affiliation_string":"Software Business and Engineering Institute, Helsinki University of Technology, Innopoli 2, Tekniikantie 14, Espoo, Finland","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":2,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":11.6465,"has_fulltext":false,"cited_by_count":104,"citation_normalized_percentile":{"value":0.98231017,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"535","last_page":"544"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12423","display_name":"Software Reliability and Analysis Research","score":0.995199978351593,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9944999814033508,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.7872219681739807},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7072864770889282},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.6763967871665955},{"id":"https://openalex.org/keywords/vulnerability-management","display_name":"Vulnerability management","score":0.6609763503074646},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.6596336364746094},{"id":"https://openalex.org/keywords/vulnerability-assessment","display_name":"Vulnerability assessment","score":0.5840786695480347},{"id":"https://openalex.org/keywords/metric","display_name":"Metric (unit)","score":0.5482689142227173},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.5261908173561096},{"id":"https://openalex.org/keywords/risk-analysis","display_name":"Risk analysis (engineering)","score":0.4663991332054138},{"id":"https://openalex.org/keywords/prioritization","display_name":"Prioritization","score":0.46153366565704346},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4045049548149109},{"id":"https://openalex.org/keywords/knowledge-management","display_name":"Knowledge management","score":0.3564346432685852},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.25232306122779846},{"id":"https://openalex.org/keywords/process-management","display_name":"Process management","score":0.24468785524368286},{"id":"https://openalex.org/keywords/marketing","display_name":"Marketing","score":0.10103163123130798},{"id":"https://openalex.org/keywords/medicine","display_name":"Medicine","score":0.08721408247947693}],"concepts":[{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.7872219681739807},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7072864770889282},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.6763967871665955},{"id":"https://openalex.org/C172776598","wikidata":"https://www.wikidata.org/wiki/Q7943570","display_name":"Vulnerability management","level":4,"score":0.6609763503074646},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.6596336364746094},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.5840786695480347},{"id":"https://openalex.org/C176217482","wikidata":"https://www.wikidata.org/wiki/Q860554","display_name":"Metric (unit)","level":2,"score":0.5482689142227173},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.5261908173561096},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.4663991332054138},{"id":"https://openalex.org/C2777615720","wikidata":"https://www.wikidata.org/wiki/Q11888847","display_name":"Prioritization","level":2,"score":0.46153366565704346},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4045049548149109},{"id":"https://openalex.org/C56739046","wikidata":"https://www.wikidata.org/wiki/Q192060","display_name":"Knowledge management","level":1,"score":0.3564346432685852},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.25232306122779846},{"id":"https://openalex.org/C195094911","wikidata":"https://www.wikidata.org/wiki/Q14167904","display_name":"Process management","level":1,"score":0.24468785524368286},{"id":"https://openalex.org/C162853370","wikidata":"https://www.wikidata.org/wiki/Q39809","display_name":"Marketing","level":1,"score":0.10103163123130798},{"id":"https://openalex.org/C71924100","wikidata":"https://www.wikidata.org/wiki/Q11190","display_name":"Medicine","level":0,"score":0.08721408247947693},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C118552586","wikidata":"https://www.wikidata.org/wiki/Q7867","display_name":"Psychiatry","level":1,"score":0.0},{"id":"https://openalex.org/C27415008","wikidata":"https://www.wikidata.org/wiki/Q7256382","display_name":"Psychological intervention","level":2,"score":0.0},{"id":"https://openalex.org/C151730666","wikidata":"https://www.wikidata.org/wiki/Q7205","display_name":"Paleontology","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/esem.2009.5314230","is_oa":false,"landing_page_url":"https://doi.org/10.1109/esem.2009.5314230","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2009 3rd International Symposium on Empirical Software Engineering and Measurement","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":30,"referenced_works":["https://openalex.org/W653086118","https://openalex.org/W1483280370","https://openalex.org/W1497444954","https://openalex.org/W1534271906","https://openalex.org/W1557598243","https://openalex.org/W1597808407","https://openalex.org/W1614196552","https://openalex.org/W1989440310","https://openalex.org/W2004584049","https://openalex.org/W2014071948","https://openalex.org/W2033783561","https://openalex.org/W2048759110","https://openalex.org/W2056075452","https://openalex.org/W2057553235","https://openalex.org/W2062493711","https://openalex.org/W2088907607","https://openalex.org/W2096274199","https://openalex.org/W2100063638","https://openalex.org/W2130238244","https://openalex.org/W2130424546","https://openalex.org/W2130425133","https://openalex.org/W2136451344","https://openalex.org/W2160372331","https://openalex.org/W2161315914","https://openalex.org/W2167474990","https://openalex.org/W2620244897","https://openalex.org/W3151685851","https://openalex.org/W4237954349","https://openalex.org/W4238226847","https://openalex.org/W6682933086"],"related_works":["https://openalex.org/W4200107511","https://openalex.org/W4306762697","https://openalex.org/W4284888217","https://openalex.org/W4387360145","https://openalex.org/W3191405550","https://openalex.org/W3150345186","https://openalex.org/W2393340519","https://openalex.org/W2390459954","https://openalex.org/W2297096600","https://openalex.org/W4220885008"],"abstract_inverted_index":{"The":[0,33],"growing":[1],"number":[2],"of":[3,50,90,108,133,167,182,216,235,251],"software":[4],"security":[5,14,248,252,256],"vulnerabilities":[6,91],"is":[7,139,166],"an":[8],"ever-increasing":[9],"challenge":[10],"for":[11,47,111,141],"organizations.":[12],"As":[13],"managers":[15,80,117],"in":[16,40,61,81,114,199],"the":[17,48,58,62,73,82,88,99,104,124,131,145,150,176,191,200,206,210,221,231,243],"industry":[18,83],"have":[19,27,84,175],"to":[20,28,129,160,170,178,189,242],"operate":[21],"within":[22],"limited":[23,109],"budgets":[24],"they":[25],"also":[26],"prioritize":[29],"their":[30,134],"vulnerability":[31,112,136,218,236],"responses.":[32],"Common":[34],"Vulnerability":[35,65],"Scoring":[36],"System":[37],"(CVSS)":[38],"aids":[39],"such":[41],"prioritization":[42,113,232],"by":[43,103,122],"providing":[44],"a":[45,155,213],"metric":[46,60],"severity":[49,59,89],"vulnerabilities.":[51],"In":[52],"its":[53],"most":[54],"prominent":[55],"application,":[56],"as":[57],"U.S.":[63],"National":[64],"Database":[66],"(NVD),":[67],"CVSS":[68,100],"scores":[69,101],"omit":[70],"information":[71,127,228],"pertaining":[72],"potential":[74,146,193],"exploit":[75],"victims'":[76],"context.":[77],"Researchers":[78],"and":[79,202,223,233,254],"long":[85],"understood":[86],"that":[87,157,225],"varies":[92],"greatly":[93],"among":[94],"different":[95],"organizational":[96],"contexts.":[97],"Therefore":[98],"provided":[102],"NVD":[105,201,222],"alone":[106],"are":[107,148],"use":[110,169],"practice.":[115],"Security":[116],"could":[118],"address":[119],"this":[120],"limitation":[121],"adding":[123,226],"missing":[125],"context":[126,227],"themselves":[128],"improve":[130],"quality":[132],"CVSS-based":[135],"prioritization.":[137],"It":[138],"unclear":[140],"them,":[142],"however,":[143],"whether":[144],"improvements":[147],"worth":[149],"additional":[151],"effort.":[152],"We":[153,208],"present":[154],"method":[156,165,211],"enables":[158],"practitioners":[159,171],"estimate":[161],"these":[162],"improvements.":[163],"Our":[164,239],"particular":[168],"who":[172],"do":[173],"not":[174],"resources":[177],"gather":[179],"large":[180],"amounts":[181],"empirical":[183],"data,":[184],"because":[185],"it":[186],"allows":[187],"them":[188],"simulate":[190],"improvement":[192],"using":[194],"only":[195],"publicly":[196],"available":[197],"data":[198],"distribution":[203],"models":[204],"from":[205,220],"literature.":[207],"applied":[209],"on":[212,245,247],"sample":[214],"set":[215],"720":[217],"announcements":[219],"found":[224],"significantly":[229],"improved":[230],"selection":[234],"response":[237],"process.":[238],"findings":[240],"contribute":[241],"discourse":[244],"returns":[246],"investment,":[249],"measurement":[250],"processes":[253],"quantitative":[255],"management.":[257]},"counts_by_year":[{"year":2025,"cited_by_count":9},{"year":2024,"cited_by_count":8},{"year":2023,"cited_by_count":11},{"year":2022,"cited_by_count":11},{"year":2021,"cited_by_count":5},{"year":2020,"cited_by_count":5},{"year":2019,"cited_by_count":8},{"year":2018,"cited_by_count":7},{"year":2017,"cited_by_count":7},{"year":2016,"cited_by_count":7},{"year":2015,"cited_by_count":7},{"year":2014,"cited_by_count":3},{"year":2013,"cited_by_count":1},{"year":2012,"cited_by_count":9}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}