Special offers now — see discounted courses.
day
:
hour
:
min
:
sec
See special offers
Vulnerability Management: Assessing the Risks with CVSS, CISA KEV, EPSS, and SSVC

Vulnerability Management: Assessing the Risks with CVSS, CISA KEV, EPSS, and SSVC

1h 11mIntermediate2025-07-14

Authors

Lora Vaughn

Lora Vaughn

Cybersecurity Executive in Financial Services

Course details

Vulnerability management is a critical part of an effective information security program, but determining which vulnerabilities to address first is a daunting challenge. In this course, learn how to differentiate between vulnerability severity and vulnerability risk. Discover what elements can be combined to determine vulnerability severity, techniques you can use to determine the risk a vulnerability poses to your specific environment, and things to consider when building a vulnerability management program.

Learning objectives
Analyze vulnerability characteristics to accurately assess the severity of identified vulnerabilities in information systems.
Evaluate the interplay between exploitability, severity, and business criticality to determine the risk level of specific vulnerabilities in your organization's environment.
Differentiate between vulnerability severity and vulnerability risk in the context of an effective vulnerability management program.
Synthesize various elements to construct a comprehensive method for determining vulnerability severity in diverse information systems.
Design a structured vulnerability management program that prioritizes addressing critical vulnerabilities based on both severity and organizational risk factors.

Skills covered

Vulnerability ManagementCybersecurityOne-Off

Concepts

Vulnerability Basics

  • 01 - Vulnerability risk assessment
  • 02 - Vulnerability types and their causes
  • 03 - Methods for addressing vulnerabilities

1. Vulnerability Severity Conversations

  • 04 - Intro to determining severity with CVSS
  • 05 - Making sense of the CVSS Vector String
  • 06 - Attack method or vector when determining severity
  • 07 - How attack complexity impacts severity
  • 08 - How access or privileges required affects severity
  • 09 - How user interaction affects severity
  • 10 - Security Scope in CVSS v 3.1
  • 11 - How impacts affect severity

2. Severity vs. Risk

  • 12 - Severity and risk are not the same
  • 13 - Challenges with CVSS and severity scores
  • 14 - Vendor-specific severity scoring methodologies
  • 15 - Other vulnerability scoring methodologies - KEV and EPSS
  • 16 - Solution - Comparing vulnerabilty severity scores

3. Moving from Severity to Risk

  • 17 - Why severity scores alone aren't enough
  • 18 - Risk assessment basics
  • 19 - Exploit availability
  • 20 - Asset categorization
  • 21 - Combining severity and risk to drive action
  • 22 - Solution - Prioritize vulnerabilities for remediation

4. Stakeholder-Specific Vulnerability Categorization

  • 23 - Intro to SSVC
  • 24 - SSVC - Exploitation
  • 25 - SSVC - Automatable
  • 26 - SSVC - Technical impact
  • 27 - SSVC - Mission prevalence and public well-being
  • 28 - Using SSVC
  • 29 - Solution - Using SSVC to prioritize vulnerabilities

5. Building a RIsk-Based Vulnerability Management Program

  • 30 - Core components to a program
  • 31 - Detect vulnerabilities
  • 32 - Assess the risk
  • 33 - Assign vulnerablities for remediation
  • 34 - Remediate and confirm vulnerabilities
  • 35 - Outliers - Handling celebrity vulnerabilities

Conclusion

  • 36 - Just the beginning

Related courses

Related learn paths

About us

LyndaKade is a leading learning platform that helps people learn business, software, technology, and creative skills to achieve personal and professional goals.

Phone numberAparat ChannelTelegram SupportTelegram ChannelInstagram Page

All rights to this site belong to LyndaKade.

Terms of Service|Privacy Policy

نماد الکترونیک enamad در صورت اتصال با آی‌پی داخل کشور، نمایش داده خواهد شد.
logo-samandehi - لوگو ساماندهی
zarinpal
zibal