/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsUNIVERSITY PARK, Pa.--(BUSINESS WIRE)--The College of Information Sciences and Technology at Penn State, in partnership with Tripwire, Inc., a leading global provider of risk-based security and compliance management solutions, today announced that the top 25 percent of vulnerability management contributors scanned their networks nearly continuously and had an average aggregate host risk score of 2.14 using the Common Vulnerability Scoring System (CVSS).
CVSS is an industry standard that measures the severity of vulnerabilities and prioritizes remediation efforts. CVSS scores range from zero to ten and vulnerabilities with a base score in the range of 7.0-10.0 are critical, 4.0-6.9 are major and 0-3.9 are minor.
Average host risk score, as well as average days since the last scan, are two key vulnerability management metrics derived from Penn State's Benchmark, a free, cloud-based cybersecurity analytics service. Benchmark allows security professionals to collaborate on security best practices and compare their security performance against community and industry benchmarks.
"Average aggregate host risk score and average days since last scan are excellent indicators of vulnerability management performance because they tend to move in the same direction," said Rod Murchison, vice president of product management at Tripwire. "Together, these scores indicate that companies that scan more frequently tend to have a more effective vulnerability remediation process, lowering their overall vulnerability risks scores."
Vulnerability management is a foundational security control that proactively prevents the exploitation of IT vulnerabilities. As a leading cybersecurity program performance management indicator, vulnerability management is referenced in every major security standard, including the Payment Card Industry Data Security Standard (PCI DSS), the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the 20 Critical Security Controls (20 CSC). Proactive management of vulnerabilities dramatically reduces the potential of successful cyberattacks and improves risk posture.
"Benchmark is a great example of the type of tools we need to train the next generation of cybersecurity analysts, and that is precisely why we are integrating it into our undergraduate curriculum," said Dr. David Hall, dean of the College of Information Sciences and Technology at Penn State. "Benchmark metrics help analysts take a qualitative approach to the capabilities of their cybersecurity infrastructure. Together, these metrics also make it possible for cybersecurity experts to evaluate the performance of their security controls at a higher level of abstraction."