Organizations simply cannot reduce their risk and improve their security posture without having some way to predict, ahead of time, which threats and vulnerabilities will actually lead to an attack.

We exist in a dualstage testing regime. We are subject to a low prevalence (rare event) environment. To act rationally in this scenario, the first test must remove as many false negatives as it can.

We have the better, if harder, problem of the meta-analysis (“research about research”) of many observations, always remembering that the purpose of security metrics is decision support.

Using CVSS to steer remediation is nuts, ineffective, deeply diseconomic, and knee jerk; given the availability of data it is also passé, which we will now demonstrate.