Risk-Based Vulnerability Management (RBVM) Explained

In the digital age, staying ahead means investing in the latest and greatest technologies or being the first to create new features and apps that transform the society and generate a sizeable return.

Unfortunately, these developments are hampered by security flaws in IT systems that are an entry point for threat actors keen on exploiting them for financial gain and other nefarious drivers. According to the 2025 Microsoft Digital Defense Report, 18% of detected data breaches were conducted by targeting known vulnerabilities such as unpatched web assets and exposed remote services.

And this attack surface is increasing at an alarming rate, with DeepStrike reporting that a 16-18% growth of common vulnerabilities and exposures (CVEs) compared with 2024. And cyber attackers are quickly weaponizing these new flaws at high speed including zero-day ones.

So how do organizations go about addressing vulnerabilities in their on-premises and cloud hosted IT systems? Rather than an ad hoc approach that reacts to breaches and alerts with a patchwork of efforts but no focus, they can consider adopting the risk-based vulnerability management (RBVM) way.

What is RBVM: risk-based vulnerability management?

The RBVM method prioritizes addressing vulnerabilities based on the severity of the risk of compromise. RBVM is a strategic approach that properly determines both the potential impact to the organization should the vulnerability be exploited, as well as the severity of the vulnerability based on industry information.

In this article, we will consider the steps involved in carrying out an effective risk-based vulnerability management process as outlined by the Info~Tech research group. Learn more about related concepts such as vulnerability management and the relationship between vulnerabilities, threats, and risk.

Step 1: Identify vulnerability sources

The RVBM process starts by identifying vulnerability sources. The organization needs to understand the scope of its technology environment, and determine where flaws in system design, implementation, operation, or management could be exploited to violate information security policies and bypass controls.

The identification of vulnerability sources is a consultative exercise, so putting together a team of subject matter experts from within and outside the organization can be extremely helpful in comprehensively covering the scoped environment.

Vulnerabilities can originate from many sources

Examples of vulnerability sources and types include:

• Common Vulnerabilities and Exposures (CVEs) which are publicly disclosed lists of information security vulnerabilities. The most popular list is hosted by the CVE Program Mission and includes over 307,000 records. A CVE record includes a unique ID, date of publishing, description, score, severity, and product information including versions affected.
• Security advisories from vendors or developers.
• Results of penetration tests, vulnerability scanning tools, and software composition analysis tools that scan for known vulnerabilities in third-party and open-source components.
• Academic research into technology vulnerabilities
• Bug-bounty programs where technology solution vendors provide rewards for anyone able to exploit their system’s cybersecurity controls

These threat intelligence sources should be formally documented as risk scenarios that are mapped to the organization’s IT asset inventory, as well as categorized based on type. Examples of vulnerability source types include software, hardware, network, human, and environmental.

The vulnerability sources should also be mapped to existing information security controls, to determine whether the containment level is sufficient or requires further strengthening. Understanding these sources is key in determining the best way to address the associated flaws.

Step 2: Assess and prioritize related risks

Once vulnerability sources are identified, the next step is to assess and prioritize related risks. Assessing a vulnerability’s risks is a critical step in properly determining its true urgency within the organizational context. This serves two purposes: ensuring that immediate action is taken on critical and high risk vulnerabilities, while allowing the standard remediation cycle to address the remaining medium and minor ones.

This step involves choosing a methodology that will direct how vulnerabilities are assessed and evaluated based on intrinsic qualities, and their impact on critical organizational processes and data.

The ISO/IEC 27005 guidance on managing information security risks is an example of a reference document that can be used to assess and prioritize risks related to vulnerabilities. There are four main activities that are outlined during this step:

Assess potential consequences

Consequences relate to the failure to adequately preserve the confidentiality, integrity, and availability of critical data housed or processed in IT systems that are subject to the identified vulnerability sources. Consequences can be computed in terms of:

• Money: revenue lost or costs incurred
• Productivity: lost time and resources
• Reputation: negative customer satisfaction or brand image
• Compliance: regulatory penalties and other negative effects

Assess likelihood

Here the probability of the occurrence of the vulnerability and it being exploited is determined using statistical measures. Both qualitative and quantitative techniques can be applied, using historical data or modelling to come up with unambitious categories and scales for determining likelihood.

Determine the level of risks

The level of risk is a function of the assessed potential consequences and assessed likelihood. The most common approach is by multiplying the two outputs i.e. consequence level of 3 * likelihood of 3 = risk level of 9. Other approaches can include squaring of the two outputs.

The key output is a risk of lists with level values assigned.

Evaluate the related risks

Finally, the risks are evaluated based on comparing the results of the risk levels with the organizational risk criteria particularly the risk acceptance criteria. This informs the prioritization of the risks and informs the decision for next steps to remediate the vulnerabilities. A ranked list of risks related to vulnerabilities is the output at the end of this step.

Step 3: Remediate vulnerabilities

Once the risks are assessed and prioritized, a plan is put in place to address the identified vulnerabilities. Both temporary and permanent solutions should be considered, the latter obviously being more effective but may be constrained by time and cost concerns.

Examples of remediation actions suggested by the ISO/IEC 27002 standard on information security controls include:

• Patching IT systems as soon as possible as per vendor or developer instructions. This also includes configuring automatic updates wherever there is low risk to live services.
• Purging IT systems that are at end-of-life or are no longer supported by vendors from as security standpoint.
• Implementing temporary solutions or manual changes to vulnerable IT systems to prevent exploitation until a permanent solution is obtained from vendors or developers.
• Turning off services or capabilities or rerouting traffic from IT systems that are determined to be exploitable or under active exploitation.
• Implementing security controls to increase the security layers (defense in depth) protecting vulnerable IT systems such as firewalls, IPS/IDS and honey pots.

The organization should conduct planned, documented, and repeated penetration tests or vulnerability assessments to validate that the remediation actions have been successful. In addition, procedures should be set up to ensure new or modified systems are thoroughly tested for vulnerabilities as part of their acceptance criteria.

The ISO/IEC 30111 standard for vulnerability handling and disclosure processes serves as a good reference developing such procedures on how to process and remediate reported potential vulnerabilities in a product or service.

Step 4: Review and improve RVBM process

The RVBM process should be regularly monitored and evaluated to ensure its effectiveness and efficiency, especially considering it is a joint responsibility between vendors and customers of IT systems. Key metrics should be established, reviewed and reported regarding:

• The quality of threat intelligence
• Responsiveness to vulnerability reports
• Effectiveness of vulnerability risk assessment and treatment activities
• The overall security posture

The results of regular vulnerability scans, audits, and penetration tests should provide good insights into whether the overall vulnerability risk exposure is trending in a downward direction or further remedial actions are needed.

The role of governance

Improving the RVBM process involves not only technical actions, but also governance mechanisms and awareness on the part of IT teams involved in acquisition, installation, and usage of IT systems.

Organizations should establish policies and standards on vulnerability risk assessment and treatment, as well as ensure their contract agreements with vendors clarify SLAs for addressing vulnerabilities once detected.

They should consider training their staff on being conscious about the potential of flaws being exploited, and also rigorously maintaining IT asset inventories with updates data on software versions whether on-premise or on the cloud.

Lastly, they can also consider deploying AI-powered vulnerability scanners that provide real-time, automated threat detection. This ensures that the organization moves from a reactive to a proactive stance in vulnerability management, by attaining maturity levels in the RVBM process.

Final thoughts

The RBVM process is a continuous cycle that involves all stakeholders from management, system administrators, partners, and vendors involved in the technology ecosystem. The speed and approach at which organizations move to detect and address vulnerabilities is a key factor in determining whether their IT security posture supports the overall strategic objectives in terms of quality and secure IT services.

Organizations should strive to ensure their RVBM process leads to more effective resource allocation and minimized risks from a proactive approach to detecting and addressing IT system vulnerabilities.