Overview
Explore the realities and absurdities of vulnerability scoring systems in this conference talk that critically examines CVSS, EPSS, and SSVC frameworks. Discover how these supposedly scientific approaches to risk management often resemble fortune-telling more than rigorous analysis, with CVSS performing complex calculations to force artificial patterns, EPSS attempting to predict exploitation through statistical methods, and SSVC abandoning mathematics entirely for structured intuition. Learn how security defenders actually make decisions by combining shortcuts like KEV lists, vendor advisories, and practical experience to distinguish truly urgent threats from routine annoyances. Examine whether these frameworks genuinely improve risk decision-making or simply provide sophisticated justification for predetermined choices. Gain insights into the strengths, weaknesses, and contradictions of each scoring system while comparing them to real-world vulnerability management practices. Determine if any of these models offer meaningful advantages over random chance in predicting exploitation likelihood. Expect critical analysis, industry debates, and humorous comparisons to divination practices throughout this examination of modern cybersecurity's approach to vulnerability assessment.
Syllabus
NorthSec 2025 - Tod Beardsley - Vulnerability Haruspicy: Using Woo To Confirm Your Biases
Taught by
NorthSec