Vulnerability Management: A Risk-Based Optimization

RIEPPI, MICHELE
2024/2025

Abstract

The increasing complexity of the European regulatory landscape in cybersecurity, reinforced by the introduction of the NIS2 Directive, has positioned vulnerability management as a fundamental pillar to ensure the resilience of critical infrastructures and essential services. However, traditional approaches to vulnerability prioritization, primarily based on the Common Vulnerability Scoring System (CVSS), reveal significant limitations in predictive capability and in contextualizing real organizational risk. This thesis examines the regulatory and technical evolution of vulnerability management, highlighting the challenges of adopting a purely score-based model. Alternative methodologies are explored, with particular attention to risk-based approaches supported by threat intelligence, such as the Exploit Prediction Scoring System (EPSS). The aim is to demonstrate how these approaches enable a more dynamic and objective assessment of threats, improving backlog management and the planning of remediation activities. The applied part of the research is developed through a banking case study, which illustrates operational challenges related to asset classification, data collection, and the lack of uniform criteria for setting priorities. The implementation of a risk and threat-oriented scoring system improved analysis, reporting, and decision-making processes, ensuring stronger alignment with regulatory requirements (NIS2, DORA, TIBER) and more effective risk management. The findings indicate that adopting risk-based vulnerability management approaches not only better supports compliance needs but also reduces exposure to operational and reputational risks. The thesis concludes with practical recommendations and future perspectives, emphasizing the potential of artificial intelligence and machine learning techniques to further enhance predictive and prioritization models.
2024
Vulnerabilities
Risk
Threats
CVSS
Files in this item:

File: RIEPPI_MICHELE.pdf
Access: open access
Size: 625.48 kB
Format: Adobe PDF

The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 License.

Use this identifier to cite or link to this item: https://hdl.handle.net/20.500.12608/101996