Briliyant, Obrina ORCID: https://orcid.org/0000-0002-1054-8112, Girinot, Girinoto, Syahral, Mohamad and Purwoko, Rahmat
2026.
Enhancing IoT vulnerability prioritization using real-time EPSS and SSVC decision tree modeling.
Presented at: 2nd International Conference on Cryptography, Informatics, and Cybersecurity (ICoCICs),
Depok, Indonesia,
22-23 October 2025.
Proceedings of 2nd International Conference on Cryptography, Informatics, and Cybersecurity.
IEEE,
pp. 185-191.
DOI: 10.1109/icocics68032.2025.11383863
Abstract
The exponential growth in Common Vulnerabilities and Exposures (CVE) has created unprecedented challenges for organizations implementing Internet of Things (IoT) devices, leaving security teams unable to determine remediation priorities effectively. Current industry practices rely predominantly on Common Vulnerability Scoring System (CVSS) base scores for vulnerability triage, despite explicit guidance against this approach in the CVSS specification. This misalignment results in suboptimal resource allocation, with organizations addressing theoretical high-severity vulnerabilities while practical exploitable vulnerabilities remain unpatched. This paper presents a novel real-time vulnerability prioritization framework that integrates live Exploit Prediction Scoring System (EPSS) with the Stakeholder-Specific Vulnerability Categorization (SSVC) to prioritize vulnerabilities based on active exploitation patterns. Our methodology shifts focus from static severity scoring to dynamic exploitation likelihood assessment, enabling organizations to address vulnerabilities being actively exploited in the wild while significantly reducing vulnerability management costs and minimizing adversary access windows. We evaluated the framework using 14 representative IoT vulnerability cases, comparing traditional CVSS-based approaches with our exploitation-focused method. Results demonstrate substantial improvements in vulnerability prioritization accuracy, with the proposed approach identifying 3 critical vulnerabilities (21.4% of total CVEs) requiring immediate attention that were missed by conventional static methods.
| Item Type: | Conference or Workshop Item - published (Paper) |
|---|---|
| Date Type: | Published Online |
| Status: | Published |
| Schools: | Schools > Computer Science & Informatics |
| Publisher: | IEEE |
| ISBN: | 9798331554828 |
| Last Modified: | 05 Mar 2026 11:45 |
| URI: | https://orca.cardiff.ac.uk/id/eprint/185542 |