Measuring vs. Modeling
Dan Geer and Michael Roytman
Punchline: Using CVSS to steer remediation is nuts, ineffective, deeply diseconomic, and knee-jerk; given the availability of data it is also passé, which we will now demonstrate.
Vulnerability data is often used to describe the vulnerabilities themselves. This is not actually interesting—it’s like using footprints to describe bear paws. Sure, a black bear has different ones from a polar bear . . . but a more interesting fact is what kind of fur they have.