Abstract

This document proposes a reconceptualisation of vulnerability management, not as a purely technical artefact, but as a contextual property of an information system that contributes to organisational risk. Our approach does not oppose risk analysis, but rei ntegrates vulnerability management into it by placing vulnerabilities in their operational context. This allows vulnerabilities to be prioritised not only according to their intrinsic technical severity, but also according to the specific risks they pose t o the organisation. We introduce a method designed to support this integrative perspective, which will be presented and discussed in this paper. In addition, we explore the vulnerability chain and the trade -offs between security and sustainability, introdu cing financial metrics as a lever for risk arbitrage

Share

COinS