Vulnerability Confirmation
True Positive: Real exploitable vulnerability detected
True Negative: Scanner incorrectly states vulnerability exists on the system
False Positive: Scanner correctly identifies there is no vulnerability
False Negative: Scanner does not detect the vulnerability that exists on the system
Common Vulnerabilities and Exposures (CVE)
System that provides a standardized way to uniquely identify and reference known vulnerabilities in software and hardware
Exposure Factor (EF)
Used as a quantifiable metric to help understand the exact percentage of an asset that is likely to be damaged or affected if a particular vulnerability is exploited
Quantitative Risk Analysis
Risk Tolerance
Level of risk that an organization is willing to accept in pursuit of its objectives and before action is deemed necessary to mitigate the risk
Risk Appetite