Risk Based Vulnerability Management (or RBVM) is a process by which one evaluates the business risk an organization carries from its vulnerable digital assets, and helps the organization reach an acceptable security posture by prioritizing remediation.

Current challenges

Organizations are managing risk by:

i. Complying with Industry Standards

E.g. ISO 27001:2013, NIST-CSF. This is done via manual audits, which are time consuming and laborious. It is enough for an organization to achieve basic cyber hygiene, but not sufficient to counter cyber-attacks, which are ever changing!

ii. Performing Vulnerability Assessments

Typically tool based; it identifies vulnerabilities in assets by looking them up in popular vulnerability databases such as NVD (National Vulnerability Database).

Another class of issues is Misconfiguration. Though these are not classic vulnerabilities, they do render the asset vulnerable. These are checks performed against widely accepted industry benchmarks such as CIS (Center for Internet Security).

The IT infrastructure of an organization today is diverse, spread across the cloud, on-premise systems and employees working from home. The vulnerability assessment must cover the assets in all of these environments.

Challenges with Vulnerability Assessments
  • The findings from these assessments are quite technical in nature.

  • The severity of the issues is based on CVSS (Common Vulnerability Scoring System), which is a fixed score and does not take the organization's context into account.

  • Reports differ for each asset type; with 8-10 asset types, there is no easy way to correlate and normalize them.

  • The number of issues identified is large: with tens of assets, the identified issues can run into the thousands.

Every organization is constrained in the time and money it can invest in cybersecurity. When the number of issues identified is too large, prioritization becomes the challenge. It boils down to managing risk, and the first step in that is identifying the risks.

So, what is Risk?

The potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of assets, threats, and vulnerabilities.

Risk is not the enemy – too much of it is. But very importantly, so is too little of it. Between recklessness and complacency, there is a Goldilocks Zone of risk – not too much, not too little – just right.

Rohit Ghai - President, RSA

How to manage Risk?

The process is to identify vulnerabilities across the organization, model the risk for each identified weakness, prioritize them, and start remediating the top risks – so that, for the same time and effort, the organization de-risks itself optimally.

DeRisk Center

  • DeRisk Center follows a Risk Based Vulnerability Management model.

  • Identifies an asset’s inherent weaknesses by performing a combination of VA, Misconfiguration checks and PT (Penetration Testing). This is the inside-out view.

  • Using Threat Intelligence, identifies the threats coming from outside: the outside-in view.

  • Computes likelihood of a breach for each identified weakness.

  • Further, models the risk objects and scores them.

  • Builds a prioritized risk register and suggests remediations.
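As an added illustration (not Seconize's own code or scoring model), the following Python toy shows why a CVSS-only ordering differs from a risk-based one: constructed findings from two asset types are normalized to one schema, a likelihood is derived from the base score plus a threat-intelligence flag, and the impact comes from the organization's own asset criticality. All asset names, weights and findings are assumed for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One weakness, normalized across asset types (constructed schema)."""
    finding_id: str
    asset: str
    source: str            # "va" (scanner CVE) or "misconfig" (CIS-style check)
    severity: float        # 0-10: CVSS base for VA, scanner severity mapped to the same scale
    exploited_in_wild: bool  # outside-in view: threat intelligence reports active exploitation

# Organization context the CVSS score does not have: asset criticality, 1 (low) to 5 (high).
# Assumed values for the example.
ASSET_CRITICALITY = {"erp-db": 5, "dev-wiki": 1, "mail-gw": 4}

def likelihood(f: Finding) -> float:
    """Likelihood of breach via this weakness, 0..1: severity scaled, boosted when TI says it is exploited."""
    base = f.severity / 10.0
    return min(1.0, base * (1.5 if f.exploited_in_wild else 1.0))

def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact, with impact taken from the asset's business criticality."""
    impact = ASSET_CRITICALITY.get(f.asset, 3) / 5.0   # unknown assets default to medium
    return round(likelihood(f) * impact * 100, 1)

def risk_register(findings):
    """Prioritized risk register: highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)

def cvss_only_order(findings):
    """What a plain scanner report would put on top: severity alone."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.severity, reverse=True)]

def rbvm_order(findings):
    return [f.finding_id for f in risk_register(findings)]

# Constructed sample findings: a critical CVE on a throwaway wiki, a lower CVE on the ERP
# database that is being exploited in the wild, and two misconfigurations.
SAMPLE = [
    Finding("VA-1", "dev-wiki", "va", 9.8, False),
    Finding("VA-2", "erp-db", "va", 7.5, True),
    Finding("MC-1", "mail-gw", "misconfig", 5.3, True),
    Finding("MC-2", "dev-wiki", "misconfig", 4.0, False),
]

if __name__ == "__main__":
    print("CVSS-only:", cvss_only_order(SAMPLE))
    print("RBVM:     ", rbvm_order(SAMPLE))
    for f in risk_register(SAMPLE):
        print(f"{f.finding_id:5} {f.asset:9} {f.source:9} risk={risk_score(f)}")
```

The severity-only list starts with the wiki's critical CVE, while the risk register moves the actively exploited ERP weakness and the mail-gateway misconfiguration ahead of it.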

Copyright © 2024 Seconize Technologies Pvt Ltd. All rights reserved.