Thesis Demonstration · Context-Aware Risk Scoring

Beyond CVSS: a context-aware risk-rating model.

Severity is not the same as risk.

A context-aware cybersecurity maturity framework for higher-education institutions — one risk-weighted score that fuses technical severity, real-world exploitation likelihood, and the institutional context an asset actually lives in.

The Model · 0–10 scale

    R = 10 × (w1·s + w2·e + w3·c + w4·x)

where

    s    CVSS base score ÷ 10              technical severity
    e    EPSS-style probability (0–1)      real-world exploit activity
    c    asset criticality (0–1)           institutional value
    x    exposure (0–1)                    network reachability
    Σw   w1 + w2 + w3 + w4 = 1             AHP-derived weights
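As an added worked example (my code, not the thesis demo's), here is the model in Python. It normalises the four AHP weights the way the demo's sliders do, rejects out-of-range inputs, and reproduces the demo's default scenario (CVSS 9.8, EPSS 0.05, criticality 0.20, exposure 0.30, weights 0.30/0.30/0.25/0.15), which scores 4.04. The names `Inputs`, `breakdown`, `delta_vs_cvss` and `dominant_driver` are mine, not the demo's.

```python
from dataclasses import dataclass

# Default AHP weights taken from the demo's slider defaults: w1..w4 for s, e, c, x.
DEFAULT_WEIGHTS = (0.30, 0.30, 0.25, 0.15)


def _check(name, value, lo, hi):
    if not (lo <= value <= hi):
        raise ValueError(f"{name}={value} outside [{lo}, {hi}]")


@dataclass(frozen=True)
class Inputs:
    cvss: float         # CVSS v3.1 base score, 0-10 (s = cvss / 10)
    epss: float         # EPSS-style exploitation probability, 0-1 (e)
    criticality: float  # asset criticality to the institution, 0-1 (c)
    exposure: float     # network reachability, 0-1 (x)

    def __post_init__(self):
        # Validate ranges up front: a stray "95" where 0.95 was meant would
        # otherwise silently dominate the score.
        _check("cvss", self.cvss, 0.0, 10.0)
        for name in ("epss", "criticality", "exposure"):
            _check(name, getattr(self, name), 0.0, 1.0)


def normalise(weights):
    """Rescale the four AHP weights so they sum to 1, as the demo's sliders do."""
    if len(weights) != 4 or any(w < 0 for w in weights):
        raise ValueError("need four non-negative weights")
    total = sum(weights)
    if total == 0:
        raise ValueError("weights must not all be zero")
    return tuple(w / total for w in weights)


def breakdown(inp, weights=DEFAULT_WEIGHTS):
    """Return (rows, weighted_sum, score); rows are
    (component, input, weight, contribution) in the model's order s, e, c, x."""
    w1, w2, w3, w4 = normalise(weights)
    rows = [
        ("Severity",    inp.cvss / 10,   w1),
        ("Exploit",     inp.epss,        w2),
        ("Criticality", inp.criticality, w3),
        ("Exposure",    inp.exposure,    w4),
    ]
    contrib = [(name, v, w, v * w) for name, v, w in rows]
    weighted_sum = sum(c for _, _, _, c in contrib)
    # R = 10 * (w1*s + w2*e + w3*c + w4*x)
    return contrib, weighted_sum, 10 * weighted_sum


def risk_score(inp, weights=DEFAULT_WEIGHTS):
    return round(breakdown(inp, weights)[2], 2)


def delta_vs_cvss(inp, weights=DEFAULT_WEIGHTS):
    """Context-aware risk minus the raw CVSS score; negative means context lowered it."""
    return round(risk_score(inp, weights) - inp.cvss, 2)


def dominant_driver(inp, weights=DEFAULT_WEIGHTS):
    """Component with the largest contribution (the longest block in the stacked bar)."""
    contrib, _, _ = breakdown(inp, weights)
    return max(contrib, key=lambda r: r[3])[0]


if __name__ == "__main__":
    # The demo's default scenario: a 9.8 CVSS flaw, rarely exploited, on an isolated low-value asset.
    lab = Inputs(cvss=9.8, epss=0.05, criticality=0.20, exposure=0.30)
    for name, v, w, c in breakdown(lab)[0]:
        print(f"{name:<12} {v:.2f} x {w:.3f} = {c:.3f}")
    print("score", risk_score(lab), "delta", delta_vs_cvss(lab), "driver", dominant_driver(lab))
```

Passing the same flaw with criticality and exposure at 0.95 (the page's public-facing student-records case) lifts the score from 4.04 to 6.89 without changing a single CVSS metric, which is the whole point of the model.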

01 · CVSS answers the wrong question

The base score tells you how bad a flaw could be in the abstract. It says nothing about whether this asset matters to your institution, whether it is reachable from outside, or whether anyone is exploiting it today.

1. It measures severity, not risk.

   A 9.8 base score describes worst-case technical impact under hypothetical conditions. It is one ingredient of risk, not risk itself — and treating it as a decision is what fills triage queues with theoretical danger.

2. It is blind to asset criticality and exposure.

   The same CVE on a public-facing student records system and on an isolated lab workstation scores identically. Institutional value and network reachability never enter the equation — yet they are the variables that decide whether harm actually occurs.

3. It ignores real exploitation likelihood.

   Most high-severity CVEs are never weaponised. Without an EPSS-style probability, teams chase abstract worst cases while genuinely active threats wait their turn behind louder ones.

02 · Try it — and see exactly how the score is built

Pick a scenario or move any slider. Every part of the score updates live, the math is exposed line-by-line, and a stacked bar shows which input is driving the result — so the score is never a black box.


Inputs (default scenario)

    CVSS base score: 9.8
        0 – 10. How damaging the flaw is in technical terms (CVSS v3.1 base score).

    Exploit probability: 0.05
        0 – 1. Probability someone actually exploits it in the wild — EPSS-style.

    Asset criticality: 0.20
        0 – 1. How much your institution depends on this asset. Student records ≈ 0.95 · isolated lab PC ≈ 0.20.

    Exposure: 0.30
        0 – 1. How reachable it is. Public-facing portal ≈ 0.95 · air-gapped ≈ 0.05.

AHP weights

Sliders auto-normalise so w1+w2+w3+w4 = 1.000.

    w1 (severity)      0.300
    w2 (exploit)       0.300
    w3 (criticality)   0.250
    w4 (exposure)      0.150

Verdict: MEDIUM
    Moderate priority — fix during normal patch cycle, monitor for change.

Delta vs CVSS: −5.76
    Context-aware risk is lower than CVSS suggests.

    CVSS-only             9.8     severity in isolation
    Context-aware risk    4.04    severity × context × likelihood

What's driving the score (out of 10)

Each block is one input × its weight × 10. The longest block is the dominant driver.

How the score breaks down

The same calculation, written out.

    Component      Input   × Weight   = Contribution
    Severity       0.98      0.300      0.294
    Exploit        0.05      0.300      0.015
    Criticality    0.20      0.250      0.050
    Exposure       0.30      0.150      0.045
    Weighted sum                        0.404
    × 10 (rescale to 0–10)              4.04


03 · Prioritisation changes everything

Six real-world higher-education vulnerabilities, scored with the default AHP weights. Sorting by context-aware risk reshuffles the queue — the headline OpenSSL flaw sinks; the quiet SQL injection rises to the top.

    Vulnerability | CVSS | EPSS | Crit | Exp | Context risk

Rank movement

CVSS rank → Context rank

Each line is one vulnerability moving from its CVSS rank (left) to its context-aware rank (right).

Legend: moves up vs CVSS · moves down vs CVSS · unchanged
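An added example (my code, not the demo's, and not the thesis's six vulnerabilities): a small constructed queue is scored with the default weights, ranked once by CVSS and once by context-aware risk, and the rank movement is computed the way the chart above draws it. The labels, input values and function names are constructed for illustration only.

```python
# Default AHP weights from the demo (w1..w4 for s, e, c, x).
WEIGHTS = (0.30, 0.30, 0.25, 0.15)


def context_risk(cvss, epss, crit, exp, weights=WEIGHTS):
    """R = 10 * (w1*s + w2*e + w3*c + w4*x) with s = cvss / 10."""
    w1, w2, w3, w4 = weights
    return 10 * (w1 * cvss / 10 + w2 * epss + w3 * crit + w4 * exp)


# Constructed sample queue (illustrative, not the thesis data):
# (label, cvss, epss, criticality, exposure)
SAMPLE_QUEUE = [
    ("Headline crypto-library flaw on an isolated lab PC",     9.8, 0.05, 0.20, 0.30),
    ("SQL injection in the public student-records portal",     8.8, 0.60, 0.95, 0.95),
    ("RCE in an internal-only HR application server",          9.1, 0.30, 0.80, 0.40),
    ("Auth bypass in the public learning-management system",   7.5, 0.45, 0.85, 0.95),
    ("Local privilege escalation on a research cluster node",  7.8, 0.02, 0.60, 0.10),
    ("Stored XSS in the public library catalogue",             6.1, 0.25, 0.40, 0.90),
]


def rank_by(queue, key):
    """1-based rank of each label when sorted by `key` descending; ties keep input order."""
    ordered = sorted(queue, key=key, reverse=True)   # sorted() is stable, so ties are deterministic
    return {item[0]: i + 1 for i, item in enumerate(ordered)}


def rank_movement(queue=SAMPLE_QUEUE, weights=WEIGHTS):
    """Return rows (label, cvss, context_risk, cvss_rank, context_rank, movement),
    ordered by context-aware rank. movement > 0 means the item moved up the queue
    once context was applied; movement < 0 means it sank."""
    cvss_rank = rank_by(queue, key=lambda v: v[1])
    ctx_rank = rank_by(queue, key=lambda v: context_risk(*v[1:], weights=weights))
    rows = []
    for v in queue:
        label = v[0]
        risk = round(context_risk(*v[1:], weights=weights), 2)
        rows.append((label, v[1], risk, cvss_rank[label], ctx_rank[label],
                     cvss_rank[label] - ctx_rank[label]))
    return sorted(rows, key=lambda row: row[4])


def movement_summary(rows):
    """Counts of items that moved up, moved down and stayed put (the chart's legend)."""
    up = sum(1 for r in rows if r[5] > 0)
    down = sum(1 for r in rows if r[5] < 0)
    return {"up": up, "down": down, "unchanged": len(rows) - up - down}


if __name__ == "__main__":
    rows = rank_movement()
    for label, cvss, risk, c_rank, x_rank, mv in rows:
        arrow = "up" if mv > 0 else "down" if mv < 0 else "unchanged"
        print(f"{c_rank} -> {x_rank} ({arrow:9}) CVSS {cvss:>4}  risk {risk:>5}  {label}")
    print(movement_summary(rows))
```

With these constructed inputs the 9.8 flaw on the lab PC drops from first to last, and the SQL injection on the public records portal rises from third to first, the same shape of reshuffle the page describes.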

04 · What each existing system captures

Existing frameworks each address part of the picture. Only the proposed model spans severity, likelihood, institutional context, decision support, and maturity integration.

    System | Severity | Exploit likelihood | Asset / context | Decision support | Maturity integration

Legend: full · partial · absent

05 · The contribution

One risk-weighted score that feeds a maturity assessment.

This model integrates technical severity, real-world exploitation likelihood, and institutional context — asset criticality and exposure — into a single, AHP-weighted risk score on a 0–10 scale. Unlike severity-only systems such as CVSS, that score is not an endpoint: it feeds directly into a higher-education cybersecurity maturity assessment, linking individual vulnerability triage to institutional capability. The result is prioritisation that reflects what is actually at risk, and a measurable bridge from day-to-day remediation to long-term security maturity.