The Exploit Prediction Scoring System (EPSS) is a crucial tool for organisations, guiding them in prioritising vulnerabilities based on the likelihood of exploitation. However, as cyber threats evolve and organisational priorities shift, a static approach to EPSS thresholds may not suffice. Adapting your EPSS thresholds to match organisational risk tolerance, the capabilities of your cybersecurity team, and the changing threat landscape is essential for maintaining an effective defence.

Understanding EPSS Thresholds

EPSS provides a probabilistic score, predicting the chance a vulnerability will be exploited. To make this information actionable, organisations set EPSS thresholds—specific scores that categorise vulnerabilities into priority levels (e.g., high, medium, low). These thresholds are not universal; they should be customised to reflect each organisation’s unique security needs.

Factors Influencing EPSS Threshold Adjustments

Risk Tolerance

Organisations vary widely in their risk tolerance, influenced by their industry, regulatory requirements, and strategic goals. High-risk sectors, such as finance, might necessitate stricter EPSS thresholds, while innovative tech companies may afford to be more lenient.

Human Resources

The size and expertise of your cybersecurity team significantly affect your ability to address vulnerabilities. Larger, more specialised teams can manage more threats and thus operate with lower EPSS thresholds. Conversely, smaller teams may need to prioritise more critical vulnerabilities, necessitating higher thresholds.

Credible Threats and Threat Landscape Evolution

The threat landscape is continuously changing, with new vulnerabilities and attack techniques constantly emerging. Adjusting EPSS thresholds in response to these changes is crucial for maintaining an effective cybersecurity posture.

Implementing Dynamic EPSS Threshold Adjustments

1. Baseline Establishment: Start with setting initial thresholds based on an assessment of your current risk tolerance, cybersecurity team capabilities, and the prevailing threat landscape.
2. Continuous Monitoring and Evaluation: Keep a close eye on factors that could necessitate threshold adjustments, including changes in risk tolerance, team capacity, and the external threat environment.
3. Threshold Adjustment Protocol: Define a clear process for when and how thresholds should be adjusted, who is responsible for making these decisions, and the criteria used to guide these changes.
4. Feedback Loop: Establish a mechanism for evaluating the effectiveness of threshold adjustments in improving your cybersecurity posture. This feedback will inform further refinement of your threshold settings.

Want to know more?

Adopting a strategic approach to EPSS threshold management is essential for adapting to the ever-changing cyber threat landscape and organizational dynamics. This guide complements our ongoing discussion on EPSS and its role in cybersecurity, further explored in the below blog posts:

Adam McHugh

+ posts

• From Vulnerable to Vigilant: Transforming Vulnerability Management Processes
• Managing Residual Risk: Understanding the Limits of Vulnerability Management
• Communicating Vulnerability Risks: Translating Technical Jargon into Business Impact
• Beyond NIST: Diversifying Sources for Accurate Vulnerability Context