CompTIA CySA+ (CS0-001) — Question 103

An organization uses Common Vulnerability Scoring System (CVSS) scores to prioritize remediation of vulnerabilities.
Management wants to modify the priorities based on a difficulty factor so that vulnerabilities with lower CVSS scores may get a higher priority if they are easier to implement with less risk to system functionality. Management also wants to quantify the priority. Which of the following would achieve management's objective?

Answer options

• A. (CVSS Score) * Difficulty = Priority Where Difficulty is a range from 0.1 to 1.0 with 1.0 being easiest and lowest risk to implement
• B. (CVSS Score) * Difficulty = Priority Where Difficulty is a range from 1 to 5 with 1 being easiest and lowest risk to implement
• C. (CVSS Score) / Difficulty = Priority Where Difficulty is a range from 1 to 10 with 10 being easiest and lowest risk to implement
• D. ((CVSS Score) * 2) / Difficulty = Priority Where CVSS Score is weighted and Difficulty is a range from 1 to 5 with 5 being easiest and lowest risk to implement

Correct answer: C

Explanation

Option C is correct because it suggests dividing the CVSS Score by the Difficulty, which allows lower-scoring vulnerabilities that are easier to fix to receive a higher priority. Options A and B multiply the CVSS Score by Difficulty, which would not effectively elevate the priority of lower scores. Option D complicates the formula by weighting the CVSS Score, which is unnecessary for achieving the desired prioritization based on ease of implementation.