Abstract

This paper explores the drawbacks of using the Common Vulnerability Scoring System (CVSS) in mission-critical government infrastructures, with special attention to Dubai Immigration systems. Although CVSS is a widely used tool for evaluating the severity of technical vulnerabilities, it fails to consider organisational factors such as the exposure of the asset, the criticality of the system, the number of users and the sensitivity of data. Such contextual blindness may lead to misaligned prioritisation and ineffective resource allocation in high-risk and highly sensitive settings. The researchers systematically analyse three questions: whether contextual features can be incorporated into CVSS to reflect real-world risk more effectively; which contextual elements have the strongest impact on adjusted scores; and whether prioritisation is affected by contextual weighting. The dataset comprised 39,537 CVSS v3.1 vulnerabilities, and artificial contextual features were created to mimic the environment in which the Dubai Immigration systems would operate. A weighted scoring model was implemented to calculate context-adjusted vulnerability scores. Python and IBM SPSS Statistics were used for data analysis, visualisation and comparative assessment. The results show that contextual weighting has a strong impact on severity classification, with over 60 percent of the vulnerabilities undergoing some form of severity change. The most significant contextual factors were exposure type and asset criticality, which led to differences in rank even among vulnerabilities with similar technical scores. These findings show that traditional CVSS scoring is inadequate to reflect operational risk and that some forms of context-based scoring could better support remediation prioritisation in critical infrastructures.
The findings indicate that contextual variables can be incorporated into vulnerability scoring systems to increase their capability and their suitability for critical or high-stakes governmental systems. The paper suggests implementing hybrid scoring models in organisational vulnerability management processes, refining the contextual weighting parameters with the help of expert input, and introducing real-time threat intelligence.
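
A sketch of how a context-weighted adjustment can move both the severity band and the remediation rank, added here as an illustration and not taken from the thesis. The weights, the 0-to-1 factor levels, the multiplier formula and the sample findings are all assumptions; only the four factor names (from the abstract) and the CVSS v3.1 qualitative severity bands are not.

```python
# Added illustration. WEIGHTS, the factor levels and the formula are assumed,
# not the thesis's model; finding IDs and values are constructed.
WEIGHTS = {"exposure": 0.35, "criticality": 0.35, "users": 0.15, "sensitivity": 0.15}

def severity(score):
    """Map a 0-10 score to the CVSS v3.1 qualitative severity rating."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def context_index(ctx):
    """Weighted sum of factor levels, each in [0, 1]; 0.5 everywhere is neutral."""
    for name in WEIGHTS:
        if not 0.0 <= ctx[name] <= 1.0:
            raise ValueError(f"{name} must be in [0, 1]")
    return sum(WEIGHTS[name] * ctx[name] for name in WEIGHTS)

def adjusted_score(base, ctx):
    """Scale the base score by 0.5x-1.5x according to context, capped at 10.0."""
    if not 0.0 <= base <= 10.0:
        raise ValueError("base score must be in [0, 10]")
    return round(min(10.0, base * (0.5 + context_index(ctx))), 1)

def prioritise(findings):
    """Return findings sorted by adjusted score, with the severity shift recorded."""
    rows = []
    for f in findings:
        adj = adjusted_score(f["base"], f["ctx"])
        rows.append({"id": f["id"], "base": f["base"], "adjusted": adj,
                     "base_severity": severity(f["base"]), "adj_severity": severity(adj)})
    return sorted(rows, key=lambda r: r["adjusted"], reverse=True)

# Constructed sample: an internet-facing critical asset versus an isolated one.
EXPOSED = {"exposure": 1.0, "criticality": 1.0, "users": 0.8, "sensitivity": 1.0}
ISOLATED = {"exposure": 0.0, "criticality": 0.2, "users": 0.1, "sensitivity": 0.2}
SAMPLE = [
    {"id": "VULN-A", "base": 7.5, "ctx": EXPOSED},
    {"id": "VULN-B", "base": 7.5, "ctx": ISOLATED},
    {"id": "VULN-C", "base": 9.8, "ctx": ISOLATED},
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print(row)
```

With these assumed inputs, two findings that share a base score of 7.5 end up in different severity bands, and the 9.8 finding on the isolated asset ranks below the 7.5 finding on the exposed one.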

Publication Date

5-29-2026

Document Type

Thesis

Student Type

Graduate

Degree Name

Professional Studies (MS)

Department, Program, or Center

Graduate Programs & Research

Advisor

Hammou Messatfa

Campus

RIT Dubai
