When scoring risks for a penetration test report, which step should be prioritized?

Multiple Choice

When scoring risks for a penetration test report, which step should be prioritized?

Explanation:
Use a standardized, quantitative risk scoring approach to triage vulnerabilities. CVSS provides a numerical score that combines impact and exploitability, allowing you to convert each finding into a single risk score and rank them accordingly. This enables fair comparison across different assets and types of vulnerabilities, rather than relying on vague labels. The score incorporates factors such as how severe the impact could be on confidentiality, integrity, and availability, and how easy or scalable it is to exploit. You can adjust for context with temporal and environmental modifiers, but the core idea is to quantify risk so remediation efforts go to the highest-risk items. This approach beats qualitative labels, ranking by asset value alone, or treating all issues as equally important, because those methods miss how likelihood and impact interact and how that interplay affects overall risk to the organization.