The College of Information Sciences and Technology at Penn State, in partnership with Tripwire, today announced that the top 25 percent of vulnerability management contributors scanned their networks nearly continuously and had an average aggregate host risk score of 2.14 using the Common Vulnerability Scoring System (CVSS).
CVSS is an industry standard that measures the severity of vulnerabilities and helps prioritize remediation efforts. CVSS scores range from zero to ten: vulnerabilities with a base score of 7.0-10.0 are critical, 4.0-6.9 are major and 0-3.9 are minor.
Two key vulnerability management metrics derived from Penn State’s Benchmark, a free, cloud-based cybersecurity analytics service, are average host risk score and average days since the last scan.
“Average aggregate host risk score and average days since last scan are excellent indicators of vulnerability management performance because they tend to move in the same direction,” said Rod Murchison, vice president of product management at Tripwire. “Together, these scores indicate that companies that scan more frequently tend to have a more effective vulnerability remediation process, lowering their overall vulnerability risk scores,” said Murchison.
In addition, Benchmark allows security professionals to collaborate on security best practices and compare their security performance against community and industry benchmarks.
“Benchmark metrics help analysts take a qualitative approach to the capabilities of their cybersecurity infrastructure,” said Dr. David Hall, dean of the College of Information Sciences and Technology at Penn State. “Together, these metrics also make it possible for cybersecurity experts to evaluate the performance of their security controls at a higher level of abstraction.”
Tripwire donated its Benchmark service to the Center for Cyber Security, Information Privacy and Trust at Penn State’s College of Information Sciences and Technology in April.
“Benchmark is a great example of the type of tools we need to train the next generation of cybersecurity analysts, and that is precisely why we are integrating it into our undergraduate curriculum,” said Hall.
The free Penn State security analytics service is available today to any organization that would like to measure the effectiveness of their IT security investments. For more information and access to security and risk metrics, scorecards and benchmarks, please visit: https://benchmark.ist.psu.edu/.