Cyber-risk assessment is gaining momentum due to the wide range of research and innovation sectors that can benefit from the prevention of cyber-incidents. The increasing connectivity of digital and (cyber-)physical systems requires more attention to cyber-security to enhance the integrity, confidentiality, and availability of data. We introduce a general framework supporting the prioritization of cyber-vulnerabilities, using flexible regression models that enhance the interpretability of the analysis for decision-making. We take advantage of Mid-Quantile regression as a robust method to deal with ordinal severity assessment, and we compare it to the state-of-the-art models for cyber-risk ranking and graded responses, identifying a novel accuracy measure suited to the decision-maker's prioritization. Our model is grounded in real data from selected databases that support the exploitation of cyber-vulnerabilities in real contexts. The variety of information arising from such datasets allows us to compare multiple models based on their predictive performance, showing how accessible information can influence perception and, hence, decision-making in operational scenarios. Applications to threat intelligence functions are also discussed.