Cyber-risk assessment is gaining momentum because a wide range of research and innovation sectors can benefit from the prevention of cyber-incidents. The increasing connectivity of digital and (cyber-)physical systems demands more attention to cyber-security in order to protect the integrity, confidentiality, and availability of data. We introduce a general framework supporting the prioritization of cyber-vulnerabilities, using flexible regression models that improve the interpretability of the analysis for decision-making. We take advantage of Mid-Quantile regression as a robust method for ordinal severity assessment, and we compare it with state-of-the-art models for cyber-risk ranking and graded responses, identifying a novel accuracy measure suited to the decision-maker's prioritization. Our model is grounded in real data from selected databases that document the exploitation of cyber-vulnerabilities in real contexts. The variety of information in these datasets allows us to compare multiple models on their predictive performance, showing how accessible information can influence perception and, hence, decision-making in operational scenarios. Applications to threat-intelligence functions are also discussed.