November 4, 2025

The Rational Rejection of Vulnerability Management

Robert "RSnake" Hansen


One of my favorite papers ever written was one by Microsoft entitled “So long, and no thanks for the externalities: the rational rejection of security advice by users”. Its authors argued that users are right to ignore the advice of the security community. They suggested that the tradeoff between effort and benefit is so misaligned that people are rational, not careless, when they disregard security guidance. At the time the paper was written, users actually saved money by ignoring security measures, because the cost to the end user was far higher than the expected losses. It’s a very interesting paper with a controversial conclusion, yet it made me think more about the preferences and incentives of end users than any paper ever had.

The same idea applies to the world of vulnerability management. Every week there are roughly a thousand new CVEs published. The current vulnerability management approach attempts to raise each one of them to the user’s attention, carrying the implication that it could be the next great disaster. 

Based on a mid-year analysis of vulnerability data, the number of newly published High and Critical Common Vulnerabilities and Exposures (CVEs) in the first half of 2025 is:

  • Critical Severity (CVSS ≥9.0): 1,773 CVEs
  • High Severity (CVSS 7.0 – 8.9): 6,521 CVEs

This brings the combined total of High and Critical severity CVEs to approximately 8,294 (1,773 + 6,521) in the first half of 2025.

Overall, about 38% of the 21,500+ total CVEs reported during that period were rated as High or Critical severity.

Another way I like to look at it is that we see around 1,000 new CVEs released each and every week. When I talk to VM teams I say, “No offense, but you are not keeping up with those 1,000 new CVEs each week.” Never, not once, have they refuted that. They know I’m right. In their defense, they do try to focus on the highs and criticals, but as we know, adversaries aren’t particularly married to highs and criticals; they use whatever works. So de facto, we know that these teams are missing real vulns that will lead to loss.

The problem is not that these vulnerabilities exist (they do); the vast majority of them will never result in an actual loss event. The problem is that no company, no matter how large or efficient, can possibly address them all. This implicitly means that vulnerability management teams must determine which security issues actually matter, so they can prioritize resources. The cost of fixing every theoretical flaw vastly outweighs the expected benefit.

Organizations scan their systems, report the findings, fix a few prioritized on CVSS or some other scoring system, and repeat. Then they get hacked, because they rarely prioritize properly. The cycle feeds the bureaucracy of compliance and the belief that prioritization, no matter how flawed, is beneficial, but in practice it does almost nothing to reduce the probability of loss, which we discussed in the post on paradoxes. The process may feel scientific to the end user because it is full of numbers and charts, red lights and yellow lights, scores from 0-10 or grades A-F, etc., but it doesn’t actually reduce loss unless every vuln that an adversary will actually use gets closed.

Dan Drees mentioned a Fortune 500 enterprise that had turned off all of its vulnerability signatures. They still ran the software. The VM program still generated reports. But why? Are they crazy, or does it make perfect sense?

On paper, they were meeting the minimum bar of compliance: running a vulnerability scanner. They likely turned off the signatures because, like so many other companies, they found that the noise had become unbearable. Most interestingly, however, the losses they encountered would likely end up being the same, since the scanner would not actually help them with prioritization.

I would bet that many tens or hundreds of thousands of “critical” or “high” issues, most of which had no bearing on their actual exposure, were consuming enormous amounts of time and money. Meanwhile, enough of the “medium” or “low” vulns were still being exploited that they were never able to make sense of it. What is the win condition? Fix millions of vulns just to address the handful that sentient adversaries will use?

There is a huge hidden cost here to running a VM program, especially when you box yourself into a corner and find that you have to fix things that don’t matter.

When that Fortune 500 company stopped playing the game, I promise you that virtually nothing changed. They likely were not breached more often. They did not lose more data. What they lost was the illusion of progress. I guarantee you that the company is just humming along as it always did without actually scanning for vulnerabilities. What they gained back was a lot of time that they would have spent closing vulns that no adversary on earth has ever used at any time and likely ever will.

To some, this sounds like negligence, or completely crazy. To me it feels rational, not crazy.

The promise of vulnerability management was that by finding and fixing weaknesses, we could prevent loss. Yet the overwhelming majority of losses occur through a fraction of a percent of all tracked causes.

The only rational version of vulnerability management is one that can nearly perfectly prioritize. It must be able to distinguish between what will lead to loss and what will not. Anything short of that is a tax on the company: toiling away on issues that do not matter to anyone, mindlessly complying with standards that do not understand real-world risk. Without next-to-perfect prioritization, the system cannot scale, and pretending otherwise is self-deception.
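To make the prioritization argument concrete, here is an added example (my own illustration, not code from the original post or from any scanner vendor) that runs two triage policies over a small constructed set of findings: the conventional CVSS threshold queue, and a queue ordered by evidence that a loss is actually likely (exploitation evidence first, then exposure and asset value, with CVSS only as a tiebreaker). The field names `cvss`, `exploited_in_wild`, `internet_facing` and `asset_tier` are assumptions chosen for the illustration, and the CVE identifiers are placeholders, not real advisories. The point it shows is the one the post makes: the CVSS cut fills the queue with unexploited highs while dropping the medium and low findings that are the ones actually being used.

```python
"""Added example: CVSS-threshold triage vs loss-evidence triage on constructed data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifier, constructed for this example
    host: str
    cvss: float              # base score as a scanner would report it
    exploited_in_wild: bool  # any exploitation evidence the team trusts (assumed field)
    internet_facing: bool    # reachable from outside (assumed field)
    asset_tier: int          # 1 = business-critical, 2 = important, 3 = low value (assumed)


# Constructed sample findings; identifiers and hosts are placeholders.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-0001", "web-01", 9.8, False, False, 3),
    Finding("CVE-PLACEHOLDER-0002", "db-02", 8.1, False, False, 2),
    Finding("CVE-PLACEHOLDER-0003", "vpn-01", 6.5, True, True, 1),
    Finding("CVE-PLACEHOLDER-0004", "lab-07", 7.5, False, False, 3),
    Finding("CVE-PLACEHOLDER-0005", "mail-01", 5.3, True, True, 2),
    Finding("CVE-PLACEHOLDER-0006", "hr-03", 9.1, False, False, 2),
]


def cvss_cut(findings, threshold=7.0):
    """The conventional queue: everything at or above the threshold, highest score first."""
    return sorted((f for f in findings if f.cvss >= threshold), key=lambda f: -f.cvss)


def loss_score(f):
    """Sort key ordered by evidence of loss rather than theoretical severity.

    Tuples compare element by element, so exploitation evidence dominates,
    then exposure, then asset value; CVSS only breaks remaining ties.
    """
    return (
        2 if f.exploited_in_wild else 0,
        1 if f.internet_facing else 0,
        4 - f.asset_tier,  # tier 1 -> 3, tier 3 -> 1
        f.cvss / 10,
    )


def loss_queue(findings):
    """Every finding, ordered by how likely it is to turn into a loss event."""
    return sorted(findings, key=loss_score, reverse=True)


def missed_by_cvss(findings, threshold=7.0):
    """Exploited findings that the CVSS cut would never surface to the team."""
    shown = set(cvss_cut(findings, threshold))
    return [f for f in findings if f.exploited_in_wild and f not in shown]


def unexploited_in_queue(findings, threshold=7.0):
    """The 'tax': queued findings with no exploitation evidence at all."""
    return [f for f in cvss_cut(findings, threshold) if not f.exploited_in_wild]


if __name__ == "__main__":
    print("CVSS >= 7.0 queue :", [f.host for f in cvss_cut(FINDINGS)])
    print("Loss-evidence queue:", [f.host for f in loss_queue(FINDINGS)])
    print("Exploited but cut  :", [f.host for f in missed_by_cvss(FINDINGS)])
    print("Queued, unexploited:", [f.host for f in unexploited_in_queue(FINDINGS)])
```

On this data the CVSS queue is four items long and every one of them lacks exploitation evidence, while both findings with such evidence (a 6.5 on an internet-facing tier-1 host and a 5.3 on mail) fall below the cut and would never be worked. The weighting in `loss_score` is deliberately simple; the substance of any real version of this is the quality of the exploitation and exposure signals feeding it, which is exactly the near-perfect prioritization the paragraph above demands.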

The irony is that the very companies that turn away from traditional vulnerability management may understand risk more clearly than those who cling to old ways. They recognize that time and focus are finite. They know that compliance is not protection. They are not rejecting security itself. They are rejecting the theater of it.

When viewed through that lens, the rejection of þā ealdan wīsan (the Old Ways) of vulnerability management is not a failure of discipline, or negligence, or ignorance.

No… it’s rational.
