A security team configures its SIEM to assign a priority to every alert based only on the CVSS base score of the associated vulnerability. Which of the following weaknesses is MOST likely to result from this approach?
No weakness exists; the CVSS base score already incorporates asset importance and likelihood, making additional factors unnecessary.
High-CVSS alerts on non-critical systems could be prioritized over incidents on mission-critical assets, causing analysts to overlook the greatest business risk.
Using CVSS scores prevents the SIEM from correlating events that originate from multiple log sources.
The SIEM will rapidly exhaust its log-storage capacity because CVSS scoring increases the volume of stored events.
CVSS scores describe the inherent technical severity of a vulnerability, but they do not factor in business context such as asset value, data sensitivity, or threat likelihood. As a result, an alert involving a high-CVSS vulnerability on a low-value system could be ranked ahead of a lower-CVSS issue on a mission-critical database. Using CVSS alone therefore risks misallocating analyst effort and overlooking the alerts that pose the greatest real-world risk. The other options are incorrect because CVSS does not incorporate asset criticality (so the claim that the base score is sufficient on its own is false), does not affect log-storage volume, and does not prevent the SIEM from correlating events across log sources.