This application relates to information systems, computers and software. In the past three decades, information technology (IT) has changed and continues to change many aspects of society. Applications based on computers and software have reshaped the technology landscapes and system capabilities in modern financial systems, communication systems, healthcare systems, military systems, aerospace systems, entertainment systems, and much more. As software becomes a key infrastructure in many domains, software security failures can cause severe damage and losses to key system stakeholders.
Vulnerabilities can be prioritized by static rankings recommended by authoritative organizations such as the Computer Emergency Response Team (CERT), the National Institute of Standards and Technology (NIST), Microsoft®, and Symantec®. However, these ratings are static and do not take the system stakeholder utilities into account. Measuring Commercial Off-The-Shelf (COTS) security threats and prioritizing vulnerabilities efficiently can be difficult due to a lack of effective metrics to measure stakeholder utilities, a lack of firm historical data, and the complex and sensitive nature of security.