January 9, 2026
Greg Reber

Changing someone’s opinion, especially about something they have held for years or that simply feels correct, is less about persuasion and more about creating a moment of genuine cognitive dissonance strong enough to crack the foundation of certainty.
Consider the humble deck of cards.
A standard deck has fifty-two cards. Ask someone, if you shuffle it thoroughly, how many different arrangements are possible? Most people will not know, but the number must be in the million or billion range, right? But the true answer is that the resulting arrangement is almost certainly unique in human history. The number of possible permutations is 52 factorial, that is 52 multiplied by 51, then by 50, and so on down to 1.
The result is approximately 8 × 10^67, or 80,658,175,170,943,878,571,660,636,856,403,766,975,289,505,440,883,277,824,000,000,000,000. That is about 10 orders of magnitude more than the estimated number of atoms in our solar system. The arrangement you are holding is not just rare, it is effectively singular. This is not a feeling. It is mathematics. But most people will not believe it. It doesn’t feel right.
Now apply that same sense of scale to a persistent misunderstanding in cybersecurity: the Common Vulnerability Scoring System, or CVSS. Security teams, executives, and even regulators treat CVSS scores as risk scores. A vulnerability with a CVSS score of 9.8 is labeled critical, patched immediately, and used to justify budget, headcount, and sleepless nights. The higher the score, the greater the presumed risk. This belief is widespread, deeply entrenched, and feels right.
But CVSS is not a risk score. It is a severity score. The distinction is not semantic. It is foundational.
Severity measures how bad an exploit would be if it happened in a vacuum. It considers exploitability, impact on confidentiality, integrity and availability, and scope, all evaluated for the vulnerable component in the abstract, not for your deployment of it. A remote code execution flaw in a widely used library with no authentication required will score high. That makes sense. But risk requires probability. Risk is severity multiplied by likelihood, adjusted for ‘discoverability’, monetary exposure, and the controls already in place. A CVSS 10 vulnerability on an air-gapped system, behind multiple firewalls, with no network path to it and monitored by a mature security team, may pose near-zero risk. A CVSS 6 flaw in an internet-facing application with known exploits in the wild, unpatched for months, and holding sensitive customer data, can represent catastrophic risk.
Most security professionals know this in theory. The CVSS specification itself states clearly that the base score measures severity, not risk, and it even provides Temporal (Threat, in v4.0) and Environmental metric groups for adjusting to exploit maturity and deployment context. Yet in practice, dashboards display the base score alone and light up red at 9.0 and above. Patch prioritization tools sort by CVSS, or by an algorithm that heavily weights it. The belief persists not because the data is unclear, but because the feeling is strong. High severity equals high urgency. It is simple. It is actionable. It feels right.
To challenge this, we return to the deck of cards. Imagine a security analyst staring at a vulnerability with a CVSS of 9.8. Now introduce a single piece of data: in the past year, across a network of 50,000 endpoints, zero exploits of this specific vulnerability class succeeded. Not one. Zero observations do not prove the probability is zero, but they bound it: by the rule of three, zero successes in 50,000 endpoint-years puts the per-endpoint rate below roughly 3/50,000, about 0.006 percent a year, with 95 percent confidence, provided your detection would actually have caught a successful exploit. Odds in that neighbourhood are closer to naming a card and drawing it from a shuffled deck twice running than to the near-certainty a red 9.8 projects. The severity remains 9.8. The risk does not.
Changing a long-held belief requires more than correction. It requires replacement. For CVSS, the myth “high score equals high risk” is replaced with “high severity equals high impact if triggered.” The new framework is not less rigorous. It is more. It demands context, asset inventory, ‘loss cause’ knowledge (what actually produces loss in your environment), and control effectiveness.
Over time, teams that adopt this distinction see real outcomes. Patch cycles shorten for the vulnerabilities that actually carry risk. Time spent on findings that could never hurt you drops sharply. Leadership trusts security recommendations because they align with business reality.
In the end, persuasion is not about winning an argument. It is about creating a crack in certainty wide enough for light to enter. The deck of cards, with its incomprehensible permutations, is one such crack. The truth about CVSS is another.
Together, they remind us that what feels right is often just what feels familiar.