In this work, we present a fuzzy systems approach for assessing the relative risk associated with computer network assets. We use this approach to rank vulnerabilities so that analysts can prioritise their work based on the potential risk exposures of assets and networks. We associate vulnerabilities to individual assets, and therefore networks, and develop fuzzy models of the vulnerability attributes. We use fuzzy rules to make an inference on the risk exposure and the likelihood of attack, which allows us to rank the vulnerabilities and show which ones need more immediate attention. We argue that our approach has more meaningful vulnerability prioritisation values than the severity level calculated by the popularly used Common Vulnerability Scoring System (CVSS) approach.
