Re: The logical next step is the two-dimensional risk rating approach
I don't think the scoring is the real issue. The real issue is the way risk is determined.
Most security frameworks define risk as threat * vulnerability.
The trouble with that is that vulnerabilities are generally easier to identify than threats.
That's what I think this researcher is pointing out, i.e. you can have a couple of relatively low-scoring vulnerabilities which wouldn't be prioritised if they aren't aligned with some sort of high-scoring threat...thus providing a low risk rating in a risk assessment, which in turn leads to the vulnerabilities not being dealt with or compensated for.
I think the vulnerability scoring system is...ok. Threat identification not so much. With threat identification being as woolly as it is, it makes risk assessment less accurate and prone to error.