Quantifying the Impact of CVSS Score Ordering on Attack Paths
Baiardi Fabrizio; Sammartino Vincenzo; Ruggieri Salvatore
2026-01-01
Abstract
A critical open question in cyber risk management is whether the risk is defined by the mere presence of high-scoring vulnerabilities or by the specific topological arrangement of their severity. This paper discusses how the success of an actor depends heavily not only on the aggregate vulnerability scores but also on the distribution of these scores along attack paths. To investigate this problem, we apply adversary simulation via security twins and introduce a formal framework for Permutation-Based Sensitivity Analysis to quantify the impact of CVSS score positioning on adversary success by shuffling the CVSS scores of the steps of an attack path. By applying this strategy in two distinct network topologies and considering different adversary strategies, we show that the order of CVSS scores fundamentally alters the risk profile. We also show that distributions where CVSS scores decrease towards the target strongly affect resource-constrained adversaries by trapping them in sunk-cost loops. Conversely, distributions where CVSS scores increase towards the target are most effective at early deterrence. Furthermore, we provide empirical evidence that meshed topologies are significantly less sensitive to positional hardening in both directions than hierarchical ones, providing further support for the adoption of Zero Trust solutions.

| File | Size | Format |
|---|---|---|
| Paper_Permutazioni__GOODTECHS_2026_.pdf (open access). Description: Author version. Type: Pre-print document. License: All rights reserved | 166.89 kB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.


