Which element is significant for the Common Vulnerability Scoring System (CVSS) score but is not a primary risk component?

The Common Vulnerability Scoring System (CVSS) is a standardized framework used to assess and convey the severity of vulnerabilities in software and hardware. In CVSS, the scoring is based on several factors, some of which directly contribute to the primary risk evaluation, such as impact and exploitability.

Exploitability is significant in the context of CVSS because it considers how easily a vulnerability can be exploited in the real world. This aspect impacts the score by enabling evaluators to understand the potential ease or difficulty of an attack occurring. However, exploitability does not serve as a primary risk component on its own; it acts more as a contributing factor to the overall assessment of risk related to a vulnerability.

Impact, on the other hand, is a central component in determining the potential damage or consequences that could result from the exploitation of a vulnerability. Likelihood correlates with the probability of the vulnerability being exploited, while integrity reflects the accuracy and reliability of the data or system. Among these, exploitability plays a supportive role in scoring but does not embody the core components of risk that focus on the potential harm or the likelihood of occurrence. Thus, while it is relevant to the CVSS score, it is not considered a primary driver of risk assessment.