In vulnerability assessment, which term refers to factors or metrics due to local network or host configuration that increase or decrease the base risk level?


Multiple Choice

In vulnerability assessment, which term refers to factors or metrics due to local network or host configuration that increase or decrease the base risk level?

Explanation:
The main idea here is how local environment and host configuration change the risk a vulnerability poses beyond its inherent severity. Environmental variables describe the context around a system—things like network reachability, segmentation, firewall and access controls, patch level, and the presence of compensating controls. These factors can make the same vulnerability more risky if a host is exposed and poorly configured, or less risky if it’s isolated, well patched, and guarded by strong controls. For example, a vulnerability on a host that’s internet-facing and unpatched presents a higher risk than one on a host behind strict firewalls with up-to-date defenses. CVE catalogs known vulnerabilities, SCAP is an automation framework, and false positives are incorrect scan results; none of these capture how local configuration changes risk.