Fast-growing digital trends have expanded the cyber-attack threat landscape, placing unprecedented burdens on organizations to manage vulnerabilities effectively. This study investigated, over two years, the complex relationships between human expertise and technological solutions in cybersecurity vulnerability management (VM) at a leading fast-moving consumer goods (FMCG) company that operates in multiple countries and uses both on-premises and cloud infrastructure. It introduces the tensions arising from this duality and an innovative AI-driven scoring methodology designed to streamline the end-to-end VM process and to offer the more dynamic, contextualized risk assessment that traditional scoring methods such as the Common Vulnerability Scoring System (CVSS) lack. Rooted in sociotechnical systems theory (STS), actor-network theory (ANT), and the resource-based view (RBV), this research bridges the gap between technological reliance and human interpretative skills, two dominant but often disconnected aspects of VM. The paper highlights the benefit to VM of a symbiotic relationship between humans and technology, emphasizing how artificial intelligence (AI) and automation can mitigate the limitations of human-centric approaches and how humans can address technology's contextual limitations, resulting in a win-win approach. The findings set the direction for a nascent stream of academic research on the relationship between humans and AI in vulnerability management and for practical applications of vulnerability scoring in cybersecurity.
Keywords: Vulnerability management; Artificial intelligence; Automation; Human aspects of security; Technology vs human expertise; Vulnerability scoring; CVSS