Bridging the Gap Between Security Metrics and Key Risk Indicators: An Empirical Framework for Vulnerability Prioritization

📅 2026-03-12
🤖 AI Summary
Traditional CVSS scores often fail to effectively prioritize vulnerability remediation in real-world attack scenarios. This work proposes a composite Key Risk Indicator (KRI) based on expected loss decomposition, which, for the first time, decouples threat, exposure, and business impact into distinct modeling components to enable risk-informed remediation decisions. The KRI model integrates the Known Exploited Vulnerabilities (KEV) catalog, over 280,000 CVE records, and metrics including EPSS, CVSS, and attack surface exposure. Empirical evaluation demonstrates that KRI achieves a ROC-AUC of 0.927 and an AUPRC of 0.223, significantly outperforming CVSS. Moreover, when prioritizing the top 500 vulnerabilities for remediation, KRI captures 92.3% of impact-weighted value and identifies 1.75 times more critically exploited vulnerabilities than EPSS.

📝 Abstract
Organisations overwhelmingly prioritize vulnerability remediation using Common Vulnerability Scoring System (CVSS) severity scores, yet CVSS classifiers achieve an Area Under the Precision-Recall Curve (AUPRC) of 0.011 on real-world exploitation data, near random chance. We propose a composite Key Risk Indicator (KRI) grounded in expected-loss decomposition, integrating the dimensions of threat, impact, and exposure. We evaluated the KRI framework against the Known Exploited Vulnerabilities (KEV) catalog using a comprehensive dataset of 280,694 Common Vulnerabilities and Exposures (CVEs). KRI achieves a Receiver Operating Characteristic Area Under the Curve (ROC-AUC) of 0.927 and an AUPRC of 0.223, versus 0.747 and 0.011 for CVSS (24%, 20×). Ablation analysis shows that the Exploit Prediction Scoring System (EPSS) alone achieves an AUPRC of 0.365, higher than the full KRI (0.223), confirming that EPSS and KRI serve distinct objectives: EPSS maximizes raw exploit detection, while KRI re-orders by impact and exposure, capturing 92.3% of impact-weighted remediation value at k=500 versus 82.6% for EPSS, and surfacing 1.75 times more Critical-severity exploited CVEs. KRI's net benefit exceeds that of EPSS whenever the severity premium exceeds 2. While EPSS serves as a robust baseline for exploit detection, the KRI framework is the superior choice for organizations seeking to align remediation efforts with tangible risk reduction.
Problem

Research questions and friction points this paper is trying to address.

vulnerability prioritization
security metrics
Key Risk Indicators
CVSS
risk reduction
Innovation

Methods, ideas, or system contributions that make the work stand out.

Key Risk Indicator (KRI)
Vulnerability Prioritization
Expected-Loss Decomposition
CVSS
EPSS
Authors

Emad Sherif
Faculty of Technology, Arts and Culture, De Montfort University, Leicester, United Kingdom

Iryna Yevseyeva
De Montfort University, Leicester
Multicriteria optimisation, Risk assessment, Cyber security

Vitor Basto-Fernandes
ISCTE-IUL
Computer Science

Allan Cook
Faculty of Technology, Arts and Culture, De Montfort University, Leicester, United Kingdom