Top-down

Unlike the bottom-up approach, where the activities are initiated by the ground-level staff, the top-down approach works much better as it is initiated, directed, and governed by the top management. For implementing a vulnerability management program using a top-down approach, the action flow would look like the following:

  1. The top management decides to implement a vulnerability management program
  2. The management calculates the ROI and checks the feasibility
  3. The management then prepares a policy, procedure, guideline, and standard for the vulnerability management program
  4. The management allocates a budget and resources for the implementation and monitoring of the program
  5. The mid-management and the ground-level staff then follow the policy and procedure to implement the program
  6. The program is monitored and metrics are shared with top management

The top-down approach for implementing a vulnerability management program as stated in the preceding scenario has a much higher probability of success since it's initiated and driven by top management.