A Look at the Time Delays in CVSS Vulnerability Scoring

Emerging Standards

example, should they first address a vulnerability with a severity of “5” or one with a severity of “high”? The Common Vulnerability Scoring System (CVSS) is a public initiative designed to address this issue by presenting a framework for assessing and quantifying the impact of software vulnerabilities. Organizations currently generating CVSS scores include Cisco, US National Institute of Stand...

Quantitative Security Risk Evaluation using CVSS Metrics by Estimation of Frequency and Maturity of Exploit

The evaluation of network risk is a vital task. It is an essential step in securing any network. This evaluation can help security professionals in making optimal decisions about how to design security countermeasures in order to improve security. This paper proposes a risk estimation model that uses vulnerability database National Institute of Standards and Technology (NIST) National Vulnerabi...

The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems

Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment

[Context] The CVSS framework provides several dimensions to score vulnerabilities. The environmental metrics allow security analysts to downgrade or upgrade vulnerability scores based on a company’s computing environments and security requirements. [Question] How difficult is for a human assessor to change the CVSS environmental score due to changes in security requirements (let alone technical...

Security Risk Scoring Incorporating Computers' Environment

A framework of a Continuous Monitoring System (CMS) is presented, having new improved capabilities. The system uses the actual real-time configuration of the system and environment characterized by a Configuration Management Data Base (CMDB) which includes detailed information of organizational database contents, security and privacy specifications. The Common Vulnerability Scoring Systems' (CV...