Abstract:

The common vulnerability scoring system (CVSS) evaluates the threats of vulnerabilities of a particular system at three levels, and the final environmental scores reflect the degree of its security. In the CVSS metrics, CVSS environmental metrics are the only variable that depends on the conditions of the target organization or system, so obtaining their values becomes the key and most difficult part for users to implement security risk management and control strategies. To solve this issue, we study the influence of environmental metrics on the final CVSS environmental scores, and give an overall estimation of environmental metrics vector influence on CVSS environmental scores, as well as the formulas of each vector component's influence on the score. Experimental results show that the new estimation method can improve the accuracy in the aspects of environmental metrics’ overall impact and subindex influence on CVSS environmental scores, thus entering the completely accepted range of the defacto standard.

Key words: vulnerability, common vulnerability scoring system (CVSS), environmental metric, scoring, security