Estimating ToE Risk Level using CVSS

S.H. Houmb, V. Nunes Leal Franqueira

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

    38 Citations (Scopus)
    144 Downloads (Pure)


    Security management is about calculated risk and requires continuous evaluation to ensure cost, time and resource effectiveness. Part of this is making future-oriented, cost-benefit investments in security. Security investments must adhere to sound business principles in which both security and financial aspects play an important role. Information on the current and potential risk level is essential to successfully trade off security and financial aspects. Risk level is the combination of the frequency and impact of a potential unwanted event, often referred to as a security threat or misuse. This paper presents a risk level estimation model that derives risk level as a conditional probability over frequency and impact estimates. The frequency and impact estimates are derived from a set of attributes specified in the Common Vulnerability Scoring System (CVSS). The model works at the level of individual vulnerabilities (just as CVSS does) and is able to compose vulnerabilities into service levels. The service levels define the potential risk levels and are modelled as a Markov process, which is then used to predict the risk level at a particular time.
    Original language: Undefined
    Title of host publication: Proceedings of the Fourth International Conference on Availability, Reliability and Security (ARES 2009 - The International Dependability Conference)
    Place of Publication: Los Alamitos
    Number of pages: 8
    ISBN (Print): 978-0-7695-3564-7
    Publication status: Published - 16 Mar 2009
    Event: 4th International Conference on Availability, Reliability and Security, ARES 2009: The International Dependability Conference - Fukuoka Institute of Technology (FIT), Fukuoka, Japan
    Duration: 16 Mar 2009 - 19 Mar 2009
    Conference number: 4

    Publication series

    Name: IEEE Conference Proceedings
    Publisher: IEEE Computer Society
    ISSN (Print): 1077-2626
    ISSN (Electronic): 1941-0506


    Workshop: 4th International Conference on Availability, Reliability and Security, ARES 2009
    Abbreviated title: ARES


    • IR-65220
    • METIS-263703
    • EWI-14617
