TY - GEN
T1 - Scoring Cyber Vulnerabilities based on Their Impact on Organizational Goals
AU - Keskin, Omer
AU - Gannon, Nick
AU - Lopez, Brian
AU - Tatar, Unal
N1 - Publisher Copyright: © 2021 IEEE.
PY - 2021/4/30
Y1 - 2021/4/30
N2 - Vulnerability Management, which is a vital part of risk and resiliency management efforts, is a continuous process of identifying, classifying, prioritizing, and removing vulnerabilities on devices that are likely to be used by attackers to compromise a network component. For effective and efficient vulnerability management, which requires extensive resources such as time and personnel, vulnerabilities should be prioritized based on their criticality. One of the most common methods to prioritize vulnerabilities is the Common Vulnerability Scoring System (CVSS). However, in its severity scores, the National Institute of Standards and Technology (NIST) provides only the base metric values, which capture the exploitability and impact of known vulnerabilities, while acknowledging that temporal and environmental characteristics are needed for a more accurate vulnerability assessment. There is no established method for integrating these metrics. In this study, we created a testbed to assess vulnerabilities by considering the functional dependencies between vulnerable assets, other assets, and business processes. The experiment results revealed that a vulnerability's severity changes significantly from its CVSS base score when the vulnerable asset's characteristics and role inside the organization are considered.
AB - Vulnerability Management, which is a vital part of risk and resiliency management efforts, is a continuous process of identifying, classifying, prioritizing, and removing vulnerabilities on devices that are likely to be used by attackers to compromise a network component. For effective and efficient vulnerability management, which requires extensive resources such as time and personnel, vulnerabilities should be prioritized based on their criticality. One of the most common methods to prioritize vulnerabilities is the Common Vulnerability Scoring System (CVSS). However, in its severity scores, the National Institute of Standards and Technology (NIST) provides only the base metric values, which capture the exploitability and impact of known vulnerabilities, while acknowledging that temporal and environmental characteristics are needed for a more accurate vulnerability assessment. There is no established method for integrating these metrics. In this study, we created a testbed to assess vulnerabilities by considering the functional dependencies between vulnerable assets, other assets, and business processes. The experiment results revealed that a vulnerability's severity changes significantly from its CVSS base score when the vulnerable asset's characteristics and role inside the organization are considered.
KW - CVSS
KW - Cybersecurity risk
KW - vulnerability scoring
UR - https://www.scopus.com/pages/publications/85114197688
U2 - 10.1109/SIEDS52267.2021.9483741
DO - 10.1109/SIEDS52267.2021.9483741
M3 - Conference contribution
T3 - 2021 IEEE Systems and Information Engineering Design Symposium, SIEDS 2021
BT - 2021 IEEE Systems and Information Engineering Design Symposium, SIEDS 2021
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2021 IEEE Systems and Information Engineering Design Symposium, SIEDS 2021
Y2 - 30 April 2021
ER -
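The abstract's central point, that a vulnerability's severity moves away from its CVSS base score once the asset's role in the organization is taken into account, can be seen concretely by running the published CVSS v3.1 environmental equations over one vulnerability against several assets with different confidentiality, integrity and availability requirements. The Python below is an added illustration and is not code from the paper or its testbed; it implements the base, temporal and environmental formulas from section 7 of the CVSS v3.1 specification, and the asset names and requirement ratings in `rank_for_assets` are constructed assumptions, not data from the study.

```python
"""CVSS v3.1 base / temporal / environmental scoring (spec section 7).
Added illustration; not the paper's scoring method or testbed code."""
import math

_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}   # privileges, scope unchanged
_PR_C = {"N": 0.85, "L": 0.68, "H": 0.50}   # privileges, scope changed
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
_E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
_RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
_RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}
_REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR weights


def roundup(x):
    """Spec 7.5 Roundup: smallest one-decimal value >= x, computed on an
    integer scale so float noise (e.g. 7.1440000001) does not bump the score."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    head, *parts = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError("not a CVSS v3.x vector: %r" % vector)
    return dict(p.split(":", 1) for p in parts)


def _impact_sub(iss, scope_changed, modified):
    # Modified impact uses the v3.1 exponent/scale fix; base impact does not.
    if not scope_changed:
        return 6.42 * iss
    if modified:
        return 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    return 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15


def _combine(impact, exploitability, scope_changed):
    if impact <= 0:
        return 0.0
    if scope_changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def base_score(vector):
    m = parse_vector(vector)
    changed = m["S"] == "C"
    pr = (_PR_C if changed else _PR_U)[m["PR"]]
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = _impact_sub(iss, changed, modified=False)
    expl = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    return _combine(impact, expl, changed)


def environmental_score(vector):
    """Base metrics, overridden by any M* metrics, weighted by the asset's
    CR/IR/AR requirements and scaled by temporal E/RL/RC. Metrics absent
    from the vector are treated as X (not defined), per the spec."""
    m = parse_vector(vector)

    def eff(name):  # modified value if supplied and not X, else base value
        v = m.get("M" + name, "X")
        return m[name] if v == "X" else v

    changed = eff("S") == "C"
    pr = (_PR_C if changed else _PR_U)[eff("PR")]
    miss = min(1 - (1 - _REQ[m.get("CR", "X")] * _CIA[eff("C")])
                 * (1 - _REQ[m.get("IR", "X")] * _CIA[eff("I")])
                 * (1 - _REQ[m.get("AR", "X")] * _CIA[eff("A")]), 0.915)
    impact = _impact_sub(miss, changed, modified=True)
    expl = 8.22 * _AV[eff("AV")] * _AC[eff("AC")] * pr * _UI[eff("UI")]
    temporal = _E[m.get("E", "X")] * _RL[m.get("RL", "X")] * _RC[m.get("RC", "X")]
    inner = _combine(impact, expl, changed)
    return roundup(inner * temporal) if inner > 0 else 0.0


def rank_for_assets(base_vector, assets):
    """Score one vulnerability on each asset and rank by environmental score.
    `assets` maps an asset name to its (CR, IR, AR) ratings."""
    rows = [(name, environmental_score("%s/CR:%s/IR:%s/AR:%s" % (base_vector, cr, ir, ar)))
            for name, (cr, ir, ar) in assets.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # Constructed example: a remote unauthenticated DoS (base 7.5) hitting
    # assets whose availability matters very differently to the business.
    dos = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    assets = {"payment-gateway": ("M", "M", "H"), "lab-box": ("L", "L", "L"),
              "hr-portal": ("H", "M", "M")}
    print("base:", base_score(dos))
    for name, score in rank_for_assets(dos, assets):
        print("%-16s %.1f" % (name, score))
```

Running the block shows the same base-7.5 denial of service scored 9.3 on the availability-critical gateway and 5.7 on the low-value lab host, which is the kind of divergence from the base score the abstract reports. Note the two roundings: the environmental formula rounds the impact/exploitability sum before applying the temporal factors and then rounds again, so a naive single rounding can differ by 0.1 from the reference calculator.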