## Friday, August 8, 2008

### Making sense of the CVSS equations for risk analysis

I am considering using the CVSS standard to get realistic input values for a real-time risk management model I am developing in a research project. This vulnerability scoring system is meant to be easy to use and understandable. However, I have been trying to make sense of the equations of CVSSv2 without much success. This is what the equation for the base score looks like:

```
BaseScore = round_to_1_decimal(((0.6*Impact)+(0.4*Exploitability)-1.5)*f(Impact))
Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
Exploitability = 20 * AccessVector*AccessComplexity*Authentication
f(Impact) = 0 if Impact=0, 1.176 otherwise
```

It is not clear at all why the equation looks like this, especially the parts marked in bold. If we look at the old version (CVSSv1), it is much easier to understand:

```
BaseScore = round_to_1_decimal(10 * AccessVector
                                  * AccessComplexity
                                  * Authentication
                                  * ((ConfImpact * ConfImpactBias)
                                   + (IntegImpact * IntegImpactBias)
                                   + (AvailImpact * AvailImpactBias)))
```

As can be seen, CVSSv1 is much more straightforward than CVSSv2. In CVSSv1 the different parts might be interpreted as probabilities or costs.

I have a lot of questions about CVSSv2 that I would like to ask:
• Most important: Can anybody tell me what the numerical values of ConfImpact, IntegImpact and AvailImpact mean? Are they probabilities, risk metrics of their own or anything else?
• Why are the impact values combined with a noisy-OR instead of just being added?
• Why are the values of the access vector, authentication and access complexity weighted and then added together with the impact instead of just being multiplied?
• Did the people behind CVSSv2 try to adjust the weights of the CVSSv1 to fit the requirements of CVSSv2 before changing to the new equation? If not, why?
• There is a lot of research in knowledge representation and elicitation; how has it influenced this work (if at all)?
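To make the CVSSv2 base-score equation above concrete, and to show what the noisy-OR in the second question actually does to the impact term, here is an added worked example (my own code, not part of CVSS or the post). It assumes the per-metric constants from the CVSS v2 guide (AV, AC, Au and C/I/A values), which the post does not reproduce; the vector strings are constructed inputs.

```python
# CVSS v2 base score, computed from the equation quoted in the post.
# Per-metric constants are assumed from the CVSS v2 guide (not on the page).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # AccessVector: Local/Adjacent/Network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # AccessComplexity: High/Medium/Low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication: Multiple/Single/None
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Conf/Integ/Avail impact: None/Partial/Complete


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:N/I:N/A:C' into {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":") for part in vector.split("/"))


def impact(c, i, a):
    """Noisy-OR combination of the three impact metrics, scaled by 10.41.

    1 - prod(1 - x) saturates at 1, so Impact can never exceed 10.41 no matter
    how many of C/I/A are 'Complete'; plain addition would not have that bound.
    """
    return 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))


def impact_additive(c, i, a):
    """Hypothetical alternative (NOT a CVSS formula): simple sum of the three
    impact values, kept only to contrast with the noisy-OR above."""
    return 10.41 * (CIA[c] + CIA[i] + CIA[a])


def exploitability(av, ac, au):
    """Purely multiplicative, as in the post's equation."""
    return 20 * AV[av] * AC[ac] * AU[au]


def base_score(vector):
    """Weighted sum of Impact and Exploitability, minus 1.5, times f(Impact)."""
    m = parse_vector(vector)
    imp = impact(m["C"], m["I"], m["A"])
    expl = exploitability(m["AV"], m["AC"], m["Au"])
    f_impact = 0 if imp == 0 else 1.176          # f(Impact) from the post
    return round(((0.6 * imp) + (0.4 * expl) - 1.5) * f_impact, 1)


if __name__ == "__main__":
    for v in ("AV:N/AC:L/Au:N/C:N/I:N/A:C",      # remote, unauthenticated DoS
              "AV:N/AC:L/Au:N/C:C/I:C/A:C",      # worst case on every metric
              "AV:N/AC:L/Au:N/C:N/I:N/A:N"):     # no impact at all -> f(Impact)=0
        print(v, "->", base_score(v))
```

Running it shows the saturation the noisy-OR buys: with C/I/A all Complete, Impact lands just above 10.0, whereas the additive variant would give about 20.6 and push the score off the 0..10 scale.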