Friday, August 8, 2008

Making sense of the CVSS equations for risk analysis

I am considering using the CVSS standard to get realistic input values for a real-time risk management model I am developing in a research project. This vulnerability scoring system is meant to be easy to use and understandable. However, I have been trying to make sense of the equations of CVSSv2 without much success. This is what the equation for the base score looks like:

BaseScore = round_to_1_decimal(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))

Impact = 10.41 * (1 - (1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))

Exploitability = 20 * AccessVector*AccessComplexity*Authentication

f(Impact) = 0 if Impact = 0, 1.176 otherwise


It is not clear at all why the equation looks like this, especially the parts marked in bold. If we look at the old version (CVSSv1), it is much easier to understand:

BaseScore = round_to_1_decimal(10 * AccessVector * AccessComplexity * Authentication
            * ((ConfImpact * ConfImpactBias)
             + (IntegImpact * IntegImpactBias)
             + (AvailImpact * AvailImpactBias)))

As can be seen, CVSSv1 is much more straightforward than CVSSv2. In CVSSv1 the different parts might be interpreted as probabilities or costs.

I have a lot of questions about CVSSv2 that I would like to ask:
  • Most important: Can anybody tell me what the numerical values of ConfImpact, IntegImpact and AvailImpact mean? Are they probabilities, risk metrics of their own or anything else?
  • Why are the impact values combined with a noisy-OR instead of just being added?
  • Why are the values of the access vector, authentication and access complexity weighted and then added together with the impact instead of just being multiplied?
  • Did the people behind CVSSv2 try to adjust the weights of the CVSSv1 to fit the requirements of CVSSv2 before changing to the new equation? If not, why?
  • There is a lot of research on knowledge representation and elicitation; how has it influenced this work (if at all)?

2 comments:

Anonymous said...

Hey Tomas,

I'm catching up on my blog reading. Did you see Chris Hayes' discussion about FAIR and CVSSv2 over at riskital.com?

Tomas said...

Yes, I have seen his discussion. Though interesting, he did not address the specific issues I have raised.