Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment

Luca Allodi; Silvio Biagioni; Bruno Crispo; Katiaryna Labunets; Fabio Massacci; Wagner Santos

doi:10.1007/978-3-319-70004-5_2

Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment

Luca Allodi, Silvio Biagioni, Bruno Crispo, Katiaryna Labunets, Fabio Massacci, Wagner Santos

Safety and Security Science

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

4 Citations (Scopus)

138 Downloads (Pure)

Abstract

[Context] The CVSS framework provides several dimensions to score vulnerabilities. The environmental metrics allow security analysts to downgrade or upgrade vulnerability scores based on a company’s computing environments and security requirements. [Question] How difficult is for a human assessor to change the CVSS environmental score due to changes in security requirements (let alone technical configurations) for PCI-DSS compliance for networks and systems vulnerabilities of different type? [Results] A controlled experiment with 29 MSc students shows that given a segmented network it is significantly more difficult to apply the CVSS scoring guidelines on security requirements with respect to a flat network layout, both before and after the network has been changed to meet the PCI-DSS security requirements. The network configuration also impact the correctness of vulnerabilities assessment at system level but not at application level. [Contribution] This paper is the first attempt to empirically investigate the guidelines for the CVSS environmental metrics. We discuss theoretical and practical key aspects needed to move forward vulnerability assessments for large scale systems.

Original language	English
Title of host publication	Proceedings of the 4th International Conference on Future Data and Security Engineering, FDSE 2017
Editors	Tran Khanh Dang, Roland Wagner, Josef Küng, Nam Thoai, Makoto Takizawa, Erich J. Neuhold
Publisher	Springer
Pages	23-39
Number of pages	17
ISBN (Print)	978-3-319-70003-8
DOIs	https://doi.org/10.1007/978-3-319-70004-5_2
Publication status	Published - 2017
Event	International Conference on Future Data and Security Engineering - Ho Chi Minh City, Viet Nam Duration: 29 Nov 2017 → 1 Dec 2017 Conference number: 4 http://www.cse.hcmut.edu.vn/fdse2017/

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	10646
ISSN (Print)	0302-9743

Conference

Conference	International Conference on Future Data and Security Engineering
Abbreviated title	FDSE
Country	Viet Nam
City	Ho Chi Minh City
Period	29/11/17 → 1/12/17
Internet address	http://www.cse.hcmut.edu.vn/fdse2017/

Access to Document

10.1007/978-3-319-70004-5_2

FDSE_2017_paper_34Accepted author manuscript, 539 KB

http://resolver.tudelft.nl/uuid:67af62d4-9be6-4d01-91ee-a662c8435bbc

Fingerprint Dive into the research topics of 'Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment'. Together they form a unique fingerprint.

Cite this

Allodi, L., Biagioni, S., Crispo, B., Labunets, K., Massacci, F., & Santos, W. (2017). Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment. In T. Khanh Dang, R. Wagner, J. Küng, N. Thoai, M. Takizawa, & E. J. Neuhold (Eds.), Proceedings of the 4th International Conference on Future Data and Security Engineering, FDSE 2017 (pp. 23-39). (Lecture Notes in Computer Science; Vol. 10646). Springer. https://doi.org/10.1007/978-3-319-70004-5_2

Allodi, Luca ; Biagioni, Silvio ; Crispo, Bruno ; Labunets, Katiaryna ; Massacci, Fabio ; Santos, Wagner. / Estimating the Assessment Difficulty of CVSS Environmental Metrics : An Experiment. Proceedings of the 4th International Conference on Future Data and Security Engineering, FDSE 2017. editor / Tran Khanh Dang ; Roland Wagner ; Josef Küng ; Nam Thoai ; Makoto Takizawa ; Erich J. Neuhold. Springer, 2017. pp. 23-39 (Lecture Notes in Computer Science).

@inproceedings{67af62d49be64d0191eea662c8435bbc,

title = "Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment",

abstract = "[Context] The CVSS framework provides several dimensions to score vulnerabilities. The environmental metrics allow security analysts to downgrade or upgrade vulnerability scores based on a company{\textquoteright}s computing environments and security requirements. [Question] How difficult is for a human assessor to change the CVSS environmental score due to changes in security requirements (let alone technical configurations) for PCI-DSS compliance for networks and systems vulnerabilities of different type? [Results] A controlled experiment with 29 MSc students shows that given a segmented network it is significantly more difficult to apply the CVSS scoring guidelines on security requirements with respect to a flat network layout, both before and after the network has been changed to meet the PCI-DSS security requirements. The network configuration also impact the correctness of vulnerabilities assessment at system level but not at application level. [Contribution] This paper is the first attempt to empirically investigate the guidelines for the CVSS environmental metrics. We discuss theoretical and practical key aspects needed to move forward vulnerability assessments for large scale systems.",

author = "Luca Allodi and Silvio Biagioni and Bruno Crispo and Katiaryna Labunets and Fabio Massacci and Wagner Santos",

year = "2017",

doi = "10.1007/978-3-319-70004-5_2",

language = "English",

isbn = "978-3-319-70003-8",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "23--39",

editor = "{Khanh Dang}, Tran and Roland Wagner and Josef K{\"u}ng and Nam Thoai and Makoto Takizawa and Neuhold, {Erich J.}",

booktitle = "Proceedings of the 4th International Conference on Future Data and Security Engineering, FDSE 2017",

note = "International Conference on Future Data and Security Engineering, FDSE ; Conference date: 29-11-2017 Through 01-12-2017",

url = "http://www.cse.hcmut.edu.vn/fdse2017/",

}

Allodi, L, Biagioni, S, Crispo, B, Labunets, K, Massacci, F & Santos, W 2017, Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment. in T Khanh Dang, R Wagner, J Küng, N Thoai, M Takizawa & EJ Neuhold (eds), Proceedings of the 4th International Conference on Future Data and Security Engineering, FDSE 2017. Lecture Notes in Computer Science, vol. 10646, Springer, pp. 23-39, International Conference on Future Data and Security Engineering, Ho Chi Minh City, Viet Nam, 29/11/17. https://doi.org/10.1007/978-3-319-70004-5_2

Estimating the Assessment Difficulty of CVSS Environmental Metrics : An Experiment. / Allodi, Luca; Biagioni, Silvio; Crispo, Bruno; Labunets, Katiaryna; Massacci, Fabio; Santos, Wagner.

Proceedings of the 4th International Conference on Future Data and Security Engineering, FDSE 2017. ed. / Tran Khanh Dang; Roland Wagner; Josef Küng; Nam Thoai; Makoto Takizawa; Erich J. Neuhold. Springer, 2017. p. 23-39 (Lecture Notes in Computer Science; Vol. 10646).

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Estimating the Assessment Difficulty of CVSS Environmental Metrics

T2 - International Conference on Future Data and Security Engineering

AU - Allodi, Luca

AU - Biagioni, Silvio

AU - Crispo, Bruno

AU - Labunets, Katiaryna

AU - Massacci, Fabio

AU - Santos, Wagner

N1 - Conference code: 4

PY - 2017

Y1 - 2017

N2 - [Context] The CVSS framework provides several dimensions to score vulnerabilities. The environmental metrics allow security analysts to downgrade or upgrade vulnerability scores based on a company’s computing environments and security requirements. [Question] How difficult is for a human assessor to change the CVSS environmental score due to changes in security requirements (let alone technical configurations) for PCI-DSS compliance for networks and systems vulnerabilities of different type? [Results] A controlled experiment with 29 MSc students shows that given a segmented network it is significantly more difficult to apply the CVSS scoring guidelines on security requirements with respect to a flat network layout, both before and after the network has been changed to meet the PCI-DSS security requirements. The network configuration also impact the correctness of vulnerabilities assessment at system level but not at application level. [Contribution] This paper is the first attempt to empirically investigate the guidelines for the CVSS environmental metrics. We discuss theoretical and practical key aspects needed to move forward vulnerability assessments for large scale systems.

AB - [Context] The CVSS framework provides several dimensions to score vulnerabilities. The environmental metrics allow security analysts to downgrade or upgrade vulnerability scores based on a company’s computing environments and security requirements. [Question] How difficult is for a human assessor to change the CVSS environmental score due to changes in security requirements (let alone technical configurations) for PCI-DSS compliance for networks and systems vulnerabilities of different type? [Results] A controlled experiment with 29 MSc students shows that given a segmented network it is significantly more difficult to apply the CVSS scoring guidelines on security requirements with respect to a flat network layout, both before and after the network has been changed to meet the PCI-DSS security requirements. The network configuration also impact the correctness of vulnerabilities assessment at system level but not at application level. [Contribution] This paper is the first attempt to empirically investigate the guidelines for the CVSS environmental metrics. We discuss theoretical and practical key aspects needed to move forward vulnerability assessments for large scale systems.

UR - http://resolver.tudelft.nl/uuid:67af62d4-9be6-4d01-91ee-a662c8435bbc

U2 - 10.1007/978-3-319-70004-5_2

DO - 10.1007/978-3-319-70004-5_2

M3 - Conference contribution

SN - 978-3-319-70003-8

T3 - Lecture Notes in Computer Science

SP - 23

EP - 39

BT - Proceedings of the 4th International Conference on Future Data and Security Engineering, FDSE 2017

A2 - Khanh Dang, Tran

A2 - Wagner, Roland

A2 - Küng, Josef

A2 - Thoai, Nam

A2 - Takizawa, Makoto

A2 - Neuhold, Erich J.

PB - Springer

Y2 - 29 November 2017 through 1 December 2017

ER -

Allodi L, Biagioni S, Crispo B, Labunets K, Massacci F, Santos W. Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment. In Khanh Dang T, Wagner R, Küng J, Thoai N, Takizawa M, Neuhold EJ, editors, Proceedings of the 4th International Conference on Future Data and Security Engineering, FDSE 2017. Springer. 2017. p. 23-39. (Lecture Notes in Computer Science). https://doi.org/10.1007/978-3-319-70004-5_2