Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
An expert-based investigation of the Common Vulnerability Scoring System
Stockholm University, Faculty of Social Sciences, Department of Computer and Systems Sciences.
Number of Authors: 22015 (English)In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 53, p. 18-30Article in journal (Refereed) Published
Abstract [en]

The Common Vulnerability Scoring System (CVSS) is the most widely used standard for quantifying the severity of security vulnerabilities. For instance, all vulnerabilities in the US National Vulnerability Database are scored according to this system. Unfortunately, it is largely unexplored whether or not its scores are accurate. This paper studies this property through a survey with opinions by 384 experts, covering more than 3000 vulnerabilities. The results show that the mean disagreement between the judgments of the experts and the CVSS Base Score is 0.38, with a variance of 4.46 (on a scale from 0 to 10). The direction of this difference depends on the type of vulnerability that is concerned. The experts then suggest a number of possible revisions to the CVSS that could explain this difference.

Place, publisher, year, edition, pages
2015. Vol. 53, p. 18-30
Keywords [en]
Cyber security, Vulnerabilities, Security metrics, Expert judgment, Common Vulnerability Scoring System
National Category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:su:diva-159649DOI: 10.1016/j.cose.2015.04.012ISI: 000367124600002OAI: oai:DiVA.org:su-159649DiVA, id: diva2:1244815
Available from: 2018-09-03 Created: 2018-09-03 Last updated: 2018-09-03Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full text
By organisation
Department of Computer and Systems Sciences
In the same journal
Computers & security (Print)
Computer and Information Sciences

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 24 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf