Defining and Assessing Quantitative Security Risk Measures Using Vulnerability Lifecycle and CVSS Metrics

Known vulnerabilities which have been discovered but not patched represents a security risk which can lead to considerable financial damage or loss of reputation. They include vulnerabilities that have either no patches available or for which patches are applied after some delay. Exploitation is even possible before public disclosure of a vulnerability. This paper formally defines risk measures and examines possible approaches for assessing risk using actual data. We explore the use of CVSS vulnerability metrics which are publically available and are being used for ranking vulnerabilities. Then, a general stochastic risk evaluation approach is proposed which considers the vulnerability lifecycle starting with discovery. A conditional risk measure and assessment approach is also presented when only known vulnerabilities are considered. The proposed approach bridges formal risk theory with industrial approaches currently being used, allowing IT risk assessment in an organization, and a comparison of potential alternatives for optimizing remediation. These actual data driven methods will assist managers with software selection and patch application decisions in quantitative manner.