Common Vulnerability Scoring System
IEEE Security and Privacy
An Attack Graph-Based Probabilistic Security Metric
Proceeedings of the 22nd annual IFIP WG 11.3 working conference on Data and Applications Security
Measuring network security using dynamic bayesian network
Proceedings of the 4th ACM workshop on Quality of protection
PCChecker: Harding Windows Security Configurations
ICCIT '08 Proceedings of the 2008 Third International Conference on Convergence and Hybrid Information Technology - Volume 02
A Study and Implementation of Vulnerability Assessment and Misconfiguration Detection
APSCC '08 Proceedings of the 2008 IEEE Asia-Pacific Services Computing Conference
An AHP-based methodology to rank critical success factors of executive information systems
Computer Standards & Interfaces
Improving CVSS-based vulnerability prioritization and response with context information
ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
An analysis of CVSS version 2 vulnerability scoring
ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
Vulnerability analysis for a quantitative security evaluation
ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
Quantifying security risk level from CVSS estimates of frequency and impact
Journal of Systems and Software
VRSS: A new system for rating and scoring vulnerabilities
Computer Communications
WIVSS: a new methodology for scoring information systems vulnerabilities
Proceedings of the 17th Panhellenic Conference on Informatics
A novel approach to evaluate software vulnerability prioritization
Journal of Systems and Software
Hi-index | 0.00 |
The number of vulnerabilities discovered in computer systems has increased explosively. Thus, a key question for system administrators is which vulnerabilities to prioritize. The need for vulnerability prioritization in organizations is widely recognized. The significant role of the vulnerability evaluation system is to separate vulnerabilities from each other as far as possible. There are two major methods to assess the severity of vulnerabilities: qualitative and quantitative methods. In this paper, we first describe the design space of vulnerability evaluation methodology and discuss the measures of well-defined evaluation framework. We analyze 11,395 CVE vulnerabilities to expose the differences among three current vulnerability evaluation systems (X-Force, CVSS and VRSS). We find that vulnerabilities are not separated from each other as much as possible. In order to increase the diversity of the results, we firstly enable vulnerability type to prioritize vulnerabilities using analytic hierarchy process on the basis of VRSS. We quantitatively characterize the vulnerability type and apply the method on the set of 11,395 CVE vulnerabilities. The results show that the quality of the quantitative scores can be improved with the help of vulnerability type.