Abstract
Enterprises suffer economic losses due to vulnerability exploitation. The aim of this paper is to propose a comprehensive software vulnerability severity evaluation model that incorporates both technical assessment and circumstantial information about the enterprise, especially the economic losses caused by vulnerability exploitation. We use the analytic hierarchy process to establish the model and derive the weights of the evaluation factors, obtaining both qualitative severity ranking levels and quantitative severity scores for vulnerabilities. Through a case study, we show that the evaluation values are accurate and effective, and consequently that our model can be used to prioritize security improvements.
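As an added worked example (not the paper's own model or code), the following Python computes analytic hierarchy process weights from a pairwise comparison matrix over three assumed factors (technical severity, enterprise asset exposure, expected economic loss), checks Saaty's consistency ratio before trusting the weights, and turns per-factor ratings into a quantitative score and a qualitative level. The factor names, judgement values and level thresholds are assumptions for illustration only.

```python
from typing import Dict, List

# Saaty's random consistency index (standard AHP table, n = 1..5)
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}

# Assumed factors: technical severity, enterprise asset exposure, economic loss.
FACTORS = ["technical", "exposure", "economic_loss"]
# Constructed, consistent judgements (Saaty 1-9 scale): technical is 1.5x exposure, 3x loss.
CONSISTENT_MATRIX = [[1.0, 1.5, 3.0], [2 / 3, 1.0, 2.0], [1 / 3, 0.5, 1.0]]
# Constructed, cyclic judgements (A>B, B>C, C>A): should be rejected by the CR check.
INCONSISTENT_MATRIX = [[1.0, 3.0, 1 / 3], [1 / 3, 1.0, 3.0], [3.0, 1 / 3, 1.0]]


def ahp_weights(matrix: List[List[float]], iters: int = 100) -> List[float]:
    """Normalised principal eigenvector of a pairwise matrix (power iteration)."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iters):
        v = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(v)
        w = [x / total for x in v]
    return w


def consistency_ratio(matrix: List[List[float]], w: List[float]) -> float:
    """Saaty CR = CI / RI; CR > 0.1 means the judgements are too inconsistent."""
    n = len(matrix)
    if n <= 2:
        return 0.0  # 1x1 and 2x2 comparison matrices are always consistent
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / w[i] for i in range(n)) / n  # principal eigenvalue
    ci = (lam_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def severity_level(score: float) -> str:
    """Map a 0-10 score to a qualitative level (thresholds are assumptions)."""
    for bound, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if score >= bound:
            return name
    return "Low"


def evaluate(matrix: List[List[float]], ratings: List[float],
             cr_threshold: float = 0.1) -> Dict[str, object]:
    """Weights, consistency check, weighted score and level for one vulnerability."""
    w = ahp_weights(matrix)
    cr = consistency_ratio(matrix, w)
    if cr > cr_threshold:
        raise ValueError(f"inconsistent judgements: CR={cr:.2f} > {cr_threshold}")
    score = sum(wi * ri for wi, ri in zip(w, ratings))  # ratings on a 0-10 scale
    return {"weights": dict(zip(FACTORS, w)), "cr": cr,
            "score": score, "level": severity_level(score)}
```

Ratings of 9, 6 and 3 on the three factors yield weights 0.5 / 0.333 / 0.167, a score of 7.0 and the level "High", while the cyclic matrix is rejected with a consistency ratio above 1.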
Acknowledgement
This work is supported by the National Natural Science Foundation of China under Grant No. 61402437.
Copyright information
© 2015 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Yang, Y., Jin, S., He, X. (2015). Software Vulnerability Severity Evaluation Based on Economic Losses. In: Yueming, L., Xu, W., Xi, Z. (eds) Trustworthy Computing and Services. ISCTCS 2014. Communications in Computer and Information Science, vol 520. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47401-3_19
DOI: https://doi.org/10.1007/978-3-662-47401-3_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-47400-6
Online ISBN: 978-3-662-47401-3
eBook Packages: Computer Science, Computer Science (R0)