EEMCS EPrints Service, University of Twente

Estimating ToE Risk Level using CVSS

Houmb, S.H. and Nunes Leal Franqueira, V. (2009) Estimating ToE Risk Level using CVSS. In: Proceedings of the Fourth International Conference on Availability, Reliability and Security (ARES 2009 - The International Dependability Conference), 16-19 March 2009, Fukuoka, Japan. pp. 718-725. IEEE Conference Proceedings. IEEE Computer Society. ISSN 1077-2626 ISBN 978-0-7695-3564-7

Full text available as: PDF, 178 Kb, Open Access

Security management is about calculated risk and requires continuous evaluation to ensure cost, time and resource effectiveness. Part of this is making future-oriented, cost-benefit investments in security. Security investments must adhere to sound business principles in which both security and financial aspects play an important role. Information on the current and potential risk level is essential for successfully trading off security against financial aspects.

Risk level is the combination of the frequency and impact of a potential unwanted event, often referred to as a security threat or misuse. The paper presents a risk level estimation model that derives risk level as a conditional probability over frequency and impact estimates. The frequency and impact estimates are derived from a set of attributes specified in the Common Vulnerability Scoring System (CVSS). The model works at the level of individual vulnerabilities (just as the CVSS does) and is able to compose vulnerabilities into service levels. The service levels define the potential risk levels and are modelled as a Markov process, which is then used to predict the risk level at a particular time.

Item Type: Conference or Workshop Paper (Full Paper, Talk)
Research Group: EWI-IS: Information Systems
Research Program: CTIT-ISTRICE: Integrated Security and Privacy in a Networked World
Research Project: IPID: Integrated Policy-based Intrusion Detection; VRIEND: Value-Based Security Risk Mitigation in Enterprise Networks that are Decentralized
Additional Information: The proceedings are not printed yet; the camera-ready version of the paper is uploaded for print.
ID Code: 14617
Deposited On: 07 January 2010
ISI Impact Factor: 1,400