CVSS scores are widely used – and widely mis-used – in cyber risk management. The Common Vulnerability Scoring System serves as a valuable alert system to point defenders to weaknesses in their defenses. But because CVSS scoring is numeric, it is often confused as quantitative cyber risk analysis – it’s not. Let’s dig into this distinction.
What Are CVSS Scores?
Typically, a vendor discovers a vulnerability and assigns a base CVSS score, rating it for severity from 1-10. Although rating is a disciplined process done by cybersecurity experts, a key point is that CVSS scores are qualitative, in other words based on inputs such as:
“Confidentiality Impact: None/Partial/Complete“
“Access Complexity: High/Medium/Low”
“Authentication: Multiple/Single/None”
See the NIST National Vulnerability Database CVSS Calculator
Ordinal values are then assigned to these judgment calls to calculate an overall view of the “exploitability” or severity of the vulnerability, say 7.8 or 9.8. Those are numbers so that counts as risk quantification, right?
Well, no. To unpack this, CVSS scores are not quantification and not quantitative cyber risk measurement.
CVSS Scores Are Not Quantification
As Jack Jones, creator of FAIR™ (Factor Analysis of Information Risk) wrote in his blog post series on automating cyber risk quantification,
“The CVSS scoring model involves a lot of math on ordinal values. Functionally, that’s the same thing as doing math on a color scale.
“In order to be quantitative, there has to be a unit of measurement — a quantity of something — like frequency, percentage, monetary values, time, etc. In a numeric ordinal scale (e.g., 1-5 or 1-10), the numbers are simply labels for buckets/categories, just as colors would be…
“Math on ordinal values is only one of several problems with CVSS scores, but it is significant enough by itself to invalidate them as reliable data…It’s an accuracy problem.”
CVSS Scores Do Not Measure Risk
So, CVSS scores should not be data inputs in a system of cyber risk quantification—and should not be mistaken for a form of cyber risk analysis. To quote the CVSS User Guide from FIRST, its governing body,
“CVSS is designed to measure the severity of a vulnerability and should not be used alone to assess risk…
“Concerns have been raised that the CVSS Base Score is being used in situations where a comprehensive assessment of risk is more appropriate.
“A comprehensive risk assessment system should be employed that considers more factors than simply the CVSS Base Score. Such systems typically also consider factors outside the scope of CVSS such as exposure and threat.”
A comprehensive cyber risk assessment, Jack writes, requires accurate data, well-defined loss event scenarios to analyze, and a model that accounts for the interplay of loss event frequency and loss event impact in quantifiable units – FAIR™ is the international standard for cyber risk quantification and the requisite for any truly comprehensive cyber risk assessment. (Note: Jack includes vulnerability scans as appropriate data for quantifying the efficacy of patching in controls analytics, but not CVSS scores).
Best Use of CVSS Scores
Let’s be clear. The CVSS system is most used with vulnerability scanning to identify technology-related weaknesses in cybersecurity defenses, such as missing patches, and rate the significance of the findings. That’s very useful for managing cyber risk efficiently. Just be wary of solutions that purport to offer cyber risk quantification based in whole or part on adding CVSS scores to their calculations.
