Estimating Attackers’ Profiles Results in More Realistic Vulnerability Severity Scores

K. Kioskli, Nineta Polemi
DOI: 10.54941/ahfe1002211 (https://doi.org/10.54941/ahfe1002211)
Journal: Human Factors in Cybersecurity
Citations: 2

Abstract

Digitalization is moving at an increasing speed in all sectors of the economy, and with it cybersecurity threats and attacks continue to rise rapidly. Enterprises in all economic sectors are required to constantly assess the vulnerabilities (weaknesses) of their Information and Communication Systems (ICT) and to estimate their severity, to avoid exploitation by targeted cyber-attacks. Attacks may have catastrophic consequences (impacts), including the disruption or termination of operations, economic damage, long-term reputational damage, customer loss, lawsuits, and fines. Organisations need to undertake mitigating actions and technical controls to lower the severity of the vulnerabilities and protect their ICT assets. However, security measures are expensive, especially for small companies. Cybersecurity is considered a burden for Small and Medium-sized Enterprises (SMEs) rather than a marketing advantage, and cost is their biggest challenge. Vulnerability severity scoring therefore needs to be as realistic as possible, to decrease security costs for smaller companies while still preventing potential attackers from exploiting their assets. Identifying the potential attacker for each sector and company is the first step in building resilience. Classifications of attackers are usually based on whether they are internal, or on their means and capabilities, such as knowledge of the organisation's resources, including personnel, facilities, information, equipment, networks, and systems. In 2021, ENISA published a sector-specific taxonomy based on attackers' opportunities, means, motives and the sectors or products they wish to attack. In all existing classifications, the psychological, behavioural, and social traits of attackers are neither measured nor considered. Existing security scoring systems concentrate on technical severity and do not account for human factors through practical methods such as profiling the external or internal attacker in their calculations.
The Common Vulnerability Scoring System (CVSS) is a standard and widely adopted measure of vulnerability severity. CVSS assumes that the potential attacker will be highly skilled, but it does not consider any other human factors that may be involved. Our work in recent years aims to bridge psychosocial advances, including human, behavioural, and psychosocial factors, with cybersecurity efforts, in order to reach a realistic cyber-resilient state within information systems. The overarching objective of the present paper is to contribute further to realistic vulnerability severity scoring. Our main aim is to show that CVSS scores are not unique for every vulnerability but vary depending on the potential attacker. Based on an organisation's cyber threat intelligence (CTI) level, the sectoral threats can be identified and the profiles of its potential attackers can be predicted. In this paper, we measure the attackers' profiles and use these values in the CVSS calculator to score the vulnerabilities' severity more accurately. Considering practical implications, multiple interventions and suggestions at various levels are presented to tackle ongoing internal and external cybersecurity threats and to enhance CVSS so that it provides more realistic and accurate results.