CVSS-based Estimation and Prioritization for Security Risks

Abstract

During software development, it is of essential importance to consider security threats. The number of reported incidents and the harm for organizations due to such incidents highly increased during the last few years. The efforts for treating threats need to be spent in an effective manner. A prioritization can be derived from the risk level of a threat, which is defined as the likelihood of occurence and the consequence for an asset. In this paper, we propose a risk estimation and evaluation method for information security based on the Common Vulnerability Scoring System (CVSS). Our method can be applied during requirements engineering. The application in one of the earliest stages of a software development lifecycle enables security engineers to focus on the most servere risks right from the beginning. As initial input, we make use of a pattern-based description of relevant threats to the software. When estimating the risk level of those threats, we consider three perspectives: (1) software providers, (2) data owner, and (3) third parties for which a potential harm may exist, too. Our method combines attributes of the pattern and the different perspectives to estimate and prioritize risks. The pattern-based description allows a semi-automatic application of our method, which ends with a ranking of risks according to their priority as final outcome.