Scoring Vulnerabilities After Seeing a Chained Vulnerability Demonstration

Nikki Robinson
Journal: American journal of engineering, science and technology, vol. 54, no. 1 (Journal Article)
Publication date: 2020-04-01
DOI: 10.15864/ajse.1203 (https://doi.org/10.15864/ajse.1203)
Source platform: Semantic Scholar
Citation count: 0

Abstract
Scoring Vulnerabilities After Seeing a Chained Vulnerability Demonstration
The general problem was that NIST SP 800-40r3 (Souppaya & Scarfone, 2013) and the CVSS (FIRST, 2018a) did not provide enough information to prioritize vulnerability remediation. The specific problem was that CVSS severity rankings are specific to individual vulnerabilities, which limited organizations' ability to remediate vulnerabilities based on the potential downstream impact to other systems (Franklin, Wergin, & Booth, 2014). The purpose of this quantitative study was to use a pre-test / post-test experiment to compare how cybersecurity professionals in the USMC rate vulnerabilities before and after seeing examples of vulnerability chaining using the CVSS calculator. The research question was: what score would cybersecurity professionals in the USMC give individual vulnerabilities before and after seeing vulnerabilities used in combination to create a more severe cyberattack? The research method was quasi-experimental, with a pre-test / post-test design, to identify how vulnerabilities would be scored before and after seeing a chained vulnerability demonstration. The vulnerability scores were compared between the control and treatment groups, as well as against the CVSS scores provided in versions 2.0 and 3.0 for each vulnerability. Participants from the control group changed two vulnerabilities from a Medium score to a High score: CSRF (from 7.5 to 9.0) and XSS (from 8.3 to 9.0). The treatment group did not change any vulnerability scores in a statistically significant manner, but the researcher found this was due to the overall higher scores given to each vulnerability.