Identifying Relevant Information Cues for Vulnerability Assessment Using CVSS

TL;DR

This paper investigates which information cues improve the accuracy of vulnerability severity assessments using CVSS, highlighting the importance of specific data and warning against misleading information.

Contribution

It identifies key information types that enhance CVSS-based vulnerability assessment accuracy and provides guidance for better vulnerability communication.

Findings

Additional info on assets, attacks, and vulnerability type improves accuracy.

Known threats information can mislead and reduce assessment accuracy.

Baseline descriptions are insufficient for accurate assessments.

Abstract

The assessment of new vulnerabilities is an activity that accounts for information from several data sources and produces a `severity' score for the vulnerability. The Common Vulnerability Scoring System (\CVSS) is the reference standard for this assessment. Yet, no guidance currently exists on \emph{which information} aids a correct assessment and should therefore be considered. In this paper we address this problem by evaluating which information cues increase (or decrease) assessment accuracy. We devise a block design experiment with 67 software engineering students with varying vulnerability information and measure scoring accuracy under different information sets. We find that baseline vulnerability descriptions provided by standard vulnerability sources provide only part of the information needed to achieve an accurate vulnerability assessment. Further, we find that additional information on \texttt{assets}, \texttt{attacks}, and \texttt{vulnerability type} contributes in increasing the accuracy of the assessment; conversely, information on \texttt{known threats} misleads the assessor and decreases assessment accuracy and should be avoided when assessing vulnerabilities. These results go in the direction of formalizing the vulnerability communication to, for example, fully automate security assessments.