CONNECTEDNESS: A DIMENSION OF SECURITY BUG SEVERITY ASSESSMENT FOR MEASURING UNCERTAINTY
Author: Chan Shue Long
Affiliation: Independent Researcher
Category:
Keywords: Attack Surface, Cyber Risk Quantification, Philosophy of Cybersecurity, Uncertainty
Abstract. Current frameworks for evaluating security bug severity, such as the Common Vulnerability Scoring System (CVSS), prioritize the ratio of exploitability to impact. This paper suggests that this approach measures the "known knowns" but inadequately addresses the "known unknowns", especially when multiple possible exploit paths and side effects exist, which introduce significant uncertainty. This paper introduces the concept of connectedness, which measures how strongly a security bug is connected with different entities, thereby reflecting the uncertainty of its impact and its exploit potential. This work highlights the critical but underappreciated role connectedness plays in severity assessments.
Bibliography:
F.H. Knight and D.E. Jones. "Risk, Uncertainty and Profit." Warriors (Washington, D.C.). Beard Books, 2002. ISBN 9781587981265. URL https://books.google.com.hk/books?id=Im2dnQAACAAJ
Peter Mell, Jonathan Spring, Dave Dugal, Srividya Ananthakrishna, Francesco Casotto, Troy Fridley, Christopher Ganas, Arkadeep Kundu, Phillip Nordwall, Vijayamurugan Pushpanathan, Daniel Sommerfeld, Matt Tesauro, and Christopher Turner. "Measuring the Common Vulnerability Scoring System Base Score Equation." 2022. URL https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=935413
Andrew Simpson. "Into the unknown: the need to reframe risk analysis." Journal of Cybersecurity, 10(1):tyae022, November 2024. ISSN 2057-2085. doi:10.1093/cybsec/tyae022. URL https://doi.org/10.1093/cybsec/tyae022
Vilhelm Verendel. "Quantified security is a weak hypothesis: a critical survey of results and assumptions." In Proceedings of the 2009 Workshop on New Security Paradigms (NSPW '09), pages 37–50, New York, NY, USA, 2009. Association for Computing Machinery. ISBN 9781605588452. doi:10.1145/1719030.1719036. URL https://doi.org/10.1145/1719030.1719036