Publication | Closed Access
Temporal metrics for software vulnerabilities
Citations: 20
References: 2
Year: 2008
Unknown Venue
Software Maintenance, Reliability, Vulnerability Assessment (Computing), Software Security, Engineering, Program Analysis, Information Security, Software Testing, Common Security Metrics, Software Metric, Security Assessment, Software Engineering, Systems Engineering, Computer Science, Temporal Metrics, Security Measurement, Software Analysis, Software Design
It is widely recognized that metrics are important to information security. Metrics can be an effective tool for companies and information security professionals to measure, control, and improve their security controls and mechanisms. However, common security metrics are often qualitative, subjective, and informal in the sense that they lack formal models and automated support. This paper discusses our work on temporal metrics for software vulnerabilities based on the Common Vulnerability Scoring System 2.0. A mathematical model is provided to calculate the severity and risk of a vulnerability, which is time-dependent and includes the exploitability, remediation level, and report confidence attributes of an information asset in a computing environment. A prototype of an automated tool, CVSSWizzard, is illustrated with examples.