Different security standards use different methods for calculating risk likelihood, such as Attack Potential (AP) in ISO/SAE 21434 and Exploitability Sub-Score (ESS) in the Common Vulnerability Scoring System (CVSS). Consequently, combining systems, for which the risk was calculated using two different methods, poses a significant challenge. We propose the Unified Likelihood Scale (ULS), a novel method for bridging the risk calculation of such systems. The ULS provides a unified framework for AP and ESS likelihood methods to combine risk assessments across different standards. The ULS is a mapping of AP and ESS to a unified four-segment scale. It is designed such that for relevant attacks, the ULS mapping yields the minimal error when rating the attacks in both likelihood estimation methods. Furthermore, we provide a dataset of 30 attacks rated according to AP and ESS, which we use to find the ULS mapping with minimal error. The resulting ULS can be used to combine the risk assessment of systems, which were rated using different risk assessment methods.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

ULS: A Unified Likelihood Scale for Cross-Standard Risk Assessment

  • Mohamed Abdelsalam,
  • Simon Greiner,
  • Oum-El-Kheir Aktouf,
  • Annabelle Mercier

摘要

Different security standards use different methods for calculating risk likelihood, such as Attack Potential (AP) in ISO/SAE 21434 and Exploitability Sub-Score (ESS) in the Common Vulnerability Scoring System (CVSS). Consequently, combining systems, for which the risk was calculated using two different methods, poses a significant challenge. We propose the Unified Likelihood Scale (ULS), a novel method for bridging the risk calculation of such systems. The ULS provides a unified framework for AP and ESS likelihood methods to combine risk assessments across different standards. The ULS is a mapping of AP and ESS to a unified four-segment scale. It is designed such that for relevant attacks, the ULS mapping yields the minimal error when rating the attacks in both likelihood estimation methods. Furthermore, we provide a dataset of 30 attacks rated according to AP and ESS, which we use to find the ULS mapping with minimal error. The resulting ULS can be used to combine the risk assessment of systems, which were rated using different risk assessment methods.