Extending a Hybrid Security Risk Assessment Model with CWSS

Advances in Intelligent Systems and Computing (2021)

Abstract
Cybersecurity risk management is the foundation of business and organizational decisions involving digital technology. Various models have been proposed and are in use, but these apply to current technologies and use cases, and none are sufficient to evaluate new technologies. This paper builds upon prior work using CVSS to quantify potential security threats for which information is limited. That prior work merges CVSS data with MITRE’s Common Attack Pattern Enumeration and Classification (CAPEC™) tools to inform a new technology risk scoring system in a Bayesian Belief Network (BBN). This work extends this risk model to incorporate CWSS data to better reflect the environments’ weaknesses that may apply to new technologies. This approach enables a more accurate and trustworthy way of quantitatively estimating risk as a function of the Base Finding Subscore and Attack Surface Subscore for weaknesses most relevant to businesses, missions, and deployed technologies.
Keywords
Bayesian belief network (BBN), Common attack pattern enumeration and classification (CAPEC™), Common weakness risk analysis framework (CWRAF), Common weakness scoring system (CWSS), Cyber survivability endorsement (CSE), Generation of security, National Vulnerability Database (NVD), Risk estimation model, Risk management and sensitivity analysis