{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,4,9]],"date-time":"2025-04-09T00:48:41Z","timestamp":1744159721342},"publisher-location":"Cham","reference-count":25,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319700038"},{"type":"electronic","value":"9783319700045"}],"license":[{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2017]]},"DOI":"10.1007\/978-3-319-70004-5_2","type":"book-chapter","created":{"date-parts":[[2017,10,31]],"date-time":"2017-10-31T01:23:20Z","timestamp":1509413000000},"page":"23-39","source":"Crossref","is-referenced-by-count":11,"title":["Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment"],"prefix":"10.1007","author":[{"given":"Luca","family":"Allodi","sequence":"first","affiliation":[]},{"given":"Silvio","family":"Biagioni","sequence":"additional","affiliation":[]},{"given":"Bruno","family":"Crispo","sequence":"additional","affiliation":[]},{"given":"Katsiaryna","family":"Labunets","sequence":"additional","affiliation":[]},{"given":"Fabio","family":"Massacci","sequence":"additional","affiliation":[]},{"given":"Wagner","family":"Santos","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2017,11,1]]},"reference":[{"key":"2_CR1","doi-asserted-by":"crossref","unstructured":"Allodi, L., Massacci, F.: Comparing vulnerability severity and exploits using case-control studies. ACM Trans. Inf. Syst. Secur. 17(1), 1:1\u20131:20 (2014)","DOI":"10.1145\/2630069"},{"key":"2_CR2","unstructured":"Beck, A., Rass, S.: Decision-support by aggregation and flexible visualization of risk situations. In: Proceedings of ECCWS 2016, p. 313. Academic Conferences and Publishing Limited (2016)"},{"key":"2_CR3","unstructured":"CVSS-SIG. Common vulnerability scoring system v3.0: Specification document. Technical report (2015). First.org"},{"key":"2_CR4","doi-asserted-by":"crossref","unstructured":"Frei, S., May, M., Fiedler, U., Plattner, B.: Large-scale vulnerability analysis. In: Proceedings of LSAD 2006, pp. 131\u2013138. ACM (2006)","DOI":"10.1145\/1162666.1162671"},{"key":"2_CR5","doi-asserted-by":"crossref","unstructured":"Gallon, L., Bascou, J.J.: Using cvss in attack graphs. In: Proceedings of ARES 2011, pp. 59\u201366. IEEE (2011)","DOI":"10.1109\/ARES.2011.18"},{"key":"2_CR6","doi-asserted-by":"crossref","unstructured":"Giacalone, M., Mammoliti, R., Massacci, F., Paci, F., Perugino, R., Selli, C.: Security triage: a report of a lean security requirements methodology for cost-effective security analysis. In: Proceedings of ACM\/IEE ESEM 2014, pp. 25\u201327 (2014)","DOI":"10.1109\/EmpiRE.2014.6890112"},{"key":"2_CR7","doi-asserted-by":"crossref","unstructured":"Hamid, T., MacDermott, \u00c1.: A methodology to develop dynamic cost-centric risk impact metrics. In: Proceedings of DeSE 2015, pp. 53\u201359. IEEE (2015)","DOI":"10.1109\/DeSE.2015.9"},{"key":"2_CR8","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1016\/j.cose.2015.04.012","volume":"53","author":"H Holm","year":"2015","unstructured":"Holm, H., Afridi, K.K.: An expert-based investigation of the common vulnerability scoring system. Comput. Secur. 53, 18\u201330 (2015)","journal-title":"Comput. Secur."},{"issue":"6","key":"2_CR9","doi-asserted-by":"crossref","first-page":"825","DOI":"10.1109\/TDSC.2012.66","volume":"9","author":"H Holm","year":"2012","unstructured":"Holm, H., Ekstedt, M., Andersson, D.: Empirical analysis of system-level vulnerability metrics through actual attacks. IEEE Trans. Dependable Secur. Comput. 9(6), 825\u2013837 (2012)","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"issue":"3","key":"2_CR10","doi-asserted-by":"crossref","first-page":"201","DOI":"10.1023\/A:1026586415054","volume":"5","author":"M H\u00f6st","year":"2000","unstructured":"H\u00f6st, M., Regnell, B., Wohlin, C.: Using students as subjects-a comparative study of students and professionals in lead-time impact assessment. Empir. Soft. Eng. 5(3), 201\u2013214 (2000)","journal-title":"Empir. Soft. Eng."},{"issue":"9","key":"2_CR11","doi-asserted-by":"crossref","first-page":"1622","DOI":"10.1016\/j.jss.2009.08.023","volume":"83","author":"SH Houmb","year":"2010","unstructured":"Houmb, S.H., Franqueira, V.N., Engum, E.A.: Quantifying security risk level from cvss estimates of frequency and impact. J. Sys. Soft. 83(9), 1622\u20131634 (2010)","journal-title":"J. Sys. Soft."},{"issue":"8","key":"2_CR12","doi-asserted-by":"crossref","first-page":"1699","DOI":"10.1016\/j.jss.2012.03.057","volume":"85","author":"Q Liu","year":"2012","unstructured":"Liu, Q., Zhang, Y., Kong, Y., Wu, Q.: Improving VRSS-based vulnerability prioritization using analytic hierarchy process. J. Sys. Soft. 85(8), 1699\u20131708 (2012)","journal-title":"J. Sys. Soft."},{"key":"2_CR13","unstructured":"PCI. PCI (2010)"},{"issue":"3","key":"2_CR14","doi-asserted-by":"crossref","first-page":"489","DOI":"10.1111\/j.1540-5915.2007.00167.x","volume":"38","author":"R Pennington","year":"2007","unstructured":"Pennington, R., Tuttle, B.: The effects of information overload on software project risk assessment. Decision Sci. 38(3), 489\u2013526 (2007)","journal-title":"Decision Sci."},{"key":"2_CR15","doi-asserted-by":"crossref","unstructured":"Quinn, S.D., Scarfone, K.A., Barrett, M., Johnson, C.S.: SP 800\u2013117: Guide to adopting and using the security content automation protocol (SCAP) version 1.0. Technical report, NIST (2010)","DOI":"10.6028\/NIST.SP.800-117"},{"key":"2_CR16","unstructured":"Runeson, P.: Using students as experiment subjects-an analysis on graduate and freshmen student data. In: Proceedings of EASE 2003, pp. 95\u2013102 (2003)"},{"key":"2_CR17","unstructured":"Singh, U.K., Joshi, C.: Quantitative security risk evaluation using CVSS metrics by estimation of frequency and maturity of exploit. In: Proceedings of the WCECS 2016, vol. 1, pp. 19\u201321 (2016)"},{"key":"2_CR18","unstructured":"Verizon. PCI compliance report. Technical report, Verizon Enterprise (2015)"},{"key":"2_CR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"494","DOI":"10.1007\/978-3-319-11212-1_28","volume-title":"Computer Security - ESORICS 2014","author":"L Wang","year":"2014","unstructured":"Wang, L., Zhang, M., Jajodia, S., Singhal, A., Albanese, M.: Modeling network diversity for evaluating the robustness of networks against zero-day attacks. In: Kuty\u0142owski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 494\u2013511. Springer, Cham (2014). doi: 10.1007\/978-3-319-11212-1_28"},{"key":"2_CR20","doi-asserted-by":"crossref","unstructured":"Wang, R., Gao, L., Sun, Q., Sun, D.: An improved CVSS-based vulnerability scoring mechanism. In: Proceedings of MINES 2011, pp. 352\u2013355. IEEE (2011)","DOI":"10.1109\/MINES.2011.27"},{"key":"2_CR21","doi-asserted-by":"crossref","unstructured":"Wen, T., Zhang, Y., Dong, Y., Yang, G.: A novel automatic severity vulnerability assessment framework. J. Commun. 10(5) (2015)","DOI":"10.12720\/jcm.10.5.320-329"},{"key":"2_CR22","unstructured":"Williams, B.R., Chuvakin, A.: PCI compliance: understand and implement effective PCI data security standard compliance. Syngress (2014)"},{"key":"2_CR23","doi-asserted-by":"crossref","unstructured":"Younis, A.A., Malaiya, Y.K.: Comparing and evaluating CVSS-based base metrics and microsoft rating system. In: Proceedings of QRS 2015, pp. 252\u2013261. IEEE (2015)","DOI":"10.1109\/QRS.2015.44"},{"issue":"5","key":"2_CR24","doi-asserted-by":"crossref","first-page":"1071","DOI":"10.1109\/TIFS.2016.2516916","volume":"11","author":"M Zhang","year":"2016","unstructured":"Zhang, M., Wang, L., Jajodia, S., Singhal, A., Albanese, M.: Network diversity: a security metric for evaluating the resilience of networks against zero-day attacks. IEEE Trans. Inf. Forensics Secur. 11(5), 1071\u20131086 (2016)","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"2_CR25","unstructured":"Zhuang, H., Aberer, K.: A non-intrusive and context-based vulnerability scoring framework for cloud services. arXiv preprint arXiv:1611.07383 (2016)"}],"container-title":["Lecture Notes in Computer Science","Future Data and Security Engineering"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-70004-5_2","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,10,5]],"date-time":"2019-10-05T10:21:16Z","timestamp":1570270876000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-70004-5_2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017]]},"ISBN":["9783319700038","9783319700045"],"references-count":25,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-70004-5_2","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2017]]}}}