{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,4]],"date-time":"2025-12-04T10:00:45Z","timestamp":1764842445308,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":31,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,12,7]],"date-time":"2020-12-07T00:00:00Z","timestamp":1607299200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,12,7]]},"DOI":"10.1145\/3427228.3427257","type":"proceedings-article","created":{"date-parts":[[2020,12,9]],"date-time":"2020-12-09T22:20:18Z","timestamp":1607552418000},"page":"154-164","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":14,"title":["Measurements of the Most Significant Software\u00a0Security\u00a0Weaknesses"],"prefix":"10.1145","author":[{"given":"Carlos Cardoso","family":"Galhardo","sequence":"first","affiliation":[{"name":"National Institute of Standards and Technology; INMETRO, United States of America"}]},{"given":"Peter","family":"Mell","sequence":"additional","affiliation":[{"name":"National Institute of Standards and Technology, United States of America"}]},{"given":"Irena","family":"Bojanova","sequence":"additional","affiliation":[{"name":"National Institute of Standards and Technology, United States of America"}]},{"given":"Assane","family":"Gueye","sequence":"additional","affiliation":[{"name":"UADB-Senegal & Prometheus Computing"}]}],"member":"320","published-online":{"date-parts":[[2020,12,8]]},"reference":[{"volume-title":"Recent Advances in Intrusion Detection, Vol.\u00a07. Online proceeding","author":"Baker W","key":"e_1_3_2_1_1_1","unstructured":"David\u00a0 W Baker , Steven\u00a0 M Christey , William\u00a0 H Hill , and David\u00a0 E Mann . 1999. The Development of a Common Enumeration of Vulnerabilities and Exposures . In Recent Advances in Intrusion Detection, Vol.\u00a07. Online proceeding , Purdue, IN, USA , 9. David\u00a0W Baker, Steven\u00a0M Christey, William\u00a0H Hill, and David\u00a0E Mann. 1999. The Development of a Common Enumeration of Vulnerabilities and Exposures. In Recent Advances in Intrusion Detection, Vol.\u00a07. Online proceeding, Purdue, IN, USA, 9."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2006.101"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/QRS.2016.29"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1111\/j.1539-6924.2008.01142.x"},{"key":"e_1_3_2_1_5_1","volume-title":"Risk matrix user\u2019s guide","author":"Engert A","year":"1999","unstructured":"Pamela\u00a0 A Engert and Zachary\u00a0 F Lansdowne . 1999. Risk matrix user\u2019s guide . Bedford, MA : The MITRE Corporation( 1999 ). Pamela\u00a0A Engert and Zachary\u00a0F Lansdowne. 1999. Risk matrix user\u2019s guide. Bedford, MA: The MITRE Corporation(1999)."},{"key":"e_1_3_2_1_6_1","unstructured":"FIRST. 2019. Common Vulnerability Scoring System Special Interest Group. https:\/\/www.first.org\/cvss Accessed: 2019-12-10.  FIRST. 2019. Common Vulnerability Scoring System Special Interest Group. https:\/\/www.first.org\/cvss Accessed: 2019-12-10."},{"key":"e_1_3_2_1_7_1","unstructured":"FIRST. 2019. Common Vulnerability Scoring System v3.1: Specification Document. https:\/\/www.first.org\/cvss\/v3.1\/specification-document Accessed: 2020-2-5.  FIRST. 2019. Common Vulnerability Scoring System v3.1: Specification Document. https:\/\/www.first.org\/cvss\/v3.1\/specification-document Accessed: 2020-2-5."},{"key":"e_1_3_2_1_8_1","volume-title":"Operational Resilience, and ROI","author":"Herrmann S.","unstructured":"Debra\u00a0 S. Herrmann . 2007. Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance , Operational Resilience, and ROI ( 1 st ed.). Auerbach Publications , USA. Debra\u00a0S. Herrmann. 2007. Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI(1st ed.). Auerbach Publications, USA.","edition":"1"},{"key":"e_1_3_2_1_9_1","volume-title":"Eric\u00a0Hatleback.","author":"Allen","year":"2018","unstructured":"Allen D. Householder Art Manion Deana\u00a0Shick Jonathan\u00a0Spring , Eric\u00a0Hatleback. 2018 . Towards Improving CVSS. https:\/\/resources.sei.cmu.edu\/library\/asset-view.cfm?assetid=538368 Accessed : 2020-05-11. Allen D. Householder Art Manion Deana\u00a0Shick Jonathan\u00a0Spring, Eric\u00a0Hatleback. 2018. Towards Improving CVSS. https:\/\/resources.sei.cmu.edu\/library\/asset-view.cfm?assetid=538368 Accessed: 2020-05-11."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/1387830.1387835"},{"key":"e_1_3_2_1_11_1","unstructured":"McAfee. 2020. McAfee Labs 2019 Threats Predictions Report. https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-labs-2019-threats-predictions\/ Accessed: 2020-02-01.  McAfee. 2020. McAfee Labs 2019 Threats Predictions Report. https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-labs-2019-threats-predictions\/ Accessed: 2020-02-01."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC48688.2020.0-201"},{"key":"e_1_3_2_1_13_1","unstructured":"MITRE. 1999. Common Vulnerabilities and Exposures. https:\/\/cve.mitre.org Accessed: 2020-2-5.  MITRE. 1999. Common Vulnerabilities and Exposures. https:\/\/cve.mitre.org Accessed: 2020-2-5."},{"key":"e_1_3_2_1_14_1","unstructured":"MITRE. 2018. Common Weakness Scoring System (CWSS). https:\/\/cwe.mitre.org\/cwss\/ Accessed: 2020-04-10.  MITRE. 2018. Common Weakness Scoring System (CWSS). https:\/\/cwe.mitre.org\/cwss\/ Accessed: 2020-04-10."},{"key":"e_1_3_2_1_15_1","unstructured":"MITRE. 2019. Common Weakness Enumeration. https:\/\/cwe.mitre.org Accessed: 2019-12-10.  MITRE. 2019. Common Weakness Enumeration. https:\/\/cwe.mitre.org Accessed: 2019-12-10."},{"key":"e_1_3_2_1_16_1","unstructured":"MITRE. 2019. Common Weakness Risk Analysis Framework (CWRAF). https:\/\/cwe.mitre.org\/cwraf\/ Accessed: 2020-04-10.  MITRE. 2019. Common Weakness Risk Analysis Framework (CWRAF). https:\/\/cwe.mitre.org\/cwraf\/ Accessed: 2020-04-10."},{"key":"e_1_3_2_1_17_1","unstructured":"MITRE. 2020. 2019 CWE Top 25 Most Dangerous Software Errors. https:\/\/cwe.mitre.org\/top25\/archive\/2019\/2019_cwe_top25.html Accessed: 2020-02-01.  MITRE. 2020. 2019 CWE Top 25 Most Dangerous Software Errors. https:\/\/cwe.mitre.org\/top25\/archive\/2019\/2019_cwe_top25.html Accessed: 2020-02-01."},{"key":"e_1_3_2_1_18_1","unstructured":"MITRE. 2020. CWE Glossary. https:\/\/cwe.mitre.org\/documents\/glossary\/ Accessed: 2020-05-11.  MITRE. 2020. CWE Glossary. https:\/\/cwe.mitre.org\/documents\/glossary\/ Accessed: 2020-05-11."},{"key":"e_1_3_2_1_19_1","unstructured":"MITRE. 2020. History of the Common Weakness Scoring System (CWSS). https:\/\/cwe.mitre.org\/about\/history.html Accessed: 2020-04-10.  MITRE. 2020. History of the Common Weakness Scoring System (CWSS). https:\/\/cwe.mitre.org\/about\/history.html Accessed: 2020-04-10."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2018.05.011"},{"key":"e_1_3_2_1_21_1","unstructured":"NIST. 2020. BF Memory Model. https:\/\/samate.nist.gov\/BF\/Classes\/MEMModel.html Accessed: 2020-05-11.  NIST. 2020. BF Memory Model. https:\/\/samate.nist.gov\/BF\/Classes\/MEMModel.html Accessed: 2020-05-11."},{"key":"e_1_3_2_1_22_1","unstructured":"NVD. 2020. National Vulnerability Database. https:\/\/nvd.nist.gov Accessed: 2020-01-10.  NVD. 2020. National Vulnerability Database. https:\/\/nvd.nist.gov Accessed: 2020-01-10."},{"volume-title":"Quantitative security risk assessment of enterprise networks","author":"Ou Xinming","key":"e_1_3_2_1_23_1","unstructured":"Xinming Ou and Anoop Singhal . 2011. Quantitative security risk assessment of enterprise networks . Springer-Verlag , New York, NY, USA . Xinming Ou and Anoop Singhal. 2011. Quantitative security risk assessment of enterprise networks. Springer-Verlag, New York, NY, USA."},{"key":"e_1_3_2_1_24_1","unstructured":"OWASP. 2020. OWASP Top Ten. https:\/\/owasp.org\/www-project-top-ten\/ Accessed: 2020-04-10.  OWASP. 2020. OWASP Top Ten. https:\/\/owasp.org\/www-project-top-ten\/ Accessed: 2020-04-10."},{"key":"e_1_3_2_1_25_1","unstructured":"OWASP. 2020. SQL Injection. https:\/\/owasp.org\/www-community\/attacks\/SQL_Injection Accessed: 2020-05-11.  OWASP. 2020. SQL Injection. https:\/\/owasp.org\/www-community\/attacks\/SQL_Injection Accessed: 2020-05-11."},{"key":"e_1_3_2_1_26_1","volume-title":"Article 62 (dec","author":"Pendleton Marcus","year":"2016","unstructured":"Marcus Pendleton , Richard Garcia-Lebron , Jin-Hee Cho , and Shouhuai Xu. 2016. A Survey on Systems Security Metrics. ACM Comput. Surv. 49, 4 , Article 62 (dec 2016 ), 35\u00a0pages. https:\/\/doi.org\/10.1145\/3005714 10.1145\/3005714 Marcus Pendleton, Richard Garcia-Lebron, Jin-Hee Cho, and Shouhuai Xu. 2016. A Survey on Systems Security Metrics. ACM Comput. Surv. 49, 4, Article 62 (dec 2016), 35\u00a0pages. https:\/\/doi.org\/10.1145\/3005714"},{"key":"e_1_3_2_1_27_1","unstructured":"Guy Podjarny. 2017. Which of the OWASP Top 10 Caused the World\u2019s Biggest Data Breaches?https:\/\/snyk.io\/blog\/owasp-top-10-breaches\/ Accessed: 2020-09-22.  Guy Podjarny. 2017. Which of the OWASP Top 10 Caused the World\u2019s Biggest Data Breaches?https:\/\/snyk.io\/blog\/owasp-top-10-breaches\/ Accessed: 2020-09-22."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICICI-BME.2011.6108598"},{"key":"e_1_3_2_1_29_1","unstructured":"Symantec. 2020. 2019 Internet Security Threat Report. https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/reports\/istr-24-2019-en.pdf Accessed: 2020-02-01.  Symantec. 2020. 2019 Internet Security Threat Report. https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/reports\/istr-24-2019-en.pdf Accessed: 2020-02-01."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/1719030.1719036"},{"key":"e_1_3_2_1_31_1","unstructured":"Y. Wu Irena Bojanova and Y. Yesha. 2015. They know your weaknesses - Do you?: Reintroducing Common Weakness Enumeration. CrossTalk 28 (01 2015) 44\u201350.  Y. Wu Irena Bojanova and Y. Yesha. 2015. They know your weaknesses - Do you?: Reintroducing Common Weakness Enumeration. CrossTalk 28 (01 2015) 44\u201350."}],"event":{"name":"ACSAC '20: Annual Computer Security Applications Conference","acronym":"ACSAC '20","location":"Austin USA"},"container-title":["Annual Computer Security Applications Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3427228.3427257","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3427228.3427257","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:02:24Z","timestamp":1750197744000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3427228.3427257"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,12,7]]},"references-count":31,"alternative-id":["10.1145\/3427228.3427257","10.1145\/3427228"],"URL":"https:\/\/doi.org\/10.1145\/3427228.3427257","relation":{},"subject":[],"published":{"date-parts":[[2020,12,7]]},"assertion":[{"value":"2020-12-08","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}