Article (approx. 10 min. read)
Published Apr 03, 2024

Quantifying cyber risks: what are the differences between the FAIR and CVSS methods?

Vulnerability management and cybersecurity risk quantification are two of the pillars of any organization's security posture. There are a number of different methods available today for understanding cyber risks, but two of them come up again and again: the CVSS rating system for vulnerability management, and the FAIR method for cyber risk analysis. When should one or the other be used? What are the advantages and disadvantages of each method? What are the differences between CVSS rating and the FAIR method?

What is the CVSS standard?

What does CVSS mean?

CVSS is a vulnerability rating system. It stands for "Common Vulnerability Scoring System". It is an international standard for rating security vulnerabilities, established by FIRST (Forum of Incident Response and Security Teams), an American association whose work is recognized worldwide.

FIRST has produced various versions of CVSS, the most recent being version 4.0 (due for release at the end of 2023).

How is the CVSS score calculated?

The CVSS score corresponds to a mark between 0 and 10. The higher the score assigned to a vulnerability, the more critical it is considered to be. The CVSS score (version 4.0) is based on four groups of metrics (components):

- Base Metric (base score)

- Threat Metric

- Environmental Metric (data characterizing the environment specific to each organization)

- Supplemental Metric (values that have no impact on the CVSS score, but allow the organization to perform a more in-depth risk analysis)

Each group is made up of different attributes.

One of the major new features of CVSS 4.0 is the introduction of 4 score types:

- CVSS-B: the basic score

- CVSS-BT: the basic score plus threat-related elements

- CVSS-BE: the basic score plus contextual elements

- CVSS-BTE: total score (base score plus threat and context elements)

How is the CVSS score used and what are its benefits for cybersecurity?

The CVSS scoring system is a standardized framework for assessing the characteristics and severity of security flaws in an IT system. Simple to implement, the main advantage of this method is that it assigns a score that is recognized and shared by all information security professionals, particularly by teams working specifically on vulnerability management.

The scores awarded enable security teams to focus their attention and resources on correcting the most serious vulnerabilities. By helping teams to categorize, rank and prioritize the vulnerabilities to be addressed, the use of CVSS scores contributes fully to the remediation process.

What is the FAIR Standard?

What is the FAIR Method?

FAIR stands for "Factor Analysis of Information Risk". The FAIR standard is a quantitative analysis model. It is used to understand, analyze and quantify cyber risks from a financial point of view. The FAIR method is considered a pioneering approach to quantifying cyber risks from an operational perspective. It is supported by an active community, which ensures the evolution and promotion of the method.

More information on fairinstitute.org

How does the FAIR Method work?

The FAIR method is a probabilistic approach to risk calculation, based on both the probable frequency and magnitude of losses. The results are quantified and can be expressed in financial terms (in euros, for example).

Example

An organization estimates that a given loss event X could occur once every 10 years, and that it would result in a loss of 2 million euros.

This represents a probable loss of 200,000 euros a year.

In order to reduce this risk, organizations can seek to reduce its frequency, as well as the amount of financial losses associated with it.

Implementing the FAIR method requires the collection of a large amount of data to accurately analyze each risk. Losses can be broken down into six categories (production losses, cost of incident response, loss of reputation, etc.). The FAIR method also invites us to assess the value of an asset on the basis of its criticality, cost (value) and sensitivity.
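As an added example, not part of the article or of the FAIR Institute's tooling: the article's point estimate (frequency times magnitude) in Python, followed by a simple Monte Carlo over min / most-likely / max ranges, which is how FAIR practitioners usually express uncertain inputs. It uses only the standard library; the triangular distribution and the sample ranges are simplifying assumptions of this example.

```python
# Added example: FAIR-style annualized loss, as a point estimate and as a
# Monte Carlo over ranged inputs. Triangular distributions are an assumption
# made here for simplicity (FAIR tooling commonly uses PERT).
import random
import statistics


def annualized_loss(events_per_year: float, loss_per_event: float) -> float:
    """Point estimate: probable annual loss = loss event frequency x loss magnitude."""
    return events_per_year * loss_per_event


def simulate_annual_loss(freq_range, magnitude_range, years=10_000, seed=1):
    """Monte Carlo over `years` simulated years.

    freq_range and magnitude_range are (min, most_likely, max) triples.
    Each year draws an expected event frequency, converts it to a whole
    number of events (the fractional part becomes a Bernoulli draw), and
    each event draws its own loss magnitude. Returns the yearly losses."""
    rng = random.Random(seed)
    f_lo, f_mode, f_hi = freq_range
    m_lo, m_mode, m_hi = magnitude_range
    losses = []
    for _ in range(years):
        expected = rng.triangular(f_lo, f_hi, f_mode)     # (low, high, mode)
        events = int(expected)
        if rng.random() < expected - events:
            events += 1
        losses.append(sum(rng.triangular(m_lo, m_hi, m_mode)
                          for _ in range(events)))
    return losses


def summarize(losses):
    """Mean and percentiles a risk manager would report from the simulation."""
    s = sorted(losses)
    return {"mean": statistics.fmean(s), "p50": s[len(s) // 2],
            "p90": s[int(len(s) * 0.9)], "max": s[-1]}


if __name__ == "__main__":
    # The article's example: once every 10 years, 2 million euros per event.
    print("point estimate:", annualized_loss(0.1, 2_000_000))       # 200000.0
    # Constructed ranges around that estimate, to show the loss distribution.
    yearly = simulate_annual_loss((0.05, 0.1, 0.2), (1e6, 2e6, 4e6))
    print("simulated:", summarize(yearly))
```

The median year is typically a zero-loss year while the mean is not, which is why FAIR reports are read as distributions rather than as a single figure.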

What are the advantages of the FAIR method for risk assessment?

Resolutely pragmatic, the FAIR method is particularly appreciated by CISOs and cyber-risk managers. Quantifying cyber risks and translating them into financial terms optimizes information systems security governance.

The FAIR method is not intended to be exhaustive, but rather to consider the most likely risk scenarios. It encourages organizations to focus on the assets that are most critical and indispensable to their business.

CVSS rating system, FAIR method: what are their limitations and differences?

The limits of CVSS scores

Lack of precision in risk measurement

CVSS scores are criticized for their inability to accurately measure risk. If vulnerabilities rated 7 and above are considered the most serious threats, and must therefore be dealt with before others, how can we be sure that a vulnerability rated 6.5 will not also cause serious damage? In the absence of context, it's hard to say.

Lack of context

While they are a good starting point, CVSS scores should not be used on their own, but placed in context. The CVSS score assesses the intrinsic criticality of a vulnerability and is a first step in cyber risk analysis, but it does not reflect the reality of the threats facing an organization. A high CVSS score does not necessarily mean that the vulnerability in question will actually be exploited.

To help organizations prioritize their vulnerabilities, FIRST also introduced the "EPSS" (Exploit Prediction Scoring System) score in 2019. This score indicates the likelihood of a CVE being successfully exploited in the coming months.

Some disadvantages of the FAIR method

The FAIR method generates probabilities linked to risk analysis, but is not designed to make predictions. Nor is it exhaustive, but it does enable organizations to focus their efforts on the most critical assets and probable scenarios.

On the other hand, because it requires the mobilization of numerous teams to collect technical and financial data, the FAIR method can be time-consuming to implement.

Main differences between the FAIR method and the CVSS rating system

A difference in kind

The fundamental difference between the CVSS rating system and the FAIR method lies in their nature. The former assigns scores to vulnerabilities according to their severity, while the latter translates the potential consequences of cyber risks into financial terms. The methodology adopted to deal with risk is not the same. The CVSS rating system speaks to security experts, while the FAIR method feeds discussion between the various business lines.

Taking asset criticality into account

CVSS scores do not take into account the criticality level of the assets affected by the vulnerabilities. In fact, medium severity vulnerabilities on exposed assets can have greater consequences than high severity vulnerabilities on properly isolated assets with restricted access. By mapping your information system, you can better take into account the criticality of different assets in your cyber risk management approach.

Impacts taken into account

Unlike the FAIR method, CVSS scores do not take into account the potential impact on the organization's activities when quantifying cyber risks. Translating cyber risks into financial terms is one of the strengths of the FAIR method, enabling organizations to focus on the assets that are most essential to their business.

Quantifying cyber risks is an approach that is increasingly in demand from senior management, who today want to better control their risks while optimizing their expenditure. The CVSS rating system and the FAIR method are two recognized but fundamentally different approaches. The CVSS system takes a more technical approach to managing and prioritizing the vulnerabilities to be corrected. The FAIR method, on the other hand, translates the probable consequences of cyber risks into financial terms. It's up to each organization to choose the approach best suited to its needs in terms of cyber risk assessment and management.

Would you like to know how OverSOC can help you assess and quantify cyber risks? Please contact us.