Web application security - the fast guide 1.1 | Page 56
Chapter 3 - Vulnerabilities and threat models
On the other hand, to include the environmental effect we use the
environmental equation. This equation also gives a score between 0 and 10,
and the result should be less than the temporal score.
EnvironmentalScore = round_to_1_decimal((AdjustedTemporal + (10 - AdjustedTemporal) * CollateralDamagePotential) * TargetDistribution)

AdjustedTemporal = TemporalScore recomputed with the BaseScore's Impact sub-equation replaced with the AdjustedImpact equation

AdjustedImpact = min(10, 10.41 * (1 - (1 - ConfImpact*ConfReq) * (1 - IntegImpact*IntegReq) * (1 - AvailImpact*AvailReq)))

CollateralDamagePotential = case CollateralDamagePotential of
    none: 0
    low: 0.1
    low-medium: 0.3
    medium-high: 0.4
    high: 0.5
    not defined: 0

TargetDistribution = case TargetDistribution of
    none: 0
    low: 0.25
    medium: 0.75
    high: 1.00
    not defined: 1.00

ConfReq = case ConfReq of
    low: 0.5
    medium: 1.0
    high: 1.51
    not defined: 1.0

IntegReq = case IntegReq of
    low: 0.5
    medium: 1.0
    high: 1.51
    not defined: 1.0

AvailReq = case AvailReq of
    low: 0.5
    medium: 1.0
    high: 1.51
    not defined: 1.0
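
The environmental equation worked through in Python, as an added example that is not part of the original text. The lookup tables are the ones listed above; the base and temporal equations inside `temporal()` and the sample metric weights are assumed from the CVSS v2 specification, since this section does not show them.

```python
from decimal import Decimal, ROUND_HALF_UP

# Weights copied from the case lists in this section.
CDP = {"none": 0.0, "low": 0.1, "low-medium": 0.3, "medium-high": 0.4,
       "high": 0.5, "not defined": 0.0}
TD = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0, "not defined": 1.0}
REQ = {"low": 0.5, "medium": 1.0, "high": 1.51, "not defined": 1.0}


def round1(x):
    """round_to_1_decimal: half-up, after trimming binary float noise."""
    return float(Decimal(str(round(x, 6))).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def adjusted_impact(c, i, a, cr, ir, ar):
    """Impact reweighted by the security requirements, capped at 10."""
    raw = 10.41 * (1 - (1 - c * REQ[cr]) * (1 - i * REQ[ir]) * (1 - a * REQ[ar]))
    return min(10.0, raw)


def temporal(impact, exploitability, e, rl, rc):
    """Assumed CVSS v2 base and temporal equations (not shown in this section)."""
    f = 0.0 if impact == 0 else 1.176
    base = round1((0.6 * impact + 0.4 * exploitability - 1.5) * f)
    return round1(base * e * rl * rc)


def environmental(c, i, a, exploitability, e, rl, rc,
                  cr="not defined", ir="not defined", ar="not defined",
                  cdp="not defined", td="not defined"):
    """AdjustedTemporal combined with collateral damage and target distribution."""
    adj = temporal(adjusted_impact(c, i, a, cr, ir, ar), exploitability, e, rl, rc)
    return round1((adj + (10 - adj) * CDP[cdp]) * TD[td])


# Constructed sample: network DoS, no C/I impact, complete availability impact.
# Weights assumed from CVSS v2: AV:N=1.0, AC:L=0.71, Au:N=0.704, A:C=0.660,
# E:F=0.95, RL:OF=0.87, RC:C=1.0.
SAMPLE = dict(c=0.0, i=0.0, a=0.660, exploitability=20 * 1.0 * 0.71 * 0.704,
              e=0.95, rl=0.87, rc=1.0)

if __name__ == "__main__":
    print(environmental(**SAMPLE))                                   # no environmental metrics set
    print(environmental(**SAMPLE, ar="low", cdp="low", td="medium"))  # low-priority, partly exposed
    print(environmental(**SAMPLE, td="none"))                        # no affected hosts in scope
```
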
Although using CVSS requires a lot of experience to give good estimates for
the different metric groups, it provides an efficient way to score threats
and rank them.