Using neural networks to aid CVSS risk aggregation - An empirically validated approach

- A method for automated CVSS risk aggregation is proposed.
- The aggregation can be tailored/trained to domain expertise and uncertain knowledge.
- Results have been verified along an empirical study.
- A method to reduce answer variability and ambiguity in empirical CVSS risk assessments is described.

Managing risks in large information infrastructures is often tied to inevitable simplification of the system, to make a risk analysis feasible. One common way of “compacting” matters for efficient decision making is to aggregate vulnerabilities and risks identified for distinct components into an overall risk measure related to an entire subsystem and the system as a whole. Traditionally, this aggregation is done pessimistically by taking the overall risk as the maximum of all individual risks, following the heuristic understanding that the “security chain” is only as strong as its weakest link. As that method is quite wasteful of information, this work proposes a new approach, which uses neural networks to resemble human expert's decision making in the same regard. To validate the concept, we conducted an empirical study on human expert's risk assessments, and trained several candidate networks on the empirical data to identify the best approximation to the opinions in our expert group.