Call for Paper - January 2024 Edition
IJCA solicits original research papers for the January 2024 Edition. Last date of manuscript submission is December 20, 2023. Read More

Information Security Assessment by Quantifying Risk Level of Network Vulnerabilities

International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Year of Publication: 2016
Umesh Kumar Singh, Chanchala Joshi, Neha Gaud

Umesh Kumar Singh, Chanchala Joshi and Neha Gaud. Information Security Assessment by Quantifying Risk Level of Network Vulnerabilities. International Journal of Computer Applications 156(2):37-44, December 2016. BibTeX

	author = {Umesh Kumar Singh and Chanchala Joshi and Neha Gaud},
	title = {Information Security Assessment by Quantifying Risk Level of Network Vulnerabilities},
	journal = {International Journal of Computer Applications},
	issue_date = {December 2016},
	volume = {156},
	number = {2},
	month = {Dec},
	year = {2016},
	issn = {0975-8887},
	pages = {37-44},
	numpages = {8},
	url = {},
	doi = {10.5120/ijca2016912375},
	publisher = {Foundation of Computer Science (FCS), NY, USA},
	address = {New York, USA}


With increasing dependency on IT infrastructure, the main objective of a system administrator is to maintain a stable and secure network, with ensure that the network is robust enough against malicious network users like attackers and intruders. Security risk management provides way to manage the growing threats to infrastructures or system. This paper proposes a framework for risk level estimation that uses vulnerability database National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS). The proposedframework measuresthe frequency of vulnerability exploitation; converges this measured frequency with standard CVSS score and estimates the security risk levelwhich helps in automated and reasonable security management. In this paper, equation for the Temporal score calculation with respect to availability of remediation plan is derived and further, frequency of exploitation is calculated with determined temporal score. The frequency of exploitation along with CVSS score is used to calculate the security risk level of the system. The proposed framework uses the CVSS vectors for risk level estimation and measures the security level of specific network environment, which assists system administrator for assessment of security risks and making decision related to mitigation of security risks.


  1. The Common Vulnerability Scoring System, Available:
  2. National Vulnerability Database, Available:
  3. A. Tripathi and U.K. Singh, “On prioritization of vulnerability categories based on CVSS scores”, Proceedings of 6th International Conference on Computer Sciences and Convergence Information Technology, Korea, 2011, pp.692–697.
  4. A. Tripathi and U.K. Singh, “A proposal for common vulnerability classification scheme based on analysis of taxonomic features in vulnerability databases”, International Journal of Computer Science and Information Security, Vol. 9, No. 6, 2011, pp.106–111.
  5. A. Tripathi and U.K. Singh, “Analyzing trends in vulnerability classes across CVSS metrics”, International Journal of Computer Applications, Vol. 36, 2011, No. 3, pp.38–44.
  6. A. Tripathi and U.K. Singh, “Estimating risk level for vulnerability categories using CVSS”, International Journal of Internet Technology and Secured Transactions”, Vol. 4, No. 4, pp.272–289.
  7. C. Joshi and U. Singh, “Analysis of Vulnerability Scanners in Quest of Current Information Security Landscape” International Journal of Computer Application (IJCA, 0975 – 8887), Volume 145 No 2, July 2016, pp. 1-7.
  8. C. Joshi and U. Singh, “A Review on Taxonomies of Attacks and Vulnerability in Computer and Network System”.International Journal of Advanced Research in Computer Science and Software Engineering (IJRCSSE) Volume 5, Issue 1, January 2015, pp 742-747.
  9. C. Joshi C. and U. Singh, “ADMIT- A Five Dimensional Approach towards Standardization of Network and Computer Attack Taxonomies”. International Journal of Computer Application (IJCA, 0975 – 8887), Volume 100, Issue 5, August 2014, pp 30-36.
  10. R. E. Sawilla and X.Ou,, “Identifying critical attack assets in dependency attack graphs”. In: ESORICS ‘08: Proceedings of the 13th European Symposium on Research in Computer Security, Malaga, Spain, Springer-Verlag, 2008, pp. 18–34.
  11. W.U. Bin and A. J. WANG, “EVMAT: An OVAL and NVD Based Enterprise Vulnerability Modeling and Assessment Tool”, In Proceedings of ACMSE, Kennesaw, GA, USA, March 24-25, 2011, pp.115-120.
  12. “Risk Assessment and Mapping Guidelines for Disaster Management”, COMMISSION STAFF WORKING PAPER, Brussels, 2010.
  13. CVE - Common Vulnerabilities and Exposures (CVE), Available:
  14. T. Hamid, C Maple, P. Sant., “Methodologies to Develop Quantitative Risk Evaluation Metrics”, International Journal of Computer Applications, Vol. 48 No.14, June 2012, pp.17-24.
  15. CVSS v3.0 specification document, Available:
  16. P. Mell, K. Scarfone, and S. Romanosky, “CVSS: A complete Guide to the Common Vulnerability Scoring System Version 2.0”, Forum of Incident Response and Security Teams (FIRST), 2007.
  17. A. Arora., R. Krishnan,R.Telang, Y. Yang, “An Empirical Analysis of Software Vendors’ Patching Behavior: Impact of Vulnerability Disclosure”, ICIS 2006 Proceedings, 2006, Paper 22.
  18. M. Ahmed, E. Al-Shaer and L. Khan, “A Novel Quantitative Approach for Measuring Network Security”, INFOCOM 2008, The 27th Conference on Computer Communications, IEEE, 13-18 April 2008.
  19. Common Vulnerability Scoring System Version 3, Available: Calculator
  20. Red Hat Customer Portal, Available:
  21. CVE-2016-4051: SECURITY PATCH FOR SQUID (ALAS-2016-713), Available:
  22. Red Hat Customer Portal
  23. CVE-2016-4051: SecurityPatchforSquid (ALAS-2016-713)


CVSS metrics, risk level, security measurement, severity score, vulnerability category.