Unified Quantitative Evaluation of System Severity: Leveraging Time to Compromise and Cost-Benefit Analysis for Enhanced vulnerability Risk Assessment

• Published in: Journal of network and systems management Vol. 33; no. 4; p. 100
• Main Authors: Jyoti, Bansal, Urvashi, Sikka, Geeta, Awasthi, Lalit Kumar, Verma, Harsh Kumar
• Format: Journal Article
• Language: English
• Published: New York Springer US 01.10.2025; Springer Nature B.V
• Subjects: Communications Engineering; Computer Communication Networks; Computer Science; Computer Systems Organization and Communication Networks; Cost benefit analysis; Cost function; Graphs; Information Systems and Communication Service; Intrusion detection systems; Networks; Operations Research/Decision Theory; Security; Attack path score; Attack path cost; Attack graph analysis; Vulnerability risk assessment; Vulnerability analysis; Attack path time; Network security; Time to compromise system; Risk management; CVSS
• ISSN: 1064-7570; 1573-7705
• DOI: 10.1007/s10922-025-09975-4

Network security remains a critical concern in today’s fast-paced tech world due to the dynamic challenges posed by high-speed networks. Despite using various security tools like firewalls and intrusion detection systems, managing multiple threats simultaneously is time-consuming. Existing vulnerability assessment tools struggle with complex attack scenarios, particularly those involving chained attacks relying on CVSS metrics. Thus, there’s a pressing need for a new strategy to strengthen network security against evolving threats. Attack graphs emerge as a powerful solution, especially for chained attacks, offering better ranking of attack paths and insights for system administrators. This study proposes a new approach, shifting focus from individual vulnerability severity to the overall severity of hosts or systems. The methodology determines system severity considering inherent vulnerabilities, along with exploit time and cost function. This shift allows a more comprehensive understanding of system security, addressing the complexities of chained attacks. The proposed methodology centres on three key elements: calculating average exploit time, modifying the CVSS v3.1 framework based on exploit time, and calculating a cost function for prioritizing attack paths. Results highlight the need to address 33% of existing vulnerabilities, focusing on 3 out of 9 hosts to enhance overall network security.