Risk Scoring Matrix (CVSS)
Vulnerability Scoring Methodology & Business Risk Framework
Comprehensive breakdown of CVSS v3.1 and v4.0 metrics. This reference guide is designed to help maritime technical officers and DPA/CSOs (Designated Persons Ashore / Company Security Officers) translate a vendor's technical severity rating into operational business risk for the vessel and the company.
Intelligence Level: Strategic
CVSS v3.1 Base Metrics
| Category | Option | Danger | Detailed Interpretation |
|---|---|---|---|
| Exploitability Metrics | | | |
| Attack Vector (AV) | Network (N) | 🔴 High | Remote: Exploitable over the Internet or any routed network. |
| | Adjacent (A) | 🟠 Med | Nearby: Attacker must share the local segment (same VLAN, Wi-Fi or Bluetooth range). |
| | Local (L) | 🟡 Low | On-Site: Requires a local shell/OS session, or a user who runs the attacker's file. |
| | Physical (P) | 🟢 Low | Touch: Must physically handle the hardware (USB port, serial console, device case). |
| Attack Complexity (AC) | Low (L) | 🔴 High | Easy: Repeatable at will; no conditions outside the attacker's control. |
| | High (H) | 🟢 Low | Hard: Depends on conditions the attacker cannot control, e.g. winning a race, defeating ASLR/DEP, or first gathering target-specific knowledge. |
| Privileges Required (PR) | None (N) | 🔴 High | Public: No account required to exploit. |
| | Low (L) | 🟠 Med | Standard: Requires a basic user login. |
| | High (H) | 🟢 Low | Admin: Requires root/administrator credentials. |
| User Interaction (UI) | None (N) | 🔴 High | Silent: No human action needed to trigger. |
| | Required (R) | 🟡 Low | Phish: A victim must click a link, open a document or execute a file. |
| Impact Metrics | | | |
| Scope (S) | Changed (C) | 🔴 High | Escape: Impact reaches resources outside the vulnerable component's security authority (e.g. VM, container or browser-sandbox escape). Scoring note: Scope Changed also raises the weight of the Privileges Required metric. |
| | Unchanged (U) | 🟢 Low | Contained: Damage stays within the vulnerable component itself. |
| Confidentiality (C) | High (H) | VAR | Full data breach; all information in the affected component exposed. |
| | Low (L) | VAR | Partial leak; some information exposed, attacker does not control what. |
| | None (N) | VAR | No data exposure. |
| Integrity (I) | High (H) | VAR | Full control; attacker can modify any data, or modify critical data with serious consequences. |
| | Low (L) | VAR | Minor changes; limited or untargeted modification. |
| | None (N) | VAR | No data modification possible. |
| Availability (A) | High (H) | VAR | Total outage; system is unusable or the denial is sustained. |
| | Low (L) | VAR | Degraded; system is slow, unstable or intermittently unavailable. |
| | None (N) | VAR | No impact to system uptime. |
CVSS v4.0 Base & Supplemental Metrics
| Category | Option | Danger | v4.0 Specification & Business Logic |
|---|---|---|---|
| Base: Exploitability & Requirements | | | |
| Attack Vector (AV) | Network | 🔴 High | Remote exploitation across the internet or any routed network. |
| | Adjacent | 🟠 Med | Same local network segment, or Wi-Fi/Bluetooth range. |
| | Local | 🟡 Low | Local terminal or user session. |
| | Physical | 🟢 Low | Physical hardware tampering required. |
| Attack Complexity (AC) | Low | 🔴 High | Reliable attack; no built-in security mechanism (ASLR, CFI, etc.) has to be defeated. |
| | High | 🟢 Low | Requires evading or bypassing built-in protections. |
| Attack Requirements (AT) | None | 🔴 High | Works against standard/default deployments. |
| | Present | 🟢 Low | Needs a specific deployment state or condition, e.g. a race, a particular configuration, or a man-in-the-middle position. |
| User Interaction (UI) | None | 🔴 High | Zero-click; fully automated. |
| | Passive | 🟠 Med | User only has to view or process content (visits a page, opens a mailbox). |
| | Active | 🟡 Low | User must take a deliberate step, such as accepting a warning or running a file. |
| Impact: Vulnerable System (The Target App / "Inner Circle") | | | |
| Vulnerable System Confidentiality (VC) | H / L / N | VAR | Passwords: Can the attacker read the app's own data and secrets? |
| Vulnerable System Integrity (VI) | H / L / N | VAR | Settings: Can the attacker change the app's own data or configuration? |
| Vulnerable System Availability (VA) | H / L / N | VAR | Crash: Can the attacker make the app freeze, crash or stop serving? |
| Impact: Subsequent Systems (Infrastructure / "Blast Radius") | | | |
| Subsequent System Confidentiality (SC) | H / L / N | VAR | Server Breach: Can they read data on the host OS, cloud tenant or database behind the app? |
| Subsequent System Integrity (SI) | H / L / N | VAR | Wipe: Can they modify or destroy the host OS, or data on other connected systems? |
| Subsequent System Availability (SA) | H / L / N | VAR | Outage: Can they take down other hosts, the network or the underlying hardware? |
| Supplemental Metrics (context only; they do not change the numeric score) | | | |
| Safety (S) | Present | 🔴 High | Life-Safety: Potential for physical injury or loss of life. |
| | Negligible | 🟢 Low | No physical risk to humans. |
| Automatable (AU) | Yes | 🔴 High | Automatable: Every step of the attack (recon, weaponization, delivery, exploitation) can be scripted and repeated across many targets; wormable code is one case of this. |
| | No | 🟢 Low | Requires manual effort per target. |
| Recovery (R) | Automatic | 🟢 Low | System self-heals or recovers on reboot. |
| | User | 🟠 Med | Requires manual intervention to restore. |
| | Irrecoverable | 🔴 High | Bricked: Hardware or system must be replaced. |
What does "VAR" mean?
VAR (Variable) means the danger depends on the value assigned to that metric for the specific vulnerability:
- 🔴 High (H): Total loss of confidentiality, integrity or availability in that category.
- 🟠 Low (L): Partial exposure or damage.
- 🟢 None (N): No impact to this category.
Inner Circle vs. Blast Radius
Vulnerable System: Damage confined to the software component that contains the bug.
Subsequent System: Damage to everything else the compromised component can reach (OS, network, database, other hosts).
Color Logic Context
🟡 Yellow: Scored "Low" for exploitability, but treated here as elevated operational risk because phishing (User Interaction: Required) and local access are among the most common real-world entry paths.
🟢 Green: "Physical" is the lowest-scored vector because an attacker must touch the device; it is only as safe as the physical access controls around that equipment.
