Software Risk Assessment for Windows Operating Systems with respect to CVSS


  •   HyunChul Joh


CVSS is recognized as a de facto standard for categorizing and measuring software vulnerabilities in both how easy for exploitation for the given security bug and how much impact on a system having the vulnerability in a sense of the three security factors. Meanwhile, since the early 2000s, quantitative risk assessments of software systems had been able to be examined thanks to the accumulated enough datasets for a scientific investigation. However, there are still a lot of research attempts not to be taken in a quantitative examination of software risk assessments. In this paper, we are quantitatively analyzing CVSS scores in vulnerabilities from the three most recent Windows products, namely, Windows 7, Windows 8.1 and Windows 10. The result shows that AML vulnerability discovery model represents Windows vulnerability discovery trend reasonably. Furthermore, we found explicitly that, most of the time, security bugs are compromised with no authentication required systems. This result is corresponding with the output from the previous research based on Web browsers.

Keywords: Software Security Vulnerability, Windows OSes, CVSS, Quantitative Software Risk Assessment.


A. Silberschatz, P. B. Galvin, and G. Gagne, Operating System Concepts, 6th ed. / Windows XP Update, Wiley, 2001

Pfleeger, C. P. and Pfleeger, S. L. (2003). Security in Computing. Prentice Hall PTR, 3rd edition.

O. H. Alhazmi and Y. K. Malaiya, “Application of Vulnerability Discovery Models to Major Operating Systems,” IEEE Trans. Reliability, vol.57, no.1, pp. 14-22, March 2008.

H. Joh and Y.K. Malaiya, “Modeling Skewness in Vulnerability Discovery,” Quality and Reliability Engineering International, vol. 30, no. 8, pp.1445-1459, 2014.

S. Frei, T. Duebendorfer, G. Ollmann, and M. May, “Understanding the Web Browser Threat: Examination of Vulnerable Online Web Browser Populations and the “Insecurity Iceberg”,” ETH Zurich Tech Report Nr. 288, 2008.

T. Duebendorfer and S. Frei, “Web Browser Security Update Effectiveness,” Proceeding of the 4th International Conference on Critical Information Infrastructures Security, pp. 124-137, 2010.

M. Acer and C. Jackson, “Critical Vulnerability in Browser Security Metrics,” Proceeding of Web 2.0 Security and Privacy, IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 2010.

A. Grosskurth and M. Godfrey, “A Reference Architecture for Web Browsers,” Proceeding of the 2005 International Conference on Software Maintenance, Budapest, Hungary, pp. 661-664, Sep. 2005.

G. Schryen, “Is Open Source Security a Myth? What do Vulnerability and Patch Data Say?,” Communications of the Association for Computing Machinery, vol. 54, no. 5, pp.130-140, 2011.

F. Akiyama, “An Example of Software System Debugging,” Proceeding of International Federation for Information Processing Congress, pp. 353-379, 1971.

B.T. Compton and C. Withrow, “Prediction and Control of ADA Software Defects,” Journal of Systems and Software, vol. 12, no. 3, pp. 199-207, 1990.

L. Hatton, “Reexamining the Fault Density Component Size Connection,” IEEE Software, vol. 14, no. 2, pp. 89-97, 1997.

J. Rosenberg, “Some Misconceptions About Lines of Code,” Proceeding of the 4th IEEE International Software Metrics Symposium, pp. 137-142, 1997.

O.H. Alhazmi, Y.K. Malaiya, and I. Ray, “Security Vulnerabilities in Software Systems: A Quantitative Perspective,” Proceeding of IFIP WG11.3 Working Conference on Data and Information Security, pp. 281-294, 2005.

P. Mell, K. Scarfone, and S. Romanosky, “CVSS: A complete Guide to the Common Vulnerability Scoring System Version 2.0,” Forum of Incident Response and Security Teams, 2007.

A. Stango, N. R. Prasad, D. M. Kyriazanos, “A threat analysis methodology for security evaluation and enhancement planning,” Proceedings of the 3rd International Conference on Emerging Security Information, Systems and Technologies, Washington, DC, USA: IEEE Computer Society, pp. 262–267, 2009.

I. Mkpong-Ruffin, D. Umphress, J. Hamilton, J. Gilbert, “Quantitative software security risk assessment model,” Proceedings of the 2007 ACM workshop on Quality of protection, New York, NY, USA, pp. 31–33, 2007.

S. H. Houmb, V. N. Franqueira, E. A. Engum, “Quantifying security risk level from cvss estimates of frequency and impact,” Journal of Systems and Software, vol.83, no.9, pp.1622-1634, 2010.

O. H. Alhazmi, Y. K. Malaiya, “Prediction capabilities of vulnerability discovery models,” Proceedings of the rams ’06. annual reliability and maintainability symposium, pp. 86–91, 2006.

Woo, S.-W., Joh, H., Alhazmi, O. H. and Malaiya, Y. K., “Modeling vulnerability discovery process in apache and iis http servers,” Computers & Security, vol.30, no.1, pp.50-62, 2011.

H. Joh, “Assessing Web Browser Security Vulnerabilities with respect to CVSS,” Journal of Korea Multimedia Society, vol.18, no.2, pp.199-206, Feb. 2015.

K. Scarfone and P. Mell, “An Analysis of CVSS Version 2 Vulnerability Scoring,” Proceeding of 3rd International Symposium on Empirical Software Engineering and Measurement, pp. 516-525, 2009.


Download data is not yet available.


How to Cite
Joh, H. 2019. Software Risk Assessment for Windows Operating Systems with respect to CVSS. European Journal of Engineering and Technology Research. 4, 11 (Nov. 2019), 41-45. DOI: