ULS: A Unified Likelihood Scale for Cross-Standard Risk Assessment
摘要
Different security standards use different methods for calculating risk likelihood, such as Attack Potential (AP) in ISO/SAE 21434 and Exploitability Sub-Score (ESS) in the Common Vulnerability Scoring System (CVSS). Consequently, combining systems, for which the risk was calculated using two different methods, poses a significant challenge. We propose the Unified Likelihood Scale (ULS), a novel method for bridging the risk calculation of such systems. The ULS provides a unified framework for AP and ESS likelihood methods to combine risk assessments across different standards. The ULS is a mapping of AP and ESS to a unified four-segment scale. It is designed such that for relevant attacks, the ULS mapping yields the minimal error when rating the attacks in both likelihood estimation methods. Furthermore, we provide a dataset of 30 attacks rated according to AP and ESS, which we use to find the ULS mapping with minimal error. The resulting ULS can be used to combine the risk assessment of systems, which were rated using different risk assessment methods.