Data for: Connected and Autonomous Vehicles: A Cyber-Risk Classification Framework
Known software vulnerabilities listed within the NVD are used to create the BN. This data contains threat descriptions, product types, CVSS base attributes and a resultant base severity score for 104,210 software vulnerabilities from May 1990 to the present. The CVSS attributes are categorised into base, temp and environmental groups. The base metric group contains the intrinsic characteristics of a vulnerability that are constant over time and user environments (Mell et al., 2007). A base score is computed using a combination of qualitative exploitability and impact variables. The temporal group represents the changing of a vulnerability over time (i.e., at first there may be no remediation available, but over time an official fix becomes available). A temporal score updates the base score using the temporal variables if known. The environmental group provides context to the vulnerability and alters the score to highlight the features specific to the user’s environment. For example, a successful breach into a CAVs steering functionality may have a higher impact than that into its windscreen wipers control module. The environmental score denotes the overall CVSS severity score, and updates the temporal score using context-specific variables. This CVSS severity score ranges between from 0 to 10. It quantifies the potential severity of a known vulnerability. In 2015, First (2018b) released version 3 of the CVSS. The updates included removing environmental group variables Collateral Damage Potential and Target Distribution and replacing them with mitigating factors in the event of a scope change. The Authentication base variable was also replaced by two variables; Privileges Required and User Interaction. The states within some of the attributes changed also (Hanford, 2013). Both CVSS v2 and v3 vulnerability scores were extracted from the NVD. Of the 104,310 vulnerabilities, 6669 were deleted as they contained no useful information. 73,555 of the remaining cases only contained v2 group attributes, while 24,086 vulnerabilities were scored using both v2 and v3 scoring systems. For CVSS v2, the most probable state for each variable was: Access Vector = Network (70%), Access Complexity = Low (58%), Authentication = None (90%). Confidentiality/Integrity/Availability Impact were all equal to Partial at 47%, 51% and 43% respectively. Similarly, for CVSS v3 the most probable states for Attack Vector, Attack Complexity, Privileges Required and User Interaction were equal to Network (70.43%), Low (89%), None (72%) and None (59%) respectively. The only significant change in state observations were to Confidentiality/Integrity/Availability Impact, where the most probable state was equal to High determined by 59%, 51% and 63% of the total observations respectively.