On 6/18/19 3:45 PM, Trevor Vaughan wrote:
At some point, these should probably be changed to correlate with the Vulnerability Severity Assessment Scale as outlined in the NIST 800-30 since it is well defined, a public standard at no cost, and 0-100 which lines up with most people's internal "gut feeling".

Sounds reasonable. Looks like "TABLE D-6: ASSESSMENT SCALE – RANGE OF EFFECTS FOR NON-ADVERSARIAL THREAT SOURCES" seems most applicable [0]. Is that what you were thinking?

Worried the broader 800-30 requires advanced multidimensional calculus.... yes, could result in better ratings than the DISA scale, but if it's too hard to use... nobody will use it.

[0] Page 68 @ https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Open-scap-list mailing list