A Security Practices Evaluation Framework

Confidentiality, Integrity, and Availability Requirements


Description

These values are taken directly from CVSS, and this section paraphrases the description in the CVSS Guide [ref]. These metrics capture the security requirements of the software under development. Each security requirement takes one of three values, Low, Medium, or High; a fourth value, Not Defined, marks the metric as not assessed so that the scoring equation skips it.

Data Collection

To choose a value for each context factor, consider the most sensitive data that passes through, or is kept by, the software being evaluated. For example, a web browser may access highly confidential personal information such as bank account or medical record data, to which a High Confidentiality Requirement would apply.


Metric Values

  • Low (L): Loss of [confidentiality / integrity / availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
  • Medium (M): Loss of [confidentiality / integrity / availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
  • High (H): Loss of [confidentiality / integrity / availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
  • Not Defined (ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.
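As an added example that is not part of this framework's text, the requirement values above fed into the CVSS v2 environmental AdjustedImpact equation; the requirement weights (L 0.5, M 1.0, H 1.51, ND 1.0), the base impact weights and the equation itself are taken from the CVSS v2 Guide rather than from this page, and the sample vectors are constructed. It shows concretely why Not Defined leaves the score unchanged while a High requirement raises it.

```python
"""Apply the Low/Medium/High/Not Defined requirement values to the
CVSS v2 environmental AdjustedImpact equation (CVSS v2 Guide, not this page)."""

# CVSS v2 Security Requirement weights. Not Defined is 1.0, so multiplying
# by it leaves the product unchanged: that is what "skip this metric" means
# in the equation, and it is numerically identical to Medium.
REQUIREMENT_WEIGHT = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}

# CVSS v2 base impact sub-metric weights: None / Partial / Complete.
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}


def adjusted_impact(conf: str, integ: str, avail: str,
                    cr: str = "ND", ir: str = "ND", ar: str = "ND") -> float:
    """CVSS v2 AdjustedImpact, capped at 10 and rounded to one decimal.

    conf/integ/avail: base impact values N, P or C.
    cr/ir/ar: requirement values L, M, H or ND chosen in the data-collection step.
    """
    try:
        # Unpacking forces the generators to run here, so a bad value
        # surfaces as KeyError inside this try block.
        c, i, a = (IMPACT_WEIGHT[v] for v in (conf, integ, avail))
        wc, wi, wa = (REQUIREMENT_WEIGHT[v] for v in (cr, ir, ar))
    except KeyError as exc:
        raise ValueError(f"unknown metric value: {exc}") from None
    raw = 10.41 * (1 - (1 - c * wc) * (1 - i * wi) * (1 - a * wa))
    return round(min(10.0, raw), 1)


def requirement_effect(conf, integ, avail, cr, ir, ar):
    """Return (score with every requirement ND, score with the chosen requirements)."""
    return (adjusted_impact(conf, integ, avail),
            adjusted_impact(conf, integ, avail, cr, ir, ar))


if __name__ == "__main__":
    # Constructed case: a browser handling bank data, so a High Confidentiality
    # Requirement as in the page's example; the other two requirements are left ND.
    baseline, weighted = requirement_effect("P", "P", "P", "H", "ND", "ND")
    print(f"AdjustedImpact with all requirements ND: {baseline}")
    print(f"AdjustedImpact with CR=H:                {weighted}")
```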