A Model for Android and iOS Applications Risk Calculation: CVSS Analysis and Enhancement Using Case-Control Studies

  • Milda Petraityte
  • Ali Dehghantanha
  • Gregory Epiphaniou
Part of the Advances in Information Security book series (ADIS, volume 70)


Various researchers have shown that the Common Vulnerability Scoring System (CVSS) has many drawbacks and may not provide a precise view of the risks related to software vulnerabilities. However, many threat intelligence platforms and industry-wide standards rely on the CVSS score to evaluate cyber security compliance. This paper suggests several improvements to the calculation of the Impact and Exploitability sub-scores within CVSS, to improve its accuracy and help threat intelligence analysts focus on the key risks associated with their assets. We will apply our suggested improvements to risks associated with several Android and iOS applications and discuss the improvements achieved and the advantages of our modelling, such as the importance and impact of time on the overall CVSS score calculation.


CVSS, Risk management, Risk calculation, Vulnerability, Exploitability



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Milda Petraityte (1)
  • Ali Dehghantanha (2)
  • Gregory Epiphaniou (3)
  1. School of Computing, Science and Engineering, University of Salford, Greater Manchester, UK
  2. Department of Computer Science, University of Sheffield, Sheffield, UK
  3. School of Computer Science and Technology, University of Bedfordshire, Bedfordshire, UK
