Skip to Main Content
CVSS (Common Vulnerability Scoring System) is a framework scoring IT vulnerabilities. CVSS is composed of three metric groups: Base, Temporal, and Environmental. Although, the environmental score which gives risk of vulnerabilities in network environment of each user should be used for prioritizing actions, only base score is currently used. One of the reason for unused of environmental score is hard to score uniquely, because the criterion for determining ”Target Distribution (TD),” which is a parameter indicating impacted proportion, is vague. We propose a method for identifying the potentially-impacted area enabling TD measurement in networked systems in terms of three security objectives: confidentiality, integrity and availability. We also apply the method to some model cases of networked systems, and assess their TD. The results correspond to a popular wisdom that trilayer structure is more secure.