| Graduate student | 朱潮昌 Chao-Chang Chu |
|---|---|
| Thesis title | 根基於共通脆弱性評估系統(CVSS)之脆弱性管理績效指標研究 Key Performance Indicators of Vulnerability Management based on Common Vulnerability Scoring System V2 |
| Advisor | 楊維寧 Wei-Ning Yang |
| Committee members | 呂永和 Yung-Ho Leu, 陳雲岫 Yun-Shiow Chen |
| Degree | Master |
| Department | College of Management - Department of Information Management |
| Year of publication | 2012 |
| Academic year of graduation | 100 (ROC calendar) |
| Language | Chinese |
| Pages | 43 |
| Chinese keywords | Vulnerability assessment, Vulnerability management, CVSS, CVE, Vulnerability |
| English keywords | CVSS, CVE |
| Usage | Views: 545, Downloads: 4 |
Identifying and assessing the vulnerabilities present in computer information systems is one of the key tasks of information security management. With limited management resources, how should information security managers decide the priority of risk treatment so as to effectively reduce the organization's overall information security risk? The Common Vulnerability Scoring System (CVSS) provides information security managers, security service providers, software vendors and researchers with an open framework that serves as a platform for communicating vulnerability risk and impact. CVSS consists of three metric groups: Base, Temporal and Environmental. Because every organization has its own environmental characteristics, the Environmental metric group is especially able to reflect the organization's overall vulnerability risk, and it is therefore the main focus of this study. Within the Environmental metric group, the target distribution metric is proportional to the organization's overall vulnerability risk value. The goal of this study is to identify the key factors that influence the target distribution metric, and thereby compute the target distribution metric through appropriate adjustment of its parameters. This study shows that when the target distribution metric is 0~25%, the organization's overall vulnerability risk can be assured of falling to the low risk level.
One of the major tasks of IT management is to identify and assess vulnerabilities across disparate hardware and software platforms. How can IT managers prioritize these vulnerabilities and remediate those that pose the greatest risk? The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities among IT managers, security vendors, application vendors, and researchers. CVSS consists of three groups: Base, Temporal and Environmental.
Since the Environmental group reflects the vulnerability characteristics that are unique to any user's environment, this research emphasizes the Environmental group.
The target distribution metric in the Environmental group approximates the proportion of systems that could be affected by the vulnerability. The goal of this research is to identify the key factors affecting the target distribution metric and thereby tune the appropriate parameters in the formula for calculating the advisable target distribution metric for an organization, in order to lower its vulnerability risk. Results show that in the Environmental metrics group, the target distribution metric value and the organization's vulnerability risk value are proportional, and that lowering an organization's target distribution metric to 0~25% brings its vulnerability risk to the Low level.