Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

An Empirical Study of a Vulnerability Metric Aggregation Method



Su Zhang, Xinming Ou, Anoop Singhal, John Homer


Quantifying security risk is an important and yet difficult task in enterprise network risk management, critical for proactive mission assurance. Even though metrics exist for individual vulnerabilities, there is currently no standard way of aggregating such metrics. We developed a quantitative model that can be used to aggregate vulnerability metrics in an enterprise network, with a sound computation model. Our model produces quantitative metrics that measure the likelihood that breaches can occur within a given network configuration, taking into consideration the effects of all possible interplays between vulnerabilities. In order to validate the effectiveness scalability and accuracy) of this approach to realistic networks, we present the empirical study results of the approach on a number of system configurations. We use a real network as the test bed to demonstrate the utility of the approach, showing that the sound computation model is crucial for interpreting the metric result.
Proceedings Title
Mission Assurance and Critical Infrastructure Protection
Conference Dates
July 18-21, 2011
Conference Location
Las Vegas, NV, US
Conference Title
2011 World Congress in Computer Science


attack detection, attack graphs, computer networks, security risk


Zhang, S. , Ou, X. , Singhal, A. and Homer, J. (2011), An Empirical Study of a Vulnerability Metric Aggregation Method, Mission Assurance and Critical Infrastructure Protection, Las Vegas, NV, US, [online], (Accessed May 26, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created August 17, 2011, Updated October 12, 2021