Network Vulnerability Exposure Calculator
Quantifies your network's vulnerability exposure by combining asset value, threat likelihood, vulnerability severity (CVSS-based), and control effectiveness into a single actionable risk score.
Formula
Step 1 – Normalize CVSS:
CVSS_norm = CVSS_Base_Score / 10
Step 2 – Residual Vulnerability:
RV = CVSS_norm × (1 − Control_Effectiveness)
Represents how much of the raw vulnerability survives after controls are applied.
Step 3 – Temporal Factor (logarithmic):
TF = ln(Exposure_Window_days + 1) / ln(366), capped at 1
Models diminishing marginal risk increase over time; reaches ~1 at one year.
Step 4 – Raw NVE:
NVE_raw = Asset_Value × Threat_Likelihood × RV × (1 + TF)
Step 5 – Normalize to 0–10 scale:
NVE = (NVE_raw / 20) × 10
Maximum theoretical raw value = 10 × 1 × 1 × 2 = 20.
Risk Bands: Minimal < 2 | Low 2–4 | Moderate 4–6 | High 6–8 | Critical ≥ 8
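A runnable implementation of Steps 1–5 and the risk bands above, added here as a worked example (it is not the calculator's own code). The input ranges it validates (asset value 0–10, threat likelihood and control effectiveness 0–1) are assumed from the Step 5 maximum; the sample inputs at the bottom are constructed.

```python
import math

# Added example implementation of the NVE formula; not the calculator's own code.
# Assumed input ranges (from the Step 5 maximum): asset value 0-10,
# threat likelihood 0-1, CVSS base 0-10, control effectiveness 0-1.

RISK_BANDS = [(2.0, "Minimal"), (4.0, "Low"), (6.0, "Moderate"), (8.0, "High")]


def _check_range(name, value, lo, hi):
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be between {lo} and {hi}, got {value}")


def temporal_factor(exposure_window_days):
    """Step 3: TF = ln(days + 1) / ln(366), capped at 1 (reaches 1 at 365 days)."""
    if exposure_window_days < 0:
        raise ValueError("exposure window must be >= 0 days")
    return min(1.0, math.log(exposure_window_days + 1) / math.log(366))


def risk_band(nve):
    """Map a 0-10 NVE score to the band table: Minimal < 2 ... Critical >= 8."""
    for upper, label in RISK_BANDS:
        if nve < upper:
            return label
    return "Critical"


def nve_score(asset_value, threat_likelihood, cvss_base,
              control_effectiveness, exposure_window_days):
    """Steps 1-5; returns every intermediate value so the score can be audited."""
    _check_range("asset_value", asset_value, 0, 10)
    _check_range("threat_likelihood", threat_likelihood, 0, 1)
    _check_range("cvss_base", cvss_base, 0, 10)
    _check_range("control_effectiveness", control_effectiveness, 0, 1)
    cvss_norm = cvss_base / 10                                  # Step 1
    rv = cvss_norm * (1 - control_effectiveness)                # Step 2
    tf = temporal_factor(exposure_window_days)                  # Step 3
    nve_raw = asset_value * threat_likelihood * rv * (1 + tf)   # Step 4, max 20
    nve = (nve_raw / 20) * 10                                   # Step 5, 0-10 scale
    return {"cvss_norm": cvss_norm, "rv": rv, "tf": tf,
            "nve_raw": nve_raw, "nve": nve, "band": risk_band(nve)}


if __name__ == "__main__":
    # Constructed sample: high-value host, CVSS 9.8 finding, weak controls, 30 days exposed.
    print(nve_score(8, 0.6, 9.8, 0.2, 30))
```

Note that even a CVSS 9.8 finding on a high-value asset lands in the Low band here because the likelihood and 30-day window pull the raw score down; the band thresholds are relative, as the assumptions below state.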
Assumptions & References
- CVSS Base Scores are sourced from the NIST National Vulnerability Database (NVD) or your internal scanner (Nessus, Qualys, OpenVAS).
- Threat Likelihood should be estimated using threat-intelligence feeds, historical incident data, or the MITRE ATT&CK framework.
- Control Effectiveness is a composite score reflecting patch status, network segmentation, IDS/IPS coverage, WAF deployment, and access controls (0 = none, 1 = fully mitigated).
- The logarithmic temporal factor is inspired by CVSS Temporal metrics and reflects that unpatched vulnerabilities attract increasing attacker attention over time, but with diminishing marginal increase.
- Asset Value should align with your organization's Business Impact Analysis (BIA) or data classification policy.
- This model is aligned with NIST Cybersecurity Framework risk assessment guidance (SP 800-30 Rev. 1).
- NVE is a relative scoring tool. Absolute thresholds should be calibrated to your organization's risk appetite.
- CVSS v3.1 is assumed; CVSS v4.0 scores are also compatible as both use a 0–10 scale.