Security Basics mailing list archives

Graphing CVSS scores for reports and presentations


From: "Mitchell, Sean HE0" <smitchell () health gov sk ca>
Date: Wed, 19 Mar 2008 16:46:00 -0600

Hi List,

I am looking for ideas on how to visually represent a group of CVSS scores,
something easy to understand for management and non technical users.  These
visual representations generally appear in the recommendations section of a
report, and are listed one right after the other for all vulnerabilities
contained in the report.

Previously in our reports, we had our own internal ranking system.  Each
vulnerability was given a score calculated on impact, likelihood, measures
in place, availability, etc.  1-10 was green, 11-15 was orange, and 15-20
was red.  Anyone looking at the report can immediately understand that the
red need to be dealt with first.

The problem is representing the three areas of the CVSS score clearly:
While a vulnerability may get 'red' in the base area, it may be 'green' in
the environmental group.  On the other hand, something that is orange in the
base group may score 'red' in the environmental group, which leads to
difficulty in understanding the graphics.

When writing a report, how do you communicate the severity of the found
vulnerabilities? 

TIA

-sean


Sean Mitchell, 
Technical Security Analyst 
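One way to make the three CVSS groups readable side by side, as an added example rather than anything from the original post: compute the base, temporal and environmental scores from a CVSS v2 vector string (the weights and formulas are those of the CVSS v2.0 guide, and the sample vector is the guide's CVE-2002-0392 worked example), band each score into green/orange/red, and emit one small SVG strip per vulnerability with one bar per group, so a reader sees at a glance that "red in the base group, green in the environmental group" is one finding with two different contexts. The colour thresholds (4.0 and 7.0, following NVD's v2 Low/Medium/High ranking) and the bar layout are assumptions made here, not something the list post specifies.

```python
"""CVSS v2 base/temporal/environmental scoring, colour banding and a per-finding
SVG "traffic light" strip for report graphics (added example, not the poster's code)."""
import html
from decimal import Decimal, ROUND_HALF_UP

# Metric weights as published in the CVSS v2.0 guide.
W = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}
# Temporal/environmental metrics absent from the vector count as "not defined".
DEFAULTS = {"E": "ND", "RL": "ND", "RC": "ND", "CDP": "ND", "TD": "ND",
            "CR": "ND", "IR": "ND", "AR": "ND"}
# Colour bands are an assumption here (NVD-style v2 ranking: <4 low, <7 medium, else high).
BANDS = ((7.0, "red"), (4.0, "orange"), (0.0, "green"))
COLOURS = {"green": "#2e8b57", "orange": "#ff8c00", "red": "#c00000"}

def round1(x):
    """Round half-up to one decimal as the guide does; round(x, 6) first removes float noise."""
    return float(Decimal(repr(round(x, 6))).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def parse_vector(vec):
    """Parse 'AV:N/AC:L/...' (optionally in parentheses) into a metric dict, validating values."""
    m = dict(DEFAULTS)
    for part in vec.strip("()").split("/"):
        k, _, v = part.partition(":")
        if k not in W or v not in W[k]:
            raise ValueError(f"unknown CVSS v2 metric {part!r}")
        m[k] = v
    missing = [k for k in ("AV", "AC", "Au", "C", "I", "A") if k not in m]
    if missing:
        raise ValueError(f"base metrics missing: {missing}")
    return m

def _impact(m, cr=1.0, ir=1.0, ar=1.0):
    c, i, a = (W[k][m[k]] for k in ("C", "I", "A"))
    return 10.41 * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar))

def _base(m, impact):
    exploitability = 20 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * W["Au"][m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

def _temporal(base, m):
    return round1(base * W["E"][m["E"]] * W["RL"][m["RL"]] * W["RC"][m["RC"]])

def score(vec):
    """Return the three CVSS v2 scores; environmental recomputes base/temporal with
    the security-requirement-adjusted impact (capped at 10), then applies CDP and TD."""
    m = parse_vector(vec)
    base = _base(m, _impact(m))
    temporal = _temporal(base, m)
    adjusted_impact = min(10.0, _impact(m, W["CR"][m["CR"]], W["IR"][m["IR"]], W["AR"][m["AR"]]))
    adjusted_temporal = _temporal(_base(m, adjusted_impact), m)
    env = round1((adjusted_temporal + (10 - adjusted_temporal) * W["CDP"][m["CDP"]]) * W["TD"][m["TD"]])
    return {"base": base, "temporal": temporal, "environmental": env}

def band(s):
    """Map a 0-10 score to a traffic-light colour name."""
    return next(colour for floor, colour in BANDS if s >= floor)

def svg_strip(name, scores, width=300, row=18):
    """One bar per group, filled to score/10 and coloured by band, so the three
    groups of a single finding sit side by side in the report."""
    rows = []
    for i, key in enumerate(("base", "temporal", "environmental")):
        s, y = scores[key], i * row
        rows.append(
            f'<text x="0" y="{y + 13}" font-size="11">{key}</text>'
            f'<rect x="100" y="{y + 3}" width="{width}" height="{row - 6}" fill="#eeeeee"/>'
            f'<rect x="100" y="{y + 3}" width="{int(width * s / 10)}" height="{row - 6}" '
            f'fill="{COLOURS[band(s)]}"/>'
            f'<text x="{100 + width + 5}" y="{y + 13}" font-size="11">{s:.1f}</text>')
    return (f'<svg xmlns="http://www.w3.org/2000/svg" width="{width + 150}" height="{3 * row}">'
            f'<title>{html.escape(name)}</title>' + "".join(rows) + "</svg>")

if __name__ == "__main__":
    # Sample input: the CVE-2002-0392 vector used as the worked example in the CVSS v2 guide.
    vec = "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H"
    s = score(vec)
    print(s, {k: band(v) for k, v in s.items()})
    print(svg_strip("CVE-2002-0392", s))
```

Because each strip carries its own bars for base, temporal and environmental, a finding that is red at the base level but green in your environment shows both facts in one graphic instead of forcing a single colour; the environmental bar is the one that answers "what should we fix first here", while the base bar preserves the vendor-independent severity for the record.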

