System Management
AIVSS Methodology Guide
Overview
This tool implements the AIVSS-SSVC methodology described in the accompanying research paper.
Workflow Overview
- Create AI Systems: On the Dashboard, define each agentic AI deployment in your organization
- Assess AIVSS Factors: Click the Assess button on an AI system to evaluate 10 AI-specific risk factors against OWASP Agentic AI risks
- Manage Vulnerabilities: Use the Vulnerabilities tab to create a library of IT/OT vulnerabilities with CVSS scores
- Link & Map: In the Dashboard, click a System's Link Vuln button to connect vulnerabilities to affected AI systems and specific risk factors
- Prioritize Risks: Use the Prioritization tab to view automatically calculated priorities based on AIVSS status × CVSS severity
AIVSS Maturity Model
The AIVSS Multifactor Maturity Model tracks the depth to which each AI system has been evaluated across the 10 risk factors. Despite the name, it measures assessment coverage rather than organizational maturity: each factor carries one of four statuses.
Four Status Levels
- Present: the factor has been evaluated and the risk is confirmed to apply to this system
- None: the factor has been evaluated and the risk does not apply; vulnerability combinations with this status are dropped from prioritization
- Unsure: the factor has been evaluated but the assessment was inconclusive
- Not Evaluated: the factor has not yet been assessed
Parent-Child Factor Logic
Some factors (for example "Tool Misuse") have subfactors. A parent factor's status is not set directly: it inherits the lowest maturity status among its children, so a single immature subfactor assessment (Unsure or Not Evaluated) makes the parent factor immature as well.
Risk Prioritization Algorithm
The prioritization matrix follows the AIVSS-SSVC methodology (Appendix A, Table 7):
Step 1: Enumerate
Create all possible combinations of linked vulnerabilities × affected AIVSS factors.
Step 2: Filter
Remove combinations where the factor status is "None" or the CVSS severity is "None" (a base score of 0.0). Low severity vulnerabilities remain in the prioritization.
Step 3: Sort
Sort the remaining items by:
- AIVSS Status (descending): Present > Unsure > Not Evaluated
- CVSS Severity (descending): Critical > High > Medium > Low
Step 4: Number Sequentially
Assign priority numbers (1, 2, 3...) in sort order. Lower numbers indicate higher urgency. A priority number captures only the position in the resulting sort, nothing more: it is a relative ranking useful for sequencing mitigation work and allocating resources, not an absolute measure of risk. Ties within the same status and severity keep the order in which they were enumerated.
CVSS Integration
This tool uses a third-party cvss4 JS library to calculate CVSS Base Scores from vector strings. That library does not support CVSS 2.0, but support could be added, since the methodology is agnostic to the CVSS version. Supported versions:
- CVSS 3.0 & 3.1: Industry standard vulnerability scoring
- CVSS 4.0: Latest specification with enhanced metrics
Important: CVSS scores are ordinal values (ranked labels), not real numbers. The distance between 2.0 and 5.0 is not the same as the distance between 4.0 and 7.0, and an 8.0 is not "twice as severe" as a 4.0. This is why the prioritization sorts and bins scores rather than adding, averaging or multiplying them.
Best Practices
- Start Simple: Begin with 1-2 critical AI systems before expanding to your full portfolio
- Evaluate Systematically: Work through all 10 AIVSS factors for each system methodically
- Document Evidence: Keep external notes on why each factor was marked Present/None/Unsure
- Regular Updates: Re-evaluate as your AI systems evolve or new vulnerabilities emerge
- Cross-Functional: Involve AI engineers, security teams, and risk management in assessments
- Prioritize Action: Focus remediation efforts on Priority 1-3 risks first
Further Reading
For complete technical details, consult the AIVSS-SSVC methodology paper and Appendix A. This tool implements the multifactor maturity model and CVSS integration framework described in that research.
Global Vulnerability Library
Purpose: Maintain a centralized repository of IT/OT vulnerabilities (CVEs) that impact your agentic AI systems. Each vulnerability is scored using CVSS (Common Vulnerability Scoring System) to establish traditional security severity. The methodology is agnostic to the CVSS version, so entries scored with v3.0, v3.1 and v4.0 can coexist in the same library: prioritization sorts on the qualitative severity rating, not on the raw score.
Workflow:
- Add Vulnerabilities: Create entries for relevant CVEs from your vulnerability scanner or threat intelligence feeds
- Input CVSS Vector: Paste the complete CVSS vector string (v3.0, v3.1, or v4.0 format)
- Auto-Calculate Score: The system uses a third-party cvss4 library to calculate the Base Score and severity rating from the vector
- Link to Systems: From the Dashboard, use "Link Vuln" to connect vulnerabilities to affected AI systems
- Map to Factors: For each link, specify which AIVSS risk factors the vulnerability impacts
Note: CVSS scores are ordinal values (ranked labels), not real numbers. The system uses ordinal sorting and binning as described in the AIVSS-SSVC methodology to avoid invalid arithmetic operations on them.
Risk Prioritization Matrix
Purpose: Automatically calculate relative risk priorities by combining AIVSS factor assessments (AI-specific risks) with CVSS vulnerability severity (IT/OT security risks). This implements the AIVSS-SSVC methodology described in Appendix A, Table 7.
- Enumerate: Create all vulnerability × factor combinations
- Filter: Remove "None" status OR "None" severity (Low severity is kept)
- Sort: By AIVSS status (Present > Unsure > Not Evaluated), then CVSS severity (Critical > High > Medium > Low)
- Number: Assign sequential priorities (1, 2, 3...) based on sort order, plus categories (A-I) based on the status × severity intersection
- Per System: View priorities for a single AI system in isolation. Use this to focus remediation efforts on one system.
- Across All Systems: Global enterprise view that re-sorts and re-numbers priorities across your entire AI portfolio. Use this to identify your most critical risks organization-wide.
Key Insight: Priority numbers (1, 2, 3...) are ordinal ranks from the sort: focus on the lowest numbers first. Category letters (A-I) group risks by status × severity type. See the legend below for category definitions.
Category Legend (A-I)
Categories represent the intersection of AIVSS Status × CVSS Severity. They provide a quick visual reference for the type of risk, complementing the sequential priority ranking. Categories are organized by status, with color intensity indicating severity.
Present Status (A-C)
- A: Status Present, CVSS Critical or High: confirmed risk, high severity
- B: Status Present, CVSS Medium: confirmed risk, moderate severity
- C: Status Present, CVSS Low: confirmed risk, low severity
Not Evaluated Status (D-F)
- D: Status Not Evaluated, CVSS Critical or High: unevaluated factor, high severity vulnerability
- E: Status Not Evaluated, CVSS Medium: unevaluated factor, moderate severity vulnerability
- F: Status Not Evaluated, CVSS Low: unevaluated factor, low severity vulnerability
Unsure Status (G-I)
- G: Status Unsure, CVSS Critical or High: inconclusive assessment, high severity
- H: Status Unsure, CVSS Medium: inconclusive assessment, moderate severity
- I: Status Unsure, CVSS Low: inconclusive assessment, low severity
Note: Categories provide consistent grouping based on status × severity combinations, while priority numbers reflect the actual sort order within and across categories. Use categories for thematic grouping and priorities for work sequencing.
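The Risk Prioritization Algorithm steps, the Risk Prioritization Matrix description and the category legend above all describe one procedure. The following is an added example that implements it end to end over constructed data; it is not the tool's own code. The vulnerability identifiers (VULN-1 to VULN-4), the system names, the subfactor labels and the factor names other than "Tool Misuse" are placeholders chosen for illustration. One point the page leaves open is how "lowest maturity" is ranked for parent/child inheritance when a child is "None"; the ordering used here (Not Evaluated < Unsure < Present < None) is an assumption and is marked as such in the code.

```python
"""Added example (not the tool's own code): the Enumerate / Filter / Sort /
Number steps and the A-I category legend, run over constructed sample data."""
from dataclasses import dataclass, field

# Ordinal orderings used only as sort keys: position is rank, and no arithmetic
# is done on labels or CVSS scores. Low stays in the order; None is filtered out.
STATUS_ORDER = ("Present", "Unsure", "Not Evaluated")
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low")

# Category legend: one letter per status group and severity bucket, with
# Critical and High sharing a bucket (A-C Present, D-F Not Evaluated, G-I Unsure).
_STATUS_BASE = {"Present": "A", "Not Evaluated": "D", "Unsure": "G"}
_SEV_BUCKET = {"Critical": 0, "High": 0, "Medium": 1, "Low": 2}

# ASSUMPTION for parent/child inheritance: the page only says the parent takes
# the "lowest" status. Ranked here as Not Evaluated < Unsure < Present < None,
# so a parent with one Present and one Unsure child becomes Unsure.
_MATURITY = {"Not Evaluated": 0, "Unsure": 1, "Present": 2, "None": 3}


def category(status: str, severity: str) -> str:
    """Letter for the status x severity cell of the legend."""
    return chr(ord(_STATUS_BASE[status]) + _SEV_BUCKET[severity])


@dataclass(frozen=True)
class Vulnerability:
    vid: str        # placeholder identifier, not a real CVE
    severity: str   # CVSS qualitative rating: None/Low/Medium/High/Critical


@dataclass
class AISystem:
    name: str
    factor_status: dict                             # factor -> status label
    links: dict = field(default_factory=dict)       # Vulnerability -> impacted factors
    children: dict = field(default_factory=dict)    # parent factor -> subfactors


def effective_status(system: AISystem, factor: str) -> str:
    """A parent factor inherits the lowest-maturity status among its subfactors."""
    subs = system.children.get(factor)
    if not subs:
        return system.factor_status[factor]
    return min((effective_status(system, s) for s in subs), key=_MATURITY.__getitem__)


def prioritize(systems: list) -> list:
    """Run steps 1-4. One system gives the per-system view; several give the
    enterprise view, which re-sorts and re-numbers across all of them."""
    # Step 1: enumerate every linked vulnerability x impacted factor pair.
    rows = [(s.name, v, f, effective_status(s, f))
            for s in systems for v, factors in s.links.items() for f in factors]
    # Step 2: drop pairs whose status is None or whose severity is None (Low stays).
    rows = [r for r in rows if r[3] != "None" and r[1].severity != "None"]
    # Step 3: stable sort, status first, then severity; ties keep enumeration order.
    rows.sort(key=lambda r: (STATUS_ORDER.index(r[3]), SEVERITY_ORDER.index(r[1].severity)))
    # Step 4: sequential priority numbers plus the category letter.
    return [{"priority": n, "category": category(st, v.severity), "system": name,
             "vuln": v.vid, "factor": f, "status": st, "severity": v.severity}
            for n, (name, v, f, st) in enumerate(rows, start=1)]


# Constructed sample data: placeholder identifiers and illustrative factor names.
V1, V2 = Vulnerability("VULN-1", "Critical"), Vulnerability("VULN-2", "Low")
V3, V4 = Vulnerability("VULN-3", "None"), Vulnerability("VULN-4", "High")

SUPPORT_AGENT = AISystem(
    "support-agent",
    factor_status={"Tool Misuse": "Not Evaluated",          # parent; overridden by children
                   "Tool Misuse / subfactor 1": "Present",
                   "Tool Misuse / subfactor 2": "Unsure",
                   "Memory Poisoning": "None"},
    links={V1: ["Tool Misuse", "Memory Poisoning"], V2: ["Tool Misuse"], V3: ["Tool Misuse"]},
    children={"Tool Misuse": ["Tool Misuse / subfactor 1", "Tool Misuse / subfactor 2"]},
)
CODING_AGENT = AISystem(
    "coding-agent",
    factor_status={"Privilege Compromise": "Present", "Memory Poisoning": "Unsure"},
    links={V4: ["Memory Poisoning"], V2: ["Privilege Compromise"]},
)

if __name__ == "__main__":
    for row in prioritize([SUPPORT_AGENT, CODING_AGENT]):
        print(row)
```

Two things the sample data is built to show. First, the status-first sort means a confirmed (Present) factor linked to a Low vulnerability outranks an Unsure factor linked to a Critical one in the enterprise view: it lands at priority 1 in category C, ahead of the category G row. Second, the parent "Tool Misuse" factor is never set directly; one Unsure subfactor pulls it to Unsure, which moves every vulnerability linked to it out of the A-C group. The pair with status None and the VULN-3 link with severity None never appear, and VULN-2 appears twice because it is linked to two systems.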