Chris Niedzwiedz

Common Vulnerability Scoring System (CVSS), the Common Weakness Scoring System (CWSS), the Common Configuration Scoring System (CCSS), and so forth. All of these scoring systems do improper math on nonmathematical objects for the purpose of aggregating some concept of risk. These wouldn’t have the same problems as a risk matrix, but they introduce others—such as the mathematical no-no of applying operations like addition and multiplication to ordinal scales. As the authors have stated it in presentations on this topic, it is like saying “Birds times Orange plus Fish times Green equals High.”
How to Measure Anything in Cybersecurity Risk