Using ArchiMate and Bills of Materials to assess an organization’s specific CVSS Environmental Metrics – A Methodology

MASTER Assignment

Type: Master M-CS

Period: June - November, 2025

Student: Bakker, T.P. (Thijmen, Student M-CS)

Date Final project: November 26, 2025

Thesis

Supervisors:

ir. F. Fransen (TNO)

Abstract:

With the increasing reliance on technology in organizations, the potential for vulnerabilities to be inadvertently exposed is growing, placing greater strain on Security Operations Centers (SOCs). Effectively managing SOC workloads requires an accurate assessment of the severity of newly discovered vulnerabilities. However, existing frameworks for evaluating the organizational impact of vulnerabilities, based on how software is specifically deployed, typically require manual analysis and difficult-to-obtain information.

This thesis proposes an extension to the Common Vulnerability Scoring System (CVSS) to automate and contextualize vulnerability assessment. The approach integrates ArchiMate Enterprise Architecture models with CycloneDX Software Bills of Materials (SBOMs) to deterministically re-evaluate the CVSSv4.0 Base metric group through the Environmental metric group. A novel Data Sensitivity extension is introduced to enrich the Confidentiality impact metric, implemented using the official CVSS Special Interest Group (CVSS SIG) extension framework.

A specialized Business Impact Assessment (BIA) method is developed to quantify the CVSS CIA (Confidentiality, Integrity, Availability) Requirement metrics, while additional methods leverage SBOM data to automate re-assessment of base metrics before requiring vulnerability-specific details. The results include (1) a new form of BIA, (2) a methodology and data schema for environmental-specific metric assessment, and (3) a formal extension to the CVSS standard that enables more efficient vulnerability prioritization and time management within SOC operations.
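The abstract describes the pipeline only at a high level: match an advisory against a CycloneDX SBOM, pull the affected component's deployment context out of the architecture model, take CR/IR/AR from the BIA, and emit a CVSS v4.0 Environmental vector. The following Python is an added illustration of that shape of pipeline, not the thesis's method, data schema or Data Sensitivity extension. Only the vector-string format (metric names and their order) follows the CVSS v4.0 specification; the SBOM fragment, the advisory identifier, the purls, the context fields (exposure, data_sensitivity, bia) and the mapping rules from context to modified metrics are constructed assumptions chosen to make the example run offline.

```python
import json

# Metrics a CVSS v4.0 base vector must carry, in vector-string order.
BASE_METRICS = ["AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"]
# Environmental metrics, in the order the v4.0 vector string lists them.
ENV_METRICS = ["CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
               "MVC", "MVI", "MVA", "MSC", "MSI", "MSA"]
AV_RANK = {"N": 3, "A": 2, "L": 1, "P": 0}   # higher = more reachable

# Constructed CycloneDX SBOM fragment (not a real inventory).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http-lib", "version": "2.3.1",
     "purl": "pkg:pypi/example-http-lib@2.3.1"},
    {"type": "library", "name": "example-json-lib", "version": "1.0.0",
     "purl": "pkg:pypi/example-json-lib@1.0.0"}
  ]
}"""

# Constructed advisory: hypothetical identifier, affected purl and base vector.
VULN = {
    "id": "VULN-EXAMPLE-1",
    "affects": ["pkg:pypi/example-http-lib@2.3.1"],
    "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
}

# Constructed per-component context, assumed to be exported from the ArchiMate
# model (exposure, data_sensitivity) and from the BIA (CR/IR/AR).
CONTEXT = {
    "pkg:pypi/example-http-lib@2.3.1": {
        "exposure": "internal",        # assumed values: internet | internal | none
        "data_sensitivity": "high",    # assumed values: high | low | none
        "bia": {"CR": "H", "IR": "M", "AR": "L"},
    },
}

# Assumed rule: network exposure caps how reachable the component really is.
EXPOSURE_TO_MAV = {"internet": "N", "internal": "A", "none": "L"}


def parse_vector(vector):
    """Parse 'CVSS:4.0/AV:N/...' into a dict; reject wrong version or missing metrics."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        if not value:
            raise ValueError(f"malformed metric {part!r}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"base vector missing {missing}")
    return metrics


def affected_components(sbom, affected_purls):
    """Return the SBOM components whose purl is listed as affected by the advisory."""
    wanted = set(affected_purls)
    return [c for c in sbom.get("components", []) if c.get("purl") in wanted]


def environmental_modifiers(base, ctx):
    """Derive Environmental metrics from deployment context (rules are assumptions)."""
    mods = {}
    cap = EXPOSURE_TO_MAV[ctx["exposure"]]
    if AV_RANK[cap] < AV_RANK[base["AV"]]:      # only ever lower reachability
        mods["MAV"] = cap
    sens = ctx["data_sensitivity"]               # stand-in for a sensitivity rating
    if sens == "none" and base["VC"] != "N":
        mods["MVC"] = "N"
    elif sens == "low" and base["VC"] == "H":
        mods["MVC"] = "L"
    for req in ("CR", "IR", "AR"):               # requirements come from the BIA
        mods[req] = ctx["bia"][req]
    return mods


def environmental_vector(base_vector, mods):
    """Append the Environmental group in spec order; unchanged metrics stay omitted (X)."""
    parse_vector(base_vector)                    # validate before extending
    tail = [f"{m}:{mods[m]}" for m in ENV_METRICS if m in mods]
    return "/".join([base_vector, *tail])


def assess(sbom_json, vuln, context):
    """Match advisory to SBOM, re-assess each affected component that has context."""
    sbom = json.loads(sbom_json)
    base = parse_vector(vuln["vector"])
    results = []
    for comp in affected_components(sbom, vuln["affects"]):
        ctx = context.get(comp["purl"])
        if ctx is None:
            continue                             # no context: leave for manual triage
        mods = environmental_modifiers(base, ctx)
        results.append({"purl": comp["purl"], "mods": mods,
                        "vector": environmental_vector(vuln["vector"], mods)})
    return results


if __name__ == "__main__":
    for r in assess(SBOM_JSON, VULN, CONTEXT):
        print(VULN["id"], r["purl"], r["vector"])
```

The resulting string can be handed to any CVSS v4.0 calculator for the Environmental score; the example deliberately stops at the vector because the v4.0 MacroVector scoring tables are the part that must come verbatim from the specification, not from a rule of thumb. Note that the exposure rule only ever lowers MAV, and a component without deployment context is skipped rather than silently scored at base values, which is the failure mode a SOC would otherwise not notice.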