nerdexam
Cisco

210-255 · Question #122

How is confidentiality defined in the CVSS v3.0 framework?

The correct answer is C. confidentiality of the information resources managed by a software component due to a. In CVSS v3.0, confidentiality impact is defined in terms of the information resources managed by a software component that are affected by a successfully exploited vulnerability.

Security Monitoring

Question

How is confidentiality defined in the CVSS v3.0 framework?

Options

  • Aconfidentiality of the information resource managed by person due to an unsuccessfully exploited
  • Bconfidentiality of the information resource managed by a person due to a successfully
  • Cconfidentiality of the information resources managed by a software component due to a
  • Dconfidentiality of the information resource managed by a software component due to an

How the community answered

(15 responses)
  • A
    7% (1)
  • C
    87% (13)
  • D
    7% (1)

Why each option

In CVSS v3.0, confidentiality impact is defined in terms of the information resources managed by a software component that are affected by a successfully exploited vulnerability.

Aconfidentiality of the information resource managed by person due to an unsuccessfully exploited

This choice incorrectly references a person instead of a software component and describes an unsuccessful exploit, whereas CVSS measures impact from successful exploitation.

Bconfidentiality of the information resource managed by a person due to a successfully

This choice incorrectly attributes the confidentiality impact to a person rather than a software component, which is not consistent with CVSS v3.0 terminology.

Cconfidentiality of the information resources managed by a software component due to aCorrect

CVSS v3.0 scopes its metrics around software components, not people, because the scoring system is designed to measure the technical impact on the vulnerable software and any components it manages. Confidentiality is therefore measured as the impact on information resources managed by a software component resulting from a successful exploit. Using 'software component' is the precise CVSS v3.0 terminology that distinguishes it from broader or human-centric definitions.

Dconfidentiality of the information resource managed by a software component due to an

This choice correctly references a software component but incorrectly describes an unsuccessful exploit, whereas CVSS v3.0 confidentiality impact is defined in terms of successful exploitation.

Concept tested: CVSS v3.0 confidentiality impact metric definition

Source: https://www.first.org/cvss/v3.0/specification-document

Topics

#CVSS v3.0#confidentiality metric#vulnerability scoring#software components

Community Discussion

No community discussion yet for this question.

Full 210-255 Practice