Basically there are 4 different scales available for measuring things:

- Nominal scale - Assigning data to named categories or levels.
- Ordinal scale - A Nominal scale but the levels have a defined order.
- Interval scale - An Ordinal scale but the differences between levels, or units, are well defined.
- Ratio scale - An Interval scale but with a non-arbitrary zero-point.

Sometimes we have an Ordinal scale that looks like an Interval or Ratio scale, for instance when we assign a numeric value to the levels, e.g. asking people how much they like something on a scale of 1 to 5. But this is still an Ordinal scale, and although we can assume that the difference between each level is a constant amount, nothing actually makes that true. Thus the average amount that people like something, e.g. 2.2, is often a meaningless number.

When reading about this I was reminded of the way vulnerabilities are categorised and how we would so dearly like to be able to assign numbers to them so we can do some math and reach some greater insight into the nature of the vulnerabilities we have to deal with. The Common Vulnerability Scoring System (CVSS) suffers essentially from this problem; vulnerabilities are assigned attributes from certain (ordered) categories, and then a complicated formula is used to derive a number in a range from 1 to 10. It is basically optimistic to think that a complicated formula can bridge the theoretical problem of doing math on values from an Ordinal scale. I wouldn't necessarily go to the other extreme and say it makes CVSS totally without merit - just that it's not the metric you likely wish it was.
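To make the argument concrete, here is an added example (not part of the original post) that scores the same findings under two numeric codings that both respect the ordering of the levels: the comparison by mean flips, while the comparison by median does not depend on the coding at all. The severity labels, both codings and the two finding lists are constructed for illustration and are not CVSS weights.

```python
from statistics import mean

# Ordinal severity levels: only the order is meaningful (labels are assumed).
LEVELS = ["Low", "Medium", "High", "Critical"]

# Two numeric codings that both preserve the order above (assumptions).
CODING_LINEAR = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
CODING_STEEP = {"Low": 1, "Medium": 2, "High": 3, "Critical": 10}

# Constructed findings for two hypothetical systems.
SYSTEM_A = ["High", "High", "High", "High", "High"]
SYSTEM_B = ["Low", "Low", "Medium", "Critical", "Critical"]


def mean_score(findings, coding):
    """Average of the numeric codes: treats the ordinal scale as interval."""
    return mean(coding[f] for f in findings)


def median_level(findings):
    """Middle finding by rank (upper middle for even-length lists)."""
    ranked = sorted(findings, key=LEVELS.index)
    return ranked[len(ranked) // 2]


def worse_by_mean(a, b, coding):
    """Which system looks worse when comparing mean scores ('tie' if equal)."""
    ma, mb = mean_score(a, coding), mean_score(b, coding)
    return "tie" if ma == mb else ("A" if ma > mb else "B")


def worse_by_median(a, b):
    """Which system looks worse when comparing median levels; needs no coding."""
    ra, rb = LEVELS.index(median_level(a)), LEVELS.index(median_level(b))
    return "tie" if ra == rb else ("A" if ra > rb else "B")


if __name__ == "__main__":
    for name, coding in (("linear", CODING_LINEAR), ("steep", CODING_STEEP)):
        print(name, mean_score(SYSTEM_A, coding), mean_score(SYSTEM_B, coding),
              "worse by mean:", worse_by_mean(SYSTEM_A, SYSTEM_B, coding))
    print("worse by median:", worse_by_median(SYSTEM_A, SYSTEM_B))
```

Nothing in the data says which of the two codings is the right one, which is exactly why a mean-based ranking of ordinal severities is arbitrary.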
