Today, computer networks face intelligent attackers who combine multiple vulnerabilities to penetrate networks with destructive impact. The overall network security cannot be determined by simply counting the number of vulnerabilities. Due to the less predictable nature of software flaws the authors can't measure the security risk of unknown vulnerabilities. This affects to security metrics, because a safer configuration would be of little value if it were equally vulnerable to zero-day attacks. In this paper, instead of just measuring how much such vulnerability would be required for compromising network assets they can also attempting to rank unknown vulnerabilities.