# CVSS-like Scoring System Each metric (bold) comes with meaning, value range and corresponding [CVSS](https://www.first.org/cvss/specification-document) metric if any. ### 1. Base Metric Group #### Exploitability - **Propogation channels**: - Corresponding CVSS metric: *Attack Vector* - Meaning: How can the misinfo got spread. Usually, the more channels, the more severity. - Value Range: 0-10, based on how many channels are involved during propagation. - **Difficulty to distinguish** - Corresponding CVSS metric: *Attack Complexity* - Meaning: How deceptive can the misinfo be? (This includes both how true is the misinfo, and how good it sugar-coated itself.) - Value Range: 0-10 ( or not deceptive at all, only a small part is deceptive, most part is deceptive, the entire campaign is deceptive). - **Targeted people**: - Corresponding CVSS metric: *Privileges Required* - Meaning: Is the misinfo targeting average people, or targeting specific groups? - Value Range: 0-10, based on how many groups of people are targeted. (Maybe: high, medium, low/none) - **Relevance** - Corresponding CVSS metric: *User Interaction* - Meaning: How relevant is the misinfo? Is it close to target group's life so that they will definately spend time reading the misinfo, or it is not relevant/funny enough so that most people may neglect it? - Value Range: 0-10 - **Campaign Focus** - Corresponding CVSS metric: *Scope* - Meaning: What is the objective/pupose/aim of such misinfo campaign? Are they planning to cause large harm/impact? - Value Range: 0-10, depending on 1) how many targets, 2) are these targets malicious - **Actors** - Corresponding CVSS metric: N/A - Meaning: Who initiated such misinfo campaign? - Value Range: 0-10, based on how many actors and how strong these actors are (e.g. government actors are stronger than conspiracy group) #### Impact Thoughts: In CVSS, this metric group describes the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. To make a comparable metric group for misinfo campaigns, I think we need to consider: 1. chronological analysis: harm / impact already happend + will / may happen; 2. Harm level: Humanity (all human) -> Civilization (Most human) -> Country (Bil people) -> City (Mil) -> Neighborhood (less than K); 3. Affairs influenced: Health? Lives? Economy? Mental? Political? etc. - **Existing Impact** - Meaning: Impact already happend - Value Range: 0-10 (or the humanity to neighborhood measurement) - **Potential Impact** - Meaning: Impact will/may happen, by analysing potential victims. - Value Range: 0-10 (or the humanity to neighborhood measurement) - **Harm level** - Meaning: How bad are the overall harm and loss, including life loss, economy loss, political loss, science loss (maybe?). - Value Range: 0-10 (or we could use estimated economic loss number instead) (high/low) - **Affected affairs** - Meaning: What kinds of affairs are affected? Health? Lives? Economy? Mental? Political? etc. - Value Range: 0-10 - **Exposure**: - Meaning: How many people are actually affected by misinfo? - Value Range: 0-10 (or goes by the similar humanity to neighborhood measurement) ### 2. Temporal Metric Group Current state of misinfo exploits and remediation level. - **Exploit Chance** - Corresponding CVSS metric: *Exploit Code Maturity* - Meaning: The likelihood of the misinfo used for malicious purpose. - Value Range: 0-10 (or Low/Medium/High) - **Remediation Difficulty** - Corresponding CVSS metric: *Remediation Level* - Meaning: The difficulty/hope of fighting against the misinfo by proper rumor refuting. - Value Range: [Not Defined, Unavailable, Workaround, Temporary Fix, Official Fix] - **Report Confidence** - Corresponding CVSS metric: *Report Confidence* - Meaning: The degree of confidence in the existence of the misinfo and the confidence in the report. - Value Range: 0-10 (or [Not Defined, Confirmed, Reasonable, Unknown]) ### 3. Environmental Metric Group These metrics enable customization of the score, makes it more flexible. - **Information Requirements**: - Corresponding CVSS metric: *Security Requirements* - Meaning: Based on **Impact Metrics**, but could override the existing metrics. - Value Range: [Not Defined, Low, Medium, High]