CVSS has been one of the mainstay tools for estimating risk.
It’s less frequently used in computer viruses, but even less used in human-to-human transmission of a DNA virus. However, why not? In a computer world, there are networks, hosts, and a malware/virus travels across the network to incapacitate hosts.
The same things apply to human networks, while humans are hosts, and user is the almighty.
Base Metric Group
Attack Vector (AV)
Easy OTA transmission to another human with close contact (see below)
Attack Complexity (AC)
A close contact is defined as one of the followings:
- Any person who had contact (within 1 meter) with a confirmed case during their symptomatic period, including 4 days before symptom onset.
COMMENT: contact does not have to be direct physical contact.
- Any social or health care worker, who provided direct personal or clinical care, or examination of a symptomatic or asymptomatic confirmed case of COVID-19 or within the same indoor space, when an aerosol generating procedure was implemented.
- Any person who has resided in the same household (or other closed setting) as the primary COVID-19 case.
Privileges Required (PR)
The virus doesn’t require any authorisation from you.
User Interaction (UI)
The vulnerable human can be exploited without interaction from the almighty.
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.
All integrity is lost when attacked by the coronavirus as it inserts itself into our DNA string, and started reproducing itself via our own resources. Human’s immune system will start reacting to the intrusion. Currently, 52.7% has recovered, 3.38% are dead, and the rest 43.92% is uncertain.
The ill person loses all availability until the immune system start reacting to the intrusion.
Exploit Code Maturity (E)
The virus has highly matured code to attack human.
Remediation Level (RL)
There is no cure nor vaccine.
Report Confidence (RC)
Plenty of confirmed and dead patients.
Security Requirements (CR, IR, AR)
Not Defined (X)
Modified Base Metrics
Not Defined (X)
The same values as the corresponding Base Metric (see Base Metrics above), as well as Not Defined (the default).
Qualitative Severity Rating Scale
For some purposes it is useful to have a textual representation of the numeric Base, Temporal and Environmental scores. All scores can be mapped to the qualitative ratings defined in the table below.
Low 0.1 - 3.9
Medium 4.0 - 6.9
High 7.0 - 8.9
Critical 9.0 - 10.0
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C/CR:H/IR:H/AR:H gives us a base score of 9.3 which is Critical.
Self Isolation for 14 Days
A self isolation could be interpreted as reducing the attack vector to “Local” since you’ll only get infected by people close to you. This is not total isolation.
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C/CR:H/IR:H/AR:H gives you a base score of 9.0 which is still Critical.
Pandemic would change the attack vector to “Network” since the expectation of a pandemic is that everyone will get infected.
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C/CR:H/IR:H/AR:H gives you a base score of 10.0 which is the highest possible.