People First
Cybersecurity Assessment Proposal
CITE
- (C)ivilian (I)nternet (T)hreat (E)valuation
- (REP)ort - CITE-REP -> The JSON file, in the repo below
- CITE-SEC -> The "People First" Methodology, here
- CITE -> The Lua script, Algo, and draft CITE-REPs
Status: RC Draft
Revision: 1: 2023
Revision: 2: 12-01-2025
Purpose
This is meant to provoke free thinking, challenge assumptions, bring
intense discussion, and inspire new modalities, corrections,
directions, and approaches. It is an attempt to combine Philosophy with
Logic with regard to the safety and well-being of the species, from the
perspective of Communication(s) and Energy as Utilities to be provided
as a Human Right and as necessary components of Civilization growth.
Executive Summary
Having been a practicing Multi-domain rogue Cybersecurity Expert for
decades, including with Security Clearance and remote RSA Satellite
keyfob access to the National Computer Center, RTP, I've realized that
the CVSS scoring and CVE DB by themselves are unsatisfactory in the most
fundamental ways for the average Civilian. Historically, single CVE
scores in the 9-10 range have little to no effect on Information Space
users or on Earth's population, while having oversized impact on
Government and Corporate Policy in reaction to them.
This new system attempts to anticipate Civilization Impacting Exploit
Chains and assist Open Source Intelligence in remediating them before
they happen. The algorithm was tested using CITE-SEC proposed values for
WannaCry and Regin.
A new IEEE Spectrum Magazine Cover Editorial released November 23, 2025 is the perfect preface to this article.
If you have the time and want a full understanding I highly recommend you read Trillions Spent and Big Software Projects Are Still Failing
before you read this article. It's kind of a watershed moment in Engineering in my view.
Keys
- Criminal first security solutions are not fit for non-criminals
- This proposed evaluation system is "People First"
- This proposed evaluation system is "Civilian First"
- Civilians around the world are using a United States
Department of Defense Network (DARPA, ARPA --> MIT, Harvard), for all Internet
Activity.
- Arguably most digitally networked data exchange is done "off the
web" using Fiber Optic, WAN, Microwave, and Satellite
equipment that is not connected to or firewalled from "The
Internet".
- Arguably the total amount of digitally networked data exchanged
above is much higher than the Civilian Internet data exchanged in terms
of petabytes.
- Most of the above data is Military, Intra-Governmental,
Inter-Governmental, and Financial.
- Business/Corporate CIA impact has been removed
- Instead the greater and final degree of impact is used; you.
- Privacy is Security and Security is Privacy
- It is a biologically hardwired feature of homo sapiens to equate
loss of privacy with a survival/extinction response.
- There is currently an effort to behaviorally reprogram or deprogram
this feature out of homo sapiens
- Privacy/Confidentiality is a fundamental measure of Security
- The primary violators of Privacy/Confidentiality are the entities in
control of Cybersecurity Policy
- Time must be an important factor in threat analysis
- Current FIRST CVSS is low precision and common
- With single-decimal precision, tens of thousands of vulnerabilities
have the same score; this should be impossible.
- Does not aggregate to meaningful statistics over time
- Current FIRST CVSS is Corporate and Governance Policy focused, some
of the primary threat actors against Civilians and Citizens.
- CVSS-B measures Severity, not Risk
- CITE-SEC scoring system focuses on Risk, by assessing correlated
Threats, as a preventative measure.
- Preventative measures are always less impactful, more affordable, and
less degrading.
- CVSS-BTE is competitive as it is not a "common" evaluation and is
specific to environment.
- The NIST NVD is strongly encouraged to make CVSS-BTE v4.0 its
primary rating, along with providing the consumer a method to calculate
this score type.
- Sub-scores are Qualitatively Evaluated by a Cybersecurity
Expert
Explanation
We are quickly approaching sea changes in the way computer security is
handled. The result is reduced prevention control for Information
Systems (broadly inclusive: routers, networks, libraries) and reduced
privacy for end users, even though those end users experienced little
to no effect from these vulnerabilities despite months of unmitigated
exploitability, "remediated" by Corporate Policy Practices of too much,
too late. For that reason I'm introducing a Multiplex Information Space
Security Scoring System that is people first.
Principle
The foundational principle in effect is that reactive security
solutions, whether Government or Corporate, should have zero impact on
the end user. What is fit for criminals is not fit for non-criminals.
There are thousands of laws and policies to handle cyber criminals and
every surveillance tool imaginable to catch them. This philosophy and
the ensuing methodology espouse maximum prevention, resulting in
maximum end user functionality and control gain.
Flame - the most sophisticated malware strain ever created.
Discovered by Kaspersky and linked to the Equation Group (a codename for
the US NSA), Flame was described as the most advanced and sophisticated
malware strain ever created. It eventually lost this title when
Kaspersky found Regin two years later in 2014, but Flame's discovery
revealed the technical capabilities gap between the cyber arsenal of the
United States and all the other tools employed by other nation-state
groups. A subsequent report by the Washington Times claimed that Flame
was part of the same arsenal of hacking tools as Stuxnet, and was
primarily deployed against Iran. The malware hasn't been sighted since,
but its discovery is still considered today a major point in the
escalation of cyber-espionage operations all over the world.
Refutation
That features must be balanced against security is a false dilemma,
and in the end this false dilemma works for criminals, not against
them. One can recognize this in any new Engineering project where, in
essence, criminality is assumed and built in, which then retards
creation. Contrary to public perception and media coverage, the impact
of unaffiliated "hacker groups" is next to non-existent. Cyberattacks
with real impact are almost always well funded by a criminal syndicate,
a Corporation, an Intelligence Agency, or most often a Nation-State.
The technical world wide web has multitudinous steps where massive
traces are left. The most effective attacks come from non-consumer
networks such as Military Bases. The exception to this, and a well
studied one, is malevolent insider attacks from employees or from those
who otherwise gained insider access, often physical. In the end, in a
review of cases so far in history, whether those malevolent insiders
were proven spies, operatives, or free agents has been extremely
difficult to determine through court records, and for Governments
around the world to conclusively determine.
Methodology
Premises:
- A vulnerability is never alone and to score it alone is
ignorant
- CITE addresses threats that do currently exist but are of an unknown
future attack composition
- Remediated threats are removed when the vulnerability can no longer
be exploited in its defined compositional matrix
- Removal of threats reduces cognitive workload, IT output, and
business expense; there is no database, only the highest priority
threats with potential impact to Civilization.
- Every CITE-REP should be prioritized for immediate Cyberdefense
mitigation and then permanent neutralization.
- The longer a vulnerability to an exploit chain goes unaddressed, the
higher the score.
- 0 impact is impossible
- Undefined values are incalculable and therefore not modeled
This methodology does not: Provide basis point scores; it relies
instead on the analysis of cybersecurity experts for the basis of each
individual score.
This methodology does: Evaluate total risk by scoring threats, in
vulnerabilities, to exploits encompassing systems of systems; the
modern world.
New Modals
- Exploit Chain (discrete functioning facets of the combined
components)
- Exploit Chain Map
- Image of the exploit chain relationships and processes
- Exploit Chain Time To Impact
- Exploit Dwell Time
- Kaspersky Lab, two modules named ‘hopscotch’ and ‘legspin’ (2003)
were designed as standalone tools that seem to predate the Regin
platform by several years.
- Number of weeks a discretely functioning chain component has been
used in an attack
- Stages
- Number of discrete pre-requisite exploit states resulting in a
function necessary to endpoint progression.
- Exploit Chain Requirements
- Technical facets a vulnerable target has which allow
exploitation.
- Exploit Chain Propagation
- Number of components used to continue a threat
- Complexity (Inverse to Remediation)
- Layers/Nodes/Matrix of Complexity
- How many information space types were used. Firewall exploit >
Router exploit > OS exploit > SSH exploit > OS exploit (root)
> DB exploit > Ransom = 6
- Classification
- Target Requirements
- Environment specific requirements
- Timed
- Attack needs to be used during a certain window of opportunity,
specific date, or specific set of circumstances, e.g. Firewall
maintenance (1 highly time sensitive, 10 anytime)
- Common Operating Systems available to target
- UNIX
- Linux
- BSD
- Windows
- MacOS
- Industrial
Scoring Values
- 1-10
- From least impactful to worst outcome for Civilization
- n
- Quantitatively measured per category, facet count
Scale, Non-normalized
- 1-10 Nominal Civilization Impact
- 10-40 Recognizable Civilization Impact
- 40-60 Meaningful Civilization Impact
- 60-80 Critical Civilization Impact
- 80-90 Catastrophic Civilization Impact
- 90-100 Cataclysmic Civilization Impact
- 100+ Comparative Cataclysmic Civilization Impact
Wannacry Example Scoring
- Classifications: Ransomware, Worm, Trojan
- Form: Dropper
- Insertion Vector: Backdoor, Kernel-mode
- Components: EternalBlue, DoublePulsar
- Characteristics: Encryption (RSA-2048, AES-128-CBC), Encrypted key
file, TOR, URI, Crypto
- Complexity: Multi-mode components with encryption, modular,
multi-step, propagating, did not involve hardware/firmware = 8
- Target Requirements: SMB, Internet Access = 2
- Weeks Vulnerable: The number of weeks that all components of the
attack have been available and at least one component was used,
successfully or not.
- Microsoft was given the EternalBlue advisory by the NSA on approximately
February 1st, 2017, knowing it had been exploited; Microsoft then
released a patch on March 14th = 6
- Common and Intuitive valuation
- Threat
- Vulnerability
- Impact
- Exploit Chain:
- dwellTime: Shadow Brokers release April 8, 2017 - May 12th, 2017
infection = 5 (weeks)
- stages: EternalBlue > DOUBLEPULSAR > Infected >
DoublePulsar > Encryption = 5
- requirements: EternalBlue, DOUBLEPULSAR = 2
- propagation: DOUBLEPULSAR, URI, TOR, RDP = 4
- targetOperatingSystemTypes: Windows = 1
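As an added example (not the project's Lua script or its published Algo), the following Python models a CITE-REP as the JSON object the methodology describes, enforces the premises above (rated facets 1-10, facet counts non-negative, undefined values rejected, remediated threats removed), and maps a total onto the non-normalized Civilization Impact scale. The combination rule (a plain sum) is a stand-in of my own, the boundary handling is an assumption, and the WannaCry values are the ones from the worked example.

```python
import json

# Facets the page says an expert rates qualitatively on 1-10.
RATED_1_10 = ("complexity",)
# Facets measured quantitatively as a count ("n") per category.
COUNTED_N = ("targetRequirements", "weeksVulnerable", "dwellTime",
             "stages", "requirements", "propagation",
             "targetOperatingSystemTypes")

# Non-normalized scale from the page, highest floor first. A value on a
# boundary (e.g. exactly 10) goes to the higher band: an assumption, since
# the page lists both "1-10" and "10-40".
SCALE = ((100, "Comparative Cataclysmic"), (90, "Cataclysmic"),
         (80, "Catastrophic"), (60, "Critical"), (40, "Meaningful"),
         (10, "Recognizable"), (1, "Nominal"))

# Constructed CITE-REP for WannaCry, using the values from the example above.
WANNACRY_REP = json.dumps({
    "name": "WannaCry", "remediated": False,
    "complexity": 8, "targetRequirements": 2, "weeksVulnerable": 6,
    "dwellTime": 5, "stages": 5, "requirements": 2, "propagation": 4,
    "targetOperatingSystemTypes": 1,
})

def load_cite_rep(text):
    """Parse a CITE-REP and enforce the premises. Returns None for a
    remediated threat (it is removed from consideration, not scored)."""
    rep = json.loads(text)
    if rep.get("remediated"):
        return None
    for key in RATED_1_10 + COUNTED_N:
        val = rep.get(key)
        # "Undefined values are incalculable and therefore not modeled".
        if not isinstance(val, int) or isinstance(val, bool):
            raise ValueError(f"{key}: undefined or non-numeric, not modeled")
        if key in RATED_1_10 and not 1 <= val <= 10:
            raise ValueError(f"{key}: rated facets must be 1-10")
        if key in COUNTED_N and val < 0:
            raise ValueError(f"{key}: facet counts cannot be negative")
    return rep

def total_score(rep):
    """Placeholder combination rule: sum every modeled facet. Time facets
    add directly, so an unaddressed chain scores higher each week."""
    return sum(rep[k] for k in RATED_1_10 + COUNTED_N)

def impact_band(score):
    """Map a non-normalized total onto the Civilization Impact scale."""
    for floor, label in SCALE:
        if score >= floor:
            return label
    raise ValueError("0 impact is impossible")  # premise from Methodology

def score_report(text):
    rep = load_cite_rep(text)
    if rep is None:
        return None
    score = total_score(rep)
    return rep["name"], score, impact_band(score)
```

Running `score_report(WANNACRY_REP)` yields a total of 33 under the placeholder sum, which lands in the "Recognizable" band; the real CITE Algo may weight facets differently.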
Possible Future Features
- Add Civilization/National/Regional/Hemispherical, National Debt,
Financial Exchange Damage, Public Infrastructure Damage, Economic
Damage, each
- Account for Environmental Conditions, Global Socio-Economic
Conditions
CVSS Alternatives
- https://osv.dev/
- https://github.com/google/osv-scanner
- https://ossf.github.io/osv-schema/
- vuXML
tool
- Cron fetches vulnerability files; vulnerabilities reported in BSD are
emailed to the Sysadmin, comparing entries in the installed package db
vs the report.
References
https://github.com/xcp3r/WannaCry