
Field Journal #007: Original IP — Building, Not Borrowing

From the QIF Field Journal

Links and references verified 2026-02-21

State: Evaluating whether to adopt CVSS — the Common Vulnerability Scoring System — for rating BCI threats. It’s the industry standard. It’s what everyone uses. It would be the safe, credible choice.

Observation: I said no. And the moment I said it, something shifted.

CVSS was designed for IT vulnerabilities — buffer overflows, SQL injection, privilege escalation. Stretching it to score “memory erasure via hippocampal stimulation” is like scoring earthquake damage with a car crash severity scale. The domains are fundamentally different. A “critical” CVSS score means data breach or system compromise. A “critical” BCI threat means someone’s motor cortex fires involuntarily, or their memories get rewritten, or their sense of self destabilizes. These aren’t the same category of harm.

So I chose to build QIF’s own taxonomy. Its own scoring system. Its own language. NISS — Neural Impact Scoring System — instead of CVSS. Original architecture that honors what makes BCI threats unique: they target cognition, identity, and bodily autonomy, not servers and databases.

This decision changed what QIF is. Before, it was “applying security concepts to BCIs.” After, it’s “building a new security discipline.” The first borrows authority. The second earns it.

Attempt to explain: There’s a trap in academic and industry work where adopting existing frameworks feels safer because it borrows credibility. Everyone knows CVSS. Reviewers know CVSS. Saying “we use CVSS” is a shortcut to legitimacy. But when the domain is genuinely new, borrowed frameworks carry borrowed assumptions. CVSS assumes a network-connected device with confidentiality, integrity, and availability as the three pillars. A BCI threatens cognitive sovereignty. The pillars don’t transfer.

I also think there’s a pattern across this journal: Entry 002 was about seeing two things as one. Entry 003 was about governance before definition. Entry 004 was about protocols from scratch. And now this — taxonomy from scratch. Each time, the temptation is to reuse something existing. Each time, the domain demands something new. The pattern is: when the physics is novel, the framework must be novel.

Connected to:

  • Entry 004 — neural protocols from scratch instead of adapting HTTP
  • Entry 003 — you can’t answer “who governs brain data?” using a framework designed for server patches
  • QIF-DERIVATION-LOG Entry 43 — full NISS specification and taxonomy

Mood: Conviction. Like drawing a line in the sand and knowing it’s the right line.


This entry is part of the QIF Field Journal, a living, append-only research journal documenting first-person observations at the intersection of neurosecurity, BCI engineering, and neurorights. The journal exists because neural privacy is a right, not a feature. Tools like macshield protect digital identity on networks; this research works toward protecting cognitive identity at the neural interface.



Written with AI assistance (Claude). All claims verified by the author.