awesome-copilot/skills/impediment-prioritization/references/scoring-rubric.md

Scoring Rubric — Anchoring Examples

Anchor examples for each criterion at scores 1, 5, and 10. Use these to calibrate estimates. Interpolate for intermediate scores.

All scales are 1–10. See the main SKILL.md for formal definitions and the prioritization formula.

Anchors are drawn from multiple domains — pick the row closest to your countermeasure's character and adjust. If your domain isn't represented, reason by analogy.

---

Return on Investment (ROI)

1 = low efficiency gain to the step and value stream. 10 = high efficiency gain.

Score	Platform / DevEx	Security	SRE / Ops	App Dev / Governance
1	Cosmetic repo metadata cleanup (description, topics) on low-traffic repos.	Rotating a credential no service actually uses.	Renaming a dashboard widget.	Renaming variables to fix a lint warning nobody reads.
5	Adding CODEOWNERS to the top-20 most-active repos — targeted review coverage.	Enabling MFA for a single high-privilege admin group.	Adding SLO alerting to one tier-2 service.	Documenting API contracts for one service via OpenAPI.
10	Enforcing 2FA org-wide, enabling secret scanning + push protection, or shipping a CI pipeline to a team that previously merged untested.	Enforcing SSO + MFA enterprise-wide; removing standing admin rights.	Auto-remediating the top-2 pager-driving alert classes.	Replacing a failing manual approval gate with automated policy-as-code.

Cost to Implement

1 = inexpensive (minutes of admin time). 10 = very expensive (multi-quarter program, new licenses, dedicated headcount).

Score	Platform / DevEx	Security	SRE / Ops	App Dev / Governance
1	Flipping an org-level toggle — single admin, < 1 hour, no purchase.	Enabling a free advisory scanner in alert-only mode.	Adjusting an alert threshold.	Adding a CONTRIBUTING.md.
5	Rolling out org-wide rulesets across 50–200 repos — cross-team coordination, a week of engineering, no new SKU.	Implementing a secrets manager for one business unit.	Standing up centralized logging for a mid-size estate.	Refactoring a shared library used by ~10 services.
10	Enterprise-wide GHAS rollout on unlicensed repos — new seat purchase, procurement, security-team ownership, training funded for months.	Replacing identity provider; zero-trust program.	Multi-region active/active rearchitecture.	Re-platforming a monolith to services; multi-quarter, funded team.

Ease of Deployment

1 = extremely hard to deploy. 10 = very easy to deploy.

Score	Platform / DevEx	Security	SRE / Ops	App Dev / Governance
1	GHES → GHEC migration with custom SAML, self-hosted runners, LFS. Deep cut-over planning, downtime windows.	Enforcing SSO for the first time on a large enterprise without a grace period.	Live database engine swap with zero downtime.	Breaking API change across hundreds of downstream consumers.
5	Enabling Dependabot across all active repos — technically simple, operationally non-trivial (PR triage capacity, owner education).	Rolling out EDR agents to a mid-size fleet.	Adding distributed tracing to existing services — library upgrades + coordination.	Moving a shared config to a feature-flag service across ~20 services.
10	Adding a CODEOWNERS file or enabling auto-delete head branches on a single repo — one commit / one checkbox, immediate effect, trivial rollback.	Toggling secret scanning alerts on one repo.	Adjusting a retry policy in one service.	Adding a README section or a single lint rule.

Risk Factor

1 = low risk to the value stream. 10 = very high risk.

Score	Platform / DevEx	Security	SRE / Ops	App Dev / Governance
1	Enabling secret scanning in alerts-only mode. No developer-facing block; worst case is noisy alerts.	Adding a passive audit log export.	Adding a new dashboard; read-only.	Adding optional documentation.
5	Rolling out required status checks on default branches — can block releases if CI is flaky; recoverable by loosening rules or fixing CI.	Enforcing MFA on a subset of admins with a grace period.	Changing autoscaling thresholds — could over/under-provision temporarily.	Introducing a new required review policy.
10	Changing SAML SSO provider or enforcing SSO estate-wide without a grace period. Can lock users out and halt merges across the value stream.	Rotating all production secrets simultaneously without staged cutover.	Cut-over migration of the primary datastore with no parallel run.	Removing a widely-used public API version with no deprecation window.

---

Calibration Tips

• Cross-check: If ROI is 10 but Cost is also 10, the Priority formula still rewards it when Ease is high and Risk is low. That's intentional — high-leverage, high-investment work remains visible.
• Don't anchor Cost on license price alone. Human-capital time (security triage, onboarding, change management, review burden) dominates most rollouts.
• Risk ≠ Cost. A cheap change (toggle enforcement) can carry very high Risk if staged poorly.
• Ease ≠ ROI. A one-click change with low ROI still ranks modestly; the formula only pushes it up if Risk is also very low.
• Estimate explicitly. When you don't have data or user-confirmed context, score against the anchor and mark the rationale (estimated).
• Domain mapping. If your item doesn't match any column, pick the closest analog (scale of blast radius, reversibility, and human-hours is what matters — not the technology).