The approach to risk scoring that's being used is described here: https://owasp.org/www-project-top-ten/2017/Note_About_Risks
In this draft, the text in the Exploitability, Prevalence, Detectability, and Impact table at the top of each category doesn't match the methodology very well.
Currently, the text in the likelihood boxes is a bit mixed up. Some list prevalence factors in the exploitability box. Others don't describe the prevalence factors at all. Most of the detectability descriptions focus on detection of exploits (with logging, etc.) rather than on factors related to detecting vulnerabilities. The technical impact descriptions are mostly okay; maybe revisit them with CIAA in mind.
- Exploitability is supposed to describe how easy it is for expected threat agents to actually exploit this vulnerability: theoretical (1), difficult (3), easy (5), exploits published (9).
- Prevalence is supposed to describe how widespread this class of vulnerability is. Data would be very helpful here.
- Detectability is supposed to describe the awareness of this vulnerability and how difficult it is to discover: practically impossible (1), difficult (3), easy (7), automated tools available (9).
- Technical Impact should estimate the magnitude of the damage to confidentiality, integrity, availability, and accountability if this vulnerability were to be exploited.
Note that we should probably continue the practice of having an empty box at the beginning for "threat agent", since we can't know about a user's specific threat profile, and an empty box at the end for business impact, as it is impossible to gauge without context. So there should be six boxes in total.