Control Strategies

Means that host Gateway has more than one cellular network interface.

If subnet LogicalSubnet uses an AAA service to control access, supplicant device Host can connect if it has a SIM card containing a key provisioned by the AAA system.

The host device Host enforces an access control policy for a stored copy of Data.

The data service Service enforces an access control policy for a stored copy of Data.

Data Data is static data inserted into the system on deployment and not altered subsequently by any process in the system. This control strategy is used to negate modelling error threats that detect cases where data is not created by any process.

The use of resources by host Host is limited to the level specified in a service level agreement with the hosting data centre DataCentre.

The use of resources by host Host is limited to the level specified in a service level agreement with the hosting data centre DataCentre.

The (virtual) device Host is operating as a cluster, which allows automatic scaling of the number of instances to meet the load placed upon the host. This must be configured in advance, so it is a blocking strategy, not a contingency plan or run-time threat response.

CSG-AutoSuspendUntrustworthyClientAccess-Implementation-Runtime
Access to service Service by client Client has been automatically disabled to prevent authenticated attacks by compromised clients. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. Activation at runtime requires Service to be managed by a suitable adaptation framework. The Disable Client Access control should be deselected if and when access by Client to Service has been enabled once again.

Access to service Service by client Client may be automatically disabled to prevent authenticated attacks by compromised clients, at the cost of some reduction in availability. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated.

Access to service Service by client Client may be automatically disabled to prevent authenticated attacks by impersonated clients, at the cost of some reduction in availability. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated.

The sending of data Data from FlowsFrom to FlowsTo has been automatically disabled to prevent leaking of data. This strategy represents activation of a contingency plan at runtime, and can be enabled to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. Activation at runtime requires FlowsFrom to be managed by a suitable adaptation framework. The Disabled Data Flow control should be deselected if and when the flow of data is enabled once again.

CSG-AutoSuspendUnauthenticClientAccess-Implementation-Runtime

Access to service Service by client Client has been automatically disabled to prevent authenticated attacks by impersonated clients. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. Activation at runtime requires Service to be managed by a suitable adaptation framework. The Disable Client Access control should be deselected if and when access by Client to Service has been enabled once again.

Access to service Service by client Client has been automatically disabled to prevent the service forwarding excessive requests or becoming overloaded itself. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. Activation at runtime requires Service to be managed by a suitable adaptation framework. The Disable Client Access control should be deselected if and when access by Client to Service has been enabled once again.

Access to service Service by client Client may be automatically disabled to prevent the service forwarding excessive requests or becoming overloaded itself, at the cost of some reduction in availability. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated.

The flow of data Data from FlowsFrom to FlowsTo has been automatically disabled to prevent corrupt or malicious content (including malware) from disrupting the recipient FlowsTo. This strategy represents activation of a contingency plan at runtime, and can be enabled to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. Activation at runtime requires FlowsTo to be managed by a suitable adaptation framework. The Disabled Data Flow control should be deselected if and when the flow of data is enabled once again.

The flow of data Data from FlowsFrom to FlowsTo can be automatically disabled to prevent corrupt or malicious content (including malware) from disrupting the recipient FlowsTo. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated.

Automated provisioning is specified at process Process, but this is an inappropriate control selection because user Human is using the process interactively.

Faulty instances of the process Process can be detected by monitoring, halted, and a replacement provisioned automatically.

Faulty instances of the virtual device Host can be detected by monitoring, halted, and a replacement provisioned automatically.

The sending of data Data from FlowsFrom to FlowsTo can be automatically disabled to prevent leaking of data. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated.
Process Process uses homomorphic encryption technology to perform calculations on data Data in an encrypted domain, allowing it to process the data without first decrypting it.

Process Service uses homomorphic encryption technology to perform calculations on data Data in an encrypted domain, allowing it to process the data without first decrypting it.

Process Service uses homomorphic encryption technology to process queries on data Data in an encrypted domain, allowing it to serve the data without decrypting it.

Database service Service stores data using the Parquet format, enabling it to run queries by selective decryption of the stored data Data, whether this is done locally or at a remote data store. This imposes far less overhead, as the amount of data that must be decrypted is small.

The sending of data Data from FlowsFrom to FlowsTo has been disabled by the manager ProcessManager of FlowsFrom to prevent leaking of data. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user ProcessManager who is responsible for managing process FlowsFrom. The Disabled Data Flow control should be deselected only when the flow of data is enabled again.

The flow of data Data from FlowsFrom to FlowsTo has been disabled by the manager ProcessManager of FlowsTo to prevent corrupt or malicious content (including malware) disrupting the process. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user ProcessManager who is responsible for managing process FlowsTo. The Disabled Data Flow control should be deselected only when the flow of data is enabled again.

The flow of data Data from FlowsFrom to FlowsTo can be temporarily blocked by the manager ProcessManager of sending process FlowsFrom to prevent leaking of data. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated.

Processes Service and Client share data Data in encrypted form, but use keys to encrypt or decrypt between transfer and processing, implying a need for the keys used with Data to also be shared.

The flow of data Data from FlowsFrom to FlowsTo can be temporarily blocked by the manager ProcessManager of recipient process FlowsTo to prevent corrupt or malicious content (including malware) from disrupting the process. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated.

The flow of data Data from FlowsFrom to FlowsTo has been disabled. This control strategy represents a permanent restriction introduced by design, or a temporary situation created following activation of a contingency plan. In the latter case, this control strategy should not itself be selected, because its controls will be fulfilled by the contingency plan activation strategy.
Makes it possible to check if the stored copy of Data on Host has been altered by an unauthorised process.

The data Data flowing between processes FlowsFrom and FlowsTo is encrypted by the two processes (i.e. not relying on transport level encryption).

The copy of Data stored on Host is encrypted.

Process Service has a key for encrypting or decrypting data Data.

The data Data flowing between processes FlowsFrom and FlowsTo is encrypted end-to-end (i.e. not relying on transport level encryption), and FlowsFrom has the key needed to encrypt the data for transmission.

The data Data flowing between processes FlowsFrom and FlowsTo is encrypted end-to-end (i.e. not relying on transport level encryption), and FlowsTo has the key needed to decrypt the data on arrival.

Makes it possible to check that a copy of Data flowing from FlowsFrom to FlowsTo has not been accidentally or deliberately altered by an intermediary or in transit.

The data Data sent by FlowsFrom to Process is encrypted end-to-end (i.e. not relying on transport level encryption).

The data Data sent by Process to FlowsTo is encrypted end-to-end (i.e. not relying on transport level encryption).

The stored copy of Data is protected by creating multiple copies across a cluster of instances of Host.

Process Process has a key for encrypting or decrypting data Data.
The jurisdiction Jurisdiction is subject to the GDPR.

The person DataSubject is a citizen or resident of a state that is subject to the GDPR.

Processing of Data under GDPR Art 6.1d (protection of vital interests). The Vital Interests control means the processing by process Process has been analysed by the relevant experts, who have documented the case for it being considered necessary to protect the vital interests of the data subject or another natural person.

Organisation Operator has Privacy Shield status under the GDPR, i.e. they are committed to respect and uphold the GDPR when handling personal data from EU citizens and residents, even though they are based outside the EU.

The jurisdiction RemoteJurisdiction is subject to the GDPR.

The flow of data Data between FlowsFrom and Process has been analysed by legal experts and found to be compliant with the GDPR.

The jurisdiction Jurisdiction is subject to the GDPR.

Processing of Data under GDPR Art 6.1b (performance of a contract), Art 6.1c (to comply with regulation), Art 6.1e (in the public interest) or Art 6.1f (legitimate interests). The Governance control means the processing by process Process has been analysed by the relevant experts, who have documented the case for it being considered lawful under one of these provisions. Access to the data must still be logged by its storage device SHost.

Processing of special category data Data to protect vital interests must have the consent of the data subject DataSubject if they are in a position to make a consent decision. One must check their competence to make such a decision, and provide a consent interface to support this if they can. The data Data must then be protected by a policy managed according to their consent decision(s) and linked to their data, with an enforcement point at Service, the process accessing their data. If the subject cannot provide a consent decision, it is legal to proceed, so there should be a way to bypass the enforcement point only in that case via a break-the-glass protocol. Finally, access to the data must be logged (including use of this override).

Processing of personal data by consent is legal if the subject DataSubject is old enough (16+, or a lower limit in some states). The user interface for role DataSubject should include measures to ensure this. Competence Check represents a check whether DataSubject is old enough to provide consent; Guardian Consent signifies that reasonable efforts must be made to get authorisation from their legal guardian where this proves not to be the case.

Processing of Data under GDPR Art 6.1d (protection of vital interests). The Vital Interests control means the processing by process Process has been analysed by the relevant experts, who have documented the case for it being considered necessary to protect the vital interests of the data subject or another natural person. Access to the data must still be logged by its storage device SHost.

The flow of data Data from FlowsFrom to Process can be temporarily disabled by the manager Human1 of FlowsFrom to prevent a breach of GDPR regulations by its transmission to Process. This strategy represents a contingency plan, which can be used to prevent such a breach, but it may also trigger other threats representing possible side effects.

Processing of Data by consent of the data subject DataSubject, where they have control over the device SHost providing the data, and so can enforce restrictions consistent with their own consent decisions. It is still necessary to have a consent interface, but policy enforcement is up to the data subject.

Processing and/or storage of Data by consent of the data subject DataSubject, by including a means for them to express consent via their interface to the system, maintaining an access control policy for Data based on their consent decisions, and enforcing the policy using an enforcement point in the data access path at Service.

Processing of special category data Data to protect vital interests must have the consent of the data subject DataSubject if they are in a position to make a consent decision. One must check their competence to make such a decision, and provide an interface that explains the purpose of processing. Enforcement can be handled by the DataSubject if they control the storage device, consent being inferred if they allow access. If they are not able to provide a consent decision, it is legal to take their device and access it outside their control.

The flow of data Data from FlowsFrom to Process has been disabled by Human1 to prevent a breach of the GDPR. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user Human1 who is responsible for managing the service FlowsFrom.
The IoT controller device Controller can be disabled if it becomes unreliable, to prevent it causing problems in the physical environment where it operates. This strategy represents a contingency plan, which can be used to reduce risk from some threats. However, it will trigger threats representing the resulting loss of availability.

This strategy represents a state in which IoT controller device Controller is suspended due to using a contingency plan. It is used as a trigger for threats representing side effects, and should not be used for any other purpose.

The IoT controller device Controller has been set to operate within safety limits in response to an interruption in real-time control inputs, such that it poses no danger to the physical system it regulates. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing the device. The Safe IoT Controller control should be deselected only when the restrictions on Controller have been lifted.

The IoT controller device Controller has been disabled when it becomes unreliable, to prevent it causing problems in the physical environment where it operates. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing the device. The Disabled Host control should be deselected only when the host has been restarted.

The IoT controller device Controller is regulating a physical system where it is not necessary to get real-time updates to control input data, due to the nature of the IoT application. This control strategy does not represent a contingency plan to constrain Controller at run-time, but should be used to signal that the IoT application is not sensitive to temporary interruption in the flow of control inputs.

The IoT device Sensor implements a process for measurement of a physical system where it is not necessary to get real-time updates to control input data, due to the nature of the application. This control strategy does not represent a contingency plan but indicates that the application is not sensitive to interruptions in control inputs.

The IoT controller device Controller can be set to operate within safety limits such that it poses no danger to the physical system it regulates, even without real-time control inputs. This strategy represents a contingency plan, which can be used to reduce risk from some threats. However, it may trigger other threats, or produce some loss of efficiency or function in the physical system.

Bluetooth mesh routing is disabled in device Gateway, preventing it routing between its Bluetooth connections from FromHost to ToHost. This strategy does not represent a contingency plan, but a permanent restriction introduced by design or in accordance with an operational policy or user preference. It also triggers threats representing side effects that would be caused by such a restriction. The default configuration for most Bluetooth enabled hosts is to have mesh routing disabled, but the model must assume it is enabled unless the control is selected, or potential threats may be overlooked.

Tethering (or reverse tethering) is disabled between device Host and IP subnet LogicalSubnet via the USB/Bluetooth connection with device Gateway, so it cannot be used by attackers. This strategy does not represent a contingency plan, but a permanent restriction introduced by design or in accordance with an operational policy or user preference. It also triggers threats representing side effects that would be caused by such a restriction. The default configuration for most devices is to have tethering disabled, but the model must assume it is enabled unless controls are selected to signify otherwise, or potential threats may be overlooked.

Secure Simple Pairing (SSP) is used between RemoteHost and Host, following the Numeric Comparison or Passkey association model, in which the connection is confirmed by the user by entering a shared key or confirming successful sharing of such a key by the two devices.

Secure Simple Pairing (SSP) is used between RemoteHost and Host, following the Just Works association model with user confirmation at Host. This is effective in preventing spoofing in insecure locations, but depends on there being one secure location where the numerical comparison can be made safely, and then the result stored for subsequent use.

Secure Simple Pairing (SSP) is used between RemoteHost and Host, following the Just Works association model with user confirmation at RemoteHost. This is effective in preventing spoofing in insecure locations, but depends on there being one secure location where the numerical comparison can be made safely, and then the result stored for subsequent use.
Device Host is physically monitored to rapidly detect if it has been physically removed, altered or substituted, so its manager HostManager can address any physical compromise. This strategy represents a contingency plan included in the system operating policies and practices, e.g. to repair or replace the affected device. Activation of the plan restores normal service, but if the device was stolen the attacker still has possession of the original, which could still be misused.

Device Host having been found to be physically removed, altered or substituted, action has been taken by its manager HostManager to restore normal service. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To implement the plan at runtime, signal HostManager that the problem was detected with Host, which may need repair or replacement.

The software for process Process has been assessed and certified to be secure by independent experts. The process is unlikely to contain exploitable bugs, though the assessment may become outdated so should be renewed from time to time. Note that this does not prevent bugs that are present being discovered and exploited by attackers, so it is a prior mitigation only, which is ignored in current (run-time) risk calculations.

To prevent passive snooping in radio network LogicalSubnet, one can configure the network to use encrypted radio communication in LogicalSubnet.

Device Host can be remotely wiped by its user Human if the device is lost or stolen, permanently removing accounts, security keys and data. This strategy represents a contingency plan

Device Host is configured securely: passwords or other authentication are set up, including resetting default passwords for all user and administrator accounts; auto-run features are disabled to prevent execution without user authorisation of files from removable storage or from the internet; and unnecessary software, especially network accessible services, is removed or disabled.

Remote access service Service runs a restricted shell on SHost, such that remote users cannot gain full access to the host, and can only run specific application processes on SHost (those controlled by Service).

Device Host is configured to prevent alteration of its software by physical insertion during its boot sequence.

Device Gateway having been found to be physically removed, altered or substituted, action has been taken by its manager HostManager to restore normal service. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To implement the plan at runtime, signal HostManager that the problem was detected with Gateway, which may need repair or replacement.

Uses hardware security on device Host to bootstrap a protected enclave in which Process can execute without interference, even by someone with admin rights at Host.

Device Host has been remotely wiped by its user after being stolen. To implement this at runtime, signal the device user Human that the action should be taken. The control strategy is used to model the effect this should have so it can be considered as an option in current (runtime) decision support calculations. To activate it at runtime, signal user Human who is responsible for the device. Then deselect the ManualActionTaken control and restore the asserted Possession TWL of Host once the action has been confirmed.

Device Gateway is physically monitored to rapidly detect if it has been physically removed, altered or substituted, so its manager HostManager can address any physical compromise. This strategy represents a contingency plan included in the system operating policies and practices, e.g. to repair or replace the affected device. Activation of the plan restores normal service, but if the device was stolen the attacker still has possession of the original, which could still be misused.

The software for process Process has been tested and certified to be secure by independent experts. The process is unlikely to contain exploitable bugs, though the assessment may become outdated so should be renewed from time to time. Note that this does not prevent bugs that are present being discovered and exploited by attackers, so it is a prior mitigation only, which is ignored in current (run-time) risk calculations.

Device Host is a personal device dedicated to one user, who will protect it from some types of attacks involving physical access. This particular strategy relates to threats that are blocked, affording slightly less than perfect protection because the user may be overcome by force or become temporarily less than vigilant.

Device Host is a personal device dedicated to one user, who will protect it from some types of attacks involving ongoing physical access or evident alteration of the device. For these threats, the protection level is very good because a momentary lapse in attention from the user is not sufficient to allow the attack.

The client Client authenticates the service Service using an asymmetric cryptographic challenge against a public key registered to the service operator through a trusted means such as X509.

The software and hardware at device Host has been tested and certified to be secure by independent experts. The device is unlikely to contain exploitable bugs, though the assessment may become outdated so should be renewed from time to time. Note that this does not prevent bugs that are present being discovered and exploited by attackers, so it is a prior mitigation only, which is ignored in current (run-time) risk calculations.

Represents a situation in which software patches have been applied manually by HostManager to eliminate vulnerabilities in process Service. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. Note that this should only be considered if a suitable software patch is available. To implement this at runtime, signal the responsible user HostManager.

Use a systematic procedure for regular security patching of software used (including hosted process Service) on device SHost, and have a contingency plan included in the system operating policies and practices for HostManager to manually apply patches immediately for Service should the need for them become urgent.

Represents a situation in which software patches have been applied manually by HostManager to eliminate vulnerabilities in process Process. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. Note that this should only be considered if a suitable software patch is available. To implement this at runtime, signal the responsible user HostManager.

Use a systematic procedure for regular security patching of software used (including hosted process Process) on device Host, and have a contingency plan included in the system operating policies and practices for HostManager to manually apply patches immediately for Process should the need for them become urgent.

Represents a situation in which software patches have been applied manually by HostManager to eliminate vulnerabilities in device Host. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. Note that this should only be considered if a suitable software patch is available. To implement this at runtime, signal the responsible user HostManager. Then deselect the SoftwarePatched control and restore the asserted Extrinsic TW levels of Host once the update has been confirmed.

Use a systematic procedure for regular security patching of software used (including hosted processes) on device Host, and have a contingency plan included in the system operating policies and practices for HostManager to manually apply patches immediately should the need for them become urgent.

If user Human forgets their (strong) password, service Service provides a way for them to reset it using an out-of-band communication (e.g. email or SMS).

Access to device Host is controlled by authenticating authorised users using a password.

If subnet LogicalSubnet uses EAP-TLS to control access, supplicant device Host can connect if it has an X509 certified (or similarly trusted) asymmetric key pair.

Device Host is a personal device dedicated to one user, who has been trained in basic security and will protect it from some types of attacks involving physical access. Similar to personal device protection, but more effective due to the user being able to maintain vigilance and avoid physically uncontrollable situations.

Processes Client and Service have secure access to a shared key used to encrypt and decrypt data Data for transfer via file or network.

Spam filtering functionality is installed on the email user agent MUA (a mail client or a webmail service).

The software for process Process has been independently tested and verified to meet functional requirements. The process is therefore unlikely to contain bugs that cause a malfunction. This does not prevent bugs that are present from causing problems, so this is a prior mitigation only, which is ignored in current (run-time) risk calculations.

Control access to subnet LogicalSubnet using authentication via X509 or otherwise trusted public-private key pairs. The gateway device Gateway providing the network has an (X509 certified) key, and a means to verify (X509 certified) keys registered by authorised supplicants. You should also specify that supplicant devices have (X509 certified) key pairs, or they will be unable to connect.

The XSS Sanitisation control means the service Service has been implemented using an XSS-safe language and framework including XSS detection code scanners. |
|
Access to a service requires authentication using an asymmetric cryptographic challenge during a TLS connection establishment by Client, based on an X509 or other trusted public key belonging to the authorised user. Here the client Client is acting as a proxy for its host device, so the key is actually installed on CHost. |
|
Access to a service requires authentication using an asymmetric cryptographic challenge during a TLS connection establishment by Client, based on an X509 or other trusted public key belonging to the authorised user. |
|
The user Human has no access to email from any device used by them while engaged in the system. |
|
Users in the role Human are trained to avoid the most common cyber security errors: they use only strong passwords, recognise malicious emails, and understand the importance of physical security, including the use of screen locking for fixed devices that cannot be carried on the person. |
|
Users in the role Human choose a password which is registered with the system allowing access to interactive host Host that authenticates using the password. |
|
Users in the role Human are trained to avoid basic cyber security errors associated with the use of passwords. |
|
Service Service has been disabled by the manager of its host HostManager to prevent a known vulnerability being exploited by an attacker. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing device Host where Service is running. The Disabled Process control should be deselected only when the process has been restarted. |
|
Service Service may be temporarily disabled by the manager of its host HostManager to prevent vulnerabilities being exploited by potential attackers. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Process Process may be temporarily disabled by the manager of its host HostManager to prevent vulnerabilities being exploited by potential attackers. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Process Process has been disabled by the manager of its host HostManager to prevent a known vulnerability being exploited by an attacker. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing device Host where Process is running. The Disabled Process control should be deselected only when the process has been restarted. |
|
The hardware and software for device Host has been independently tested and verified to meet functional requirements. The device is therefore unlikely to contain bugs that cause a malfunction. This does not prevent bugs that are present from causing problems, so this is a prior mitigation only which is ignored in current (run-time) risk calculations. |
|
Process Process may be temporarily disabled by the manager of its host HostManager to prevent vulnerabilities being exploited by potential attackers. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Device Host has been disabled by its manager HostManager to prevent a known vulnerability being exploited by an attacker. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing the device. The Disabled Host control should be deselected only when the host has been restarted. |
|
Device Host may be temporarily disabled by its manager HostManager to prevent vulnerabilities being exploited by potential attackers. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Service Service may be temporarily disabled by the manager of its host HostManager to prevent a known vulnerability being exploited in a cross-site scripting attack. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Process Service has been disabled by the manager of its host HostManager to prevent it being exploited in a cross-site scripting attack. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing device SHost where Service is running. The Disabled Process control should be deselected only when the process has been restarted. |
|
Service Service may be temporarily disabled by the manager of its host HostManager to prevent a known vulnerability being exploited in a cross-site scripting attack. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Process Process may be temporarily disabled by the manager of its host HostManager to prevent it being exploited should it become infected by malware. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Process Process has been disabled by the manager of its host HostManager to prevent it being exploited after being infected by malware. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing the device hosting Process. The Disabled Process control should be deselected only when the process has been restarted. |
|
Process Process may be temporarily disabled by the manager of its host HostManager to prevent it being exploited should it become infected by malware. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Device Host may be temporarily disabled by its manager HostManager to prevent it being exploited should it become infected by malware. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Device Host has been disabled by its manager HostManager to prevent it being exploited after being infected by malware. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing the device. The Disabled Host control should be deselected only when the host has been restarted. |
|
Device Host may be temporarily disabled by its manager HostManager to prevent it being exploited should it become infected by malware. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Use a systematic procedure for updating software used (including hosted processes) on device Host. |
|
Device Host may be temporarily disabled by its manager HostManager to prevent vulnerabilities being exploited by potential attackers. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
If subnet LogicalSubnet uses a pre-shared key to control access, supplicant device Host can connect if it has the pre-shared key. |
|
Signifies that the management of device Host is omitted because it is out of scope, e.g. because its management does not form part of the system. Note that this means modelling error threats to detect unmanaged devices will be ignored, but threats that could be addressed by a system manager will still apply to the unmanaged devices. |
|
Control access to subnet LogicalSubnet using a (usually remote) AAA service that verifies keys provisioned in SIM cards to authorised supplicants. You should also specify that supplicant devices use SIM cards or they will be unable to connect. |
|
Access to service Service is controlled, by authenticating authorised users using a strong password, which is supplied each time by the user Human. This is a trigger condition for the potential risk that the user may forget the strong password. |
|
Users in the role Human choose a password which is registered with the system allowing access to Service. |
|
Users in the role Human choose a password which is registered with the system allowing access to Service. |
|
The quality of passwords to authenticate users of service Service is checked whenever the password is set or changed, e.g. using standards like NIST-800-63. |
|
Access to a service Service requires a password, which was supplied originally by the user Human and stored by the client Client in a secure password store. |
|
Access to a service Service requires a password, which was supplied originally by the user Human and stored by the client Client in a secure password store. |
|
Transport layer security is implemented by both Client and Service for communication between them. This prevents passive snooping in the network, including gateway devices, but it does not prevent service impersonation attacks. That can be prevented by also using service authentication via a trusted key (e.g. X.509 or equivalent). |
|
The service Service controls access by requiring users to authenticate with a password. |
|
Access to a service Service requires a password, which is stored by the client process Client on its host CHost. |
|
Access to service Service is controlled, by authenticating authorised users using a password and a separate key sent to them via a separate (out of band) means. |
|
Access to a service Service requires the user Human to supply a password, and then enter a key which is sent to them via a separate channel into their client application Client. |
|
Access to service Service is controlled, by authenticating authorised users using a one time key created using a client-side authentication device provided to them. |
|
Access to service Service is controlled, by authenticating authorised users during the TLS connection against a known public key registered via a trustworthy means such as X509. |
|
Access to a service Service requires a one time key, generated using a one time key device which itself requires a password entered by the user Human, who then types the one time key into their client application Client. |
|
Access to service Service is controlled by authenticating user Human based on their registered usage characteristics captured by the device CHost. |
|
Users in the role Human are issued with a 2-factor authentication key they can use to verify their identity and access host Host. |
|
Access to device Host is controlled, by authenticating authorised users using a 2-factor system involving possession of a physical key or dongle, such as a chip and PIN card. |
|
Represents a situation in which software patches have been applied manually by HostManager to address functional bugs in device Host. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. Note that this should only be considered if a suitable software patch is available. To implement this at runtime, signal the responsible user HostManager. Then deselect the SoftwarePatched control and restore the asserted Intrinsic TWL of Host once the update has been confirmed. |
|
Use a systematic procedure for regular updating of software used (including hosted processes) on device Host, and have a contingency plan included in the system operating policies and practices for HostManager to manually apply updates immediately should the need for them become urgent. |
|
Control access to subnet LogicalSubnet using a pre-shared key. This is installed at the device Gateway providing the network, which also verifies that supplicants have the same key, preventing unauthorised access. You should also specify shared keys for supplicant devices or they will be unable to connect. |
|
Access to device Host is controlled, by authenticating authorised users using biometrics. |
|
Host device Host is configured with an automated screen lock activated after a suitably short period of inactivity, requiring user Human to re-authenticate before resuming a session. |
|
Anti-malware software is installed on device SHost and kept up to date by regular software patches, and so can detect and prevent the execution of malicious code. |
|
Anti-malware software is installed on device Host and kept up to date by regular software patches, and so can detect and prevent the execution of malicious code. |
|
The number of login attempts at service Service is limited, and user accounts are locked when there are too many unsuccessful login attempts, or too many login attempts within a short period. |
|
The number of login attempts at device Host is limited, and user accounts are locked when there are too many unsuccessful login attempts, or too many login attempts within a short period. |
|
Access to service Service is controlled by authenticating user Human based on their registered usage characteristics captured by the device CHost. |
|
Physical access to host Gateway is controlled by being situated where it can be under constant surveillance in a location that is continuously occupied at times when attacks may occur. |
|
Users in the role Human have a biometric ID such as a fingerprint registered with the system, enabling them to pass a biometric ID check to access host Host. |
|
Access to process Process is controlled by authenticating user Human based on their registered usage characteristics captured by a personal device Host. |
|
Physical access to host Host is controlled by being situated where it can be under constant surveillance in a location that is continuously occupied at times when attacks may occur. |
|
To prevent network spoofing, a gateway Gateway providing the network can use an X509 (or otherwise trusted) key pair, verified by the supplicant device Host. |
|
To prevent network spoofing, a gateway Gateway providing the network can use an X509 (or otherwise trusted) key pair, verified by the supplicant device Host. |
|
To prevent network spoofing, a gateway Gateway providing the network and the supplicant device Host can use a pre-shared key that can be verified by Host. |
|
To prevent network spoofing, a gateway Gateway providing the network and the supplicant device Host can use a pre-shared key that can be verified by Host. |
|
The process Process was found to have reliability or availability issues, and action has been taken by the manager HostManager of its host device to correct the problem. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To implement the plan at runtime, signal HostManager that the problem was detected with Process. |
|
The process Process is monitored for reliability and availability, and if problems are found, the manager HostManager of its host device Host can take corrective action while waiting for updated software. This strategy represents a contingency plan included in the operating policies and practices if certain threats should arise, e.g. to roll back software to an older but more reliable version. |
|
The device Host was found to have reliability or availability issues, and action has been taken by its manager HostManager to correct the problem. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To implement the plan at runtime, signal HostManager that the problem was detected with Host. |
|
If the instances of a class of devices Host are independent of each other, having admin rights does not allow control of resourcing of Host instances. |
|
If the instances of a class of devices Gateway are independent of each other, having admin rights does not allow control of resourcing of Gateway instances. |
|
Means mobile host Gateway has more than one Wired LAN network interface. |
|
Means host Gateway has more than one WiFi LAN network interface. |
|
Persons in the role HostManager responsible for managing Host are screened by their employer Employer before being given that role. This ensures they are more trustworthy than one would expect given the population or community from which they are recruited. |
|
The device Host is monitored for reliability or availability, and if problems are found, its manager HostManager can take corrective action while waiting for updated software or hardware. This strategy represents a contingency plan included in the system operating policies and practices, e.g. to roll back software to an older but more reliable version or switch to a stand-in device from a different hardware vendor. |
|
The software and hardware at device Host has been assessed and certified to be secure by independent experts. The device is unlikely to contain exploitable bugs, though the assessment may become outdated so should be renewed from time to time. Note that this does not prevent bugs that are present being discovered and exploited by attackers, so it is a prior mitigation only which is ignored in current (run-time) risk calculations. |
|
The process Process is configured to run with low priority, so it cannot overload its host Host, although this means that, if overloaded, it will likely become unavailable instead. This can be configured in advance to block the threat, or implemented as a run-time response to an overload by signalling the manager HostManager of the process host Host. |
|
Data stored on physical device PhysicalHost are encrypted, so data cannot be accessed by physically extracting and reading storage devices from PhysicalHost, as an alternative to logging into the device. |
|
Device Host is disabled to prevent it being involved in an attack. This strategy represents a run-time adaptation in response to a threat, which may or may not be following some contingency plan. It also triggers threats representing side effects that would be caused by such an action. |
|
This strategy represents a state in which Host has been disabled, used as a trigger for threats representing side effects. It should not be used for any other purpose. |
|
Process Process is disabled to prevent it being involved in an attack. This strategy represents a run-time adaptation in response to a threat, which may or may not be following some contingency plan. It also triggers threats representing side effects that would be caused by such an action. |
|
Process Process is disabled to prevent it being involved in an attack. This strategy represents a run-time adaptation in response to a threat, which may or may not be following some contingency plan. It also triggers threats representing side effects that would be caused by such an action. |
|
Device Gateway is disabled to prevent it being involved in an attack. This strategy represents a run-time adaptation in response to a threat, which may or may not be following some contingency plan. It also triggers threats representing side effects that would be caused by such an action. |
|
Indicates provision of network LogicalSubnet is disabled at device Gateway, meaning the subnet is not available to potential attackers. This strategy does not represent a contingency plan, but a permanent restriction introduced by design or in accordance with an operational policy or user preference. It also triggers threats representing side effects that would be caused by such a restriction. The most common situation where provision of a subnet is possible but would not be used in practice is where a mobile device provides a WiFi hotspot, which it could do in any location, but the user will keep the hotspot functionality switched off in some locations. |
|
The software for process Process has been analysed by independent experts using formal methods and shown to be free of bugs. It is therefore guaranteed to work correctly for arbitrary (even malicious) inputs. However, this is only possible for simple processes. Note that it does not prevent bugs that are present being discovered and exploited by attackers, so it is a prior mitigation only which is ignored in current (run-time) risk calculations (although in principle no vulnerabilities should ever be found). |
|
Host Host is locked or built into the physical environment Space such that neither it nor any of its internal storage media can be removed or altered without destroying them. |
|
The software for device Host has been analysed by independent experts using formal methods and shown to be free of bugs. It is therefore guaranteed to work correctly for arbitrary (even malicious) inputs. However, this is only possible for simple devices. Note that it does not prevent bugs that are present being discovered and exploited by attackers, so it is a prior mitigation only which is ignored in current (run-time) risk calculations (although in principle no vulnerabilities should ever be found). |
|
Indicates provision of network RadioSubnet is disabled at device Gateway, meaning the subnet is not available to potential attackers. This strategy does not represent a contingency plan, but a permanent restriction introduced by design or in accordance with an operational policy or user preference. It also triggers threats representing side effects that would be caused by such a restriction. The most common situation where provision of a subnet is possible but would not be used in practice is where a mobile device provides a WiFi hotspot. The control applies to the hotspot implementation, so affects provision of the hotspot in one location, making it possible to indicate that the user would keep the hotspot functionality switched off in that location. |
|
Filter DDoS messages to a target in the core network. This normally has to be arranged through the Internet connection service provider, so it is modelled by assigning the corresponding control to the final interface to the Internet. |
|
If device Gateway blocks unsolicited connections into private subnet ToSubnet, port forwarding is used to allow access to services by legitimate clients. This strategy may represent a run-time adaptation in response to a threat, or a permanent restriction introduced by design or in accordance with an operational policy or user preference. It also triggers threats representing side effects that would be caused by such a restriction. |
|
Signifies that device Host will not connect to subnet LogicalSubnet even though such a connection is implied by the system model. This strategy does not represent a contingency plan, but a permanent restriction introduced by design or in accordance with an operational policy or user preference. It also triggers threats representing side effects that would be caused by such a restriction. The most common situation where a connection is possible but is not used is where a mobile device connects to a cellular network which could be done in any location, but the user will avoid it in some locations. |
|
Apply a default firewall rule at host Host to drop messages sent to the host from subnet LogicalSubnet, unless they are service requests or responses. |
|
Apply a default firewall rule at gateway host Gateway to drop messages sent via the gateway from FromSubnet to ToSubnet, unless they are service requests or responses. |
|
Limit the bandwidth for each remote source of communication destined for the network address of Host on LogicalSubnet. |
|
The physical space Space is patrolled at frequent intervals to ensure it is free of intruders. Note this does not prevent intrusion, e.g. to steal a device, but it does prevent some types of attacks where the intruder would need uninterrupted access, e.g. use of a device in the space for a significant period. |
|
Access to physical space Space is controlled by means of physical locks, to which authorised users have a key. |
|
Users in the role Human are issued with a physical key enabling them to access space Space. |
|
Inconsistent controls to resolve treatment of hosts with no explicit location. Used only as a trigger for modelling error threats. |
|
Access to physical space Space is controlled, and authorised users verified using physical ID such as a passport or ID card issued by a trusted authority. |
|
Users in the role Human have physical ID such as an ID card or passport, registered with the system. |
|
Indicates that threats to Host from space Space should be considered, even though Host has no explicit location and is inferred to be in the global public space (the World). This control strategy is a way to specify that despite Host having no explicitly defined location, physical security is in scope, and the device is considered to be physically insecure. It addresses modelling error threats but not security threats to Host from Space. |
|
Access to physical space Space is controlled, and authorised users verified using a chip and pin (2 factor) key card issued by a trusted authority. |
|
Indicates that private space Space is secured physically by measures not included in the system model. The threat of intrusion into Space by malicious outsiders will be ignored, though insider attacks by those authorised to be in Space will not. Note that this represents an expectation, and so is a prior mitigation only which is ignored in current (run-time) risk calculations. |
|
Access to physical space Space is controlled by means of physical locks to which only authorised users have a key, and is also continuously occupied at times when physical intrusion is feasible (e.g. at night). |
|
Users in the role Human are issued with a 2-factor authentication key they can use to verify their identity and access space Space. |
|
Users in the role Human have a biometric ID such as a fingerprint registered with the system, enabling them to pass a biometric ID check to access space Space. |
|
Access to physical space Space is controlled, and authorised users verified using biometrics registered by a trusted authority. |
|
Indicates that threats from as well as to the space Space can be ignored, i.e. that the risk model intentionally does not consider physical attacks from Space. This is only permitted if Space is the inferred global public space (the World) used when no locations are asserted in the model. This control strategy is a way to specify that physical security is out of scope for devices with no explicitly specified location(s), i.e. that they are considered physically secure. |
|
It is acceptable that the control data Data is inferred. |
|
It is acceptable that the sensed data Data is inferred. |
|
Signals that the data asset Data is not related to a human data subject, thus addressing modelling error threats representing the possibility that the relationship to a data subject has been overlooked. |
|
Signals that the IoT asset Thing is not related to a human data subject, thus addressing modelling error threats representing the possibility that the relationship to a data subject has been overlooked. |
|
Firewall rules that normally allow access from client Client to service Service may be temporarily switched off by manager HostManager of the service host SHost if the network path is subject to snooping. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Firewall rules that normally allow access to service Service on specific network path(s) have been switched off by its host manager HostManager. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, user HostManager who is responsible for managing host SHost should arrange for firewall policies to be switched off, ideally as close as possible to subnet LogicalSubnet from where the risk arises. The Disable Service Channel control should be deselected only when access is enabled again. |
|
Firewall rules that normally allow access to service Service on specific network path(s) may be temporarily switched off by its host manager HostManager. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Access to service Service by client Client is disabled by the process manager ServiceManager to prevent authenticated attacks by compromised clients. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal the process manager ServiceManager. The Disable Client Access control should be deselected if and when access by Client to Service has been enabled once again. |
|
Access to service Service by client Client may be temporarily disabled by the process manager ServiceManager to prevent authenticated attacks by compromised or impersonated clients, at the cost of some reduction in availability. This strategy represents a contingency plan, which can be used to reduce risk from some threats. However, it also triggers other threats representing side effects of the policy change, based on how likely it is that the contingency plan will need to be activated. |
|
Access to service Service by client Client is disabled by the process manager ServiceManager to prevent authenticated attacks by impersonated clients. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal the process manager ServiceManager. The Disable Client Access control should be deselected if and when access by Client to Service has been enabled once again. |
|
Access to service Service by client Client may be temporarily disabled by its manager ServiceManager to prevent authenticated attacks by impersonated clients, at the cost of some reduction in availability. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Firewall rules that normally allow access from client Client to service Service have been switched off by manager HostManager of the service host SHost to prevent snooping. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, user HostManager who is responsible for managing SHost should arrange for firewall policies to be switched off. The Disable Service Channel control should be deselected only when access is enabled again. |
|
Firewall rules that normally allow access to service Service by clients on otherwise blocked network paths are switched off to prevent an attack. This strategy may represent a run-time adaptation in response to a threat, or a permanent restriction introduced by design or in accordance with an operational policy or user preference to avoid accessing Service over certain networks. It also triggers threats representing side effects that would be caused by such a restriction where they affect all available network paths used by a client. |
|
Access to service Service by client Client is disabled by the process manager ServiceManager to prevent the service forwarding excessive requests or becoming overloaded itself. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal the process manager ServiceManager. The Disable Client Access control should be deselected if and when access by Client to Service has been enabled once again. |
|
Access to service Service by client Client may be temporarily disabled by the process manager ServiceManager to prevent the service forwarding excessive requests or becoming overloaded itself, at the cost of some reduction in availability. This strategy represents a contingency plan, which can be used to reduce risk from some threats. However, it also triggers other threats representing side effects of the policy change, based on how likely it is that the contingency plan will need to be activated. |
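The runtime form of this plan (a process manager that disables a client and keeps it disabled until told otherwise) can be illustrated with a small simulation. This is an added example, not code from the page or from any modelling tool; the rate threshold, window length and request timestamps are constructed for the illustration, and the sticky suspension is what produces the availability side effect the description refers to.

```python
"""Added example: a process manager that suspends a client's access when that
client's request rate exceeds a threshold, and re-enables it only on an
explicit signal. Threshold, window and request samples are constructed."""
from collections import defaultdict, deque


class ServiceManager:
    """Tracks per-client request timestamps and applies the contingency plan."""

    def __init__(self, max_requests: int, window_s: float):
        self.max_requests = max_requests
        self.window_s = window_s
        self._recent = defaultdict(deque)  # client -> timestamps inside window
        self.disabled = set()              # clients for which the plan is active

    def _prune(self, client: str, now: float) -> deque:
        q = self._recent[client]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def handle(self, client: str, now: float) -> str:
        """Return 'served' or 'refused'. Suspension is sticky: it persists until
        enable() is called, mirroring the control having to be deselected only
        once access has actually been restored."""
        if client in self.disabled:
            return "refused"
        q = self._prune(client, now)
        q.append(now)
        if len(q) > self.max_requests:
            # Threshold crossed: activate the contingency plan for this client.
            self.disabled.add(client)
            return "refused"
        return "served"

    def enable(self, client: str) -> None:
        """The signal that ends the contingency plan for one client."""
        self.disabled.discard(client)
        self._recent[client].clear()


def simulate(events, max_requests: int = 3, window_s: float = 1.0):
    """events: iterable of (client, time). Returns (outcomes, manager) so the
    manager can be re-enabled and queried afterwards."""
    mgr = ServiceManager(max_requests=max_requests, window_s=window_s)
    outcomes = [mgr.handle(client, t) for client, t in events]
    return outcomes, mgr


if __name__ == "__main__":
    # Constructed burst from c1 (4 requests in 0.3 s), then a later request.
    sample = [("c1", 0.0), ("c1", 0.1), ("c1", 0.2), ("c1", 0.3),
              ("c1", 5.0), ("c2", 0.3)]
    results, manager = simulate(sample)
    print(results)                       # the 5.0 s request is still refused
    manager.enable("c1")
    print(manager.handle("c1", 6.0))     # served again after the signal
```

Note that the request at 5.0 s is refused even though the burst is long over; that loss of legitimate availability, lasting until the manager is signalled, is the side effect the strategy description warns about.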
|
Signifies that Service can be considered immune to a confused deputy attack that does not involve exploitation of a software vulnerability. This should be used when Service is programmed in such a way that it can only access a back-end service for specific clients. Do not use this if access to back-end services requires OIDC- or OAuth-style tokens issued to the client; in that case add the OIDC/OAuth service along with the appropriate relationships from the client and to the back-end service(s). |
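The distinction the description draws, a deputy that only acts for specific clients versus one that will use its own back-end authority on any request, is easiest to see in code. This is an added example and not part of the page or of any tool; the tenants, clients and back-end records are constructed, and the back-end is assumed to trust the deputy fully (no token issued to the client), which is exactly the situation in which the deputy's own programming is the only control.

```python
"""Added example: a front-end service acting as deputy for a back-end store.
The vulnerable version lets an authenticated client name any back-end
resource; the hardened version derives the resource from the client's own
tenant, so the deputy can only act for that client. All data is constructed."""

# Constructed back-end: the deputy holds credentials for every tenant's records.
BACKEND = {
    "tenant-a/invoice-1": "A's invoice",
    "tenant-b/invoice-7": "B's invoice",
}

# Constructed mapping from authenticated client to the tenant it may act for.
CLIENT_TENANT = {"client-a": "tenant-a", "client-b": "tenant-b"}


class Forbidden(Exception):
    pass


def backend_read(key: str) -> str:
    """The back-end trusts the deputy completely: no per-client check here."""
    return BACKEND[key]


def vulnerable_deputy(client_id: str, resource: str) -> str:
    """Confused deputy: no software bug is exploited, the deputy simply applies
    its own back-end authority to whatever key the client supplies."""
    if client_id not in CLIENT_TENANT:
        raise Forbidden("unknown client")
    return backend_read(resource)


def hardened_deputy(client_id: str, resource: str) -> str:
    """The back-end key is bound to the client's tenant, and the client-supplied
    part is restricted to a plain identifier so it cannot escape that scope."""
    tenant = CLIENT_TENANT.get(client_id)
    if tenant is None:
        raise Forbidden("unknown client")
    if not resource or "/" in resource or resource in (".", ".."):
        raise Forbidden("resource must be a plain identifier")
    key = f"{tenant}/{resource}"
    if key not in BACKEND:
        raise Forbidden("no such resource for this client")
    return backend_read(key)


def denied(fn, *args) -> bool:
    """True if the deputy refuses the call with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # client-a reading tenant-b's record through the vulnerable deputy succeeds.
    print(vulnerable_deputy("client-a", "tenant-b/invoice-7"))
    # The hardened deputy refuses it and only serves client-a's own tenant.
    print(denied(hardened_deputy, "client-a", "tenant-b/invoice-7"))
    print(hardened_deputy("client-a", "invoice-1"))
```

Only a service written like `hardened_deputy`, where the back-end scope is derived from the authenticated client rather than taken from the request, justifies selecting this control; if the back-end instead checks a token minted for the client, model that token service explicitly as the description says.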
|
Firewall rules that normally allow access to service Service by clients on otherwise blocked network paths are switched off. This strategy represents a permanent restriction introduced by design or in accordance with an operational policy or user preference to avoid accessing Service over certain networks. It may also arise as a side effect of a run-time response to a more specific threat. In either case, it triggers threats representing side effects that would be caused by such a restriction where they affect all available network paths used by a client. |
|
Apply a default firewall rule at host Host to drop messages sent to services running on the host from subnet LogicalSubnet. This strategy may represent a run-time adaptation in response to a threat, or a permanent restriction introduced by design or in accordance with an operational policy or user preference. It also triggers threats representing side effects that would be caused by such a restriction, which affect access to services running on Host but not other uses of its connection to LogicalSubnet. |
|
Access to service Service by client Client is disabled. This control strategy represents a permanent restriction introduced by design, or a temporary situation created following activation of a contingency plan. In the latter case, this control strategy should not itself be selected, because its controls will be fulfilled by the contingency plan activation strategy. |
|
The service Service has a whitelist of network addresses from which it accepts client requests, and all the network interfaces from which requests may come have addresses that are fixed or in a restricted range not available to attackers. |
|
An application firewall is used at Proxy to protect Process from remote vulnerability exploits. |
|
Firewall rules that normally allow access from client Client to service Service may be temporarily switched off by manager HostManager of the service host SHost if the network path is subject to snooping. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
Persons fulfilling the role Human are screened by their employer Employer before being given that role. This ensures they are more trustworthy than one would expect given the population or community they come from. |
|
The employer Employer has multiple employees able to fulfil the role Human. |
The virtual subnet VirtualSubnet uses encryption to prevent anyone reading communications via access at the physical layer. |