Trustworthiness Attributes

Control

Trustworthiness of the actor or process managing a host (including control over access to the host) while it is connected to the system and fulfilling its system role (i.e. in some context).

ExploitTW

Free of software vulnerabilities that are accessible to attackers.

UserTW

Trustworthiness of users with access to the shell or having the rights of a process on a host while the host is connected to the system and fulfilling its system role (i.e. in some context).

Authenticity

The data (which may be embedded in an IoT device) is what it claims to be, i.e. it is neither forged nor altered in a way designed to induce false behaviour in other assets consuming the data.

Confidentiality

Signifies that data (which may be embedded in an IoT device) is only accessible to authorised users.

Integrity

The data (which may be embedded in an IoT device) is correct and fit for purpose.

Timeliness

Represents a state in which a data asset is up to date, or a process or human has up-to-date inputs.

Decrypted

An attribute of stored or flowing copies of data, signifying that the data is accessible in unencrypted form. Considered a trustworthiness attribute as it precludes loss of availability where a process lacks a suitable decryption key, and used to model side effects of encryption controls.

Encrypted

An attribute of stored or flowing copies of data, signifying that the data is accessible in encrypted form. Considered a trustworthiness attribute as it prevents loss of confidentiality unless the key is compromised, and used to model side effects of encryption controls.

Underload

Represents the spare capacity at a Data Centre.

TrojanTW

The host has no back doors inserted into its operating system or other software running on the host. If back doors are present, this also makes processes running on the host vulnerable.

ResourceTW

Provisioning is controlled by a trustworthy process or administrator.

OutOfService

The asset is not currently engaged or being used within the system, and hence cannot be exploited by attackers.

NetworkUserTW

Trustworthiness of users with access to an abstract or logical network subnet.

NetworkControl

Control over routing within an abstract or logical subnet.

IntrinsicTW

Free of functional software bugs that cause errors or crashes without external provocation.

Health

Free of self-propagating malware.

ExtrinsicTW

Free of software vulnerabilities in processes and devices that are likely to be discovered by potential attackers.

DefaultTW

Modelling artefact: an attribute that is always set to the lowest trustworthiness level, and used as a cause for threats that are triggered entirely by the use of security controls.

Capacity

Represents the total capacity at a Data Centre, or more accurately, the level of trust that it will be able to handle any demand placed on it by automatic provisioning for hosts and processes.

BandwidthManaged

Signifies that bandwidth used by message flows through an interface can be restricted based on their source and/or destination addresses.

ChannelConfidentiality

Applies to a network or a communication channel between processes, signifying that messages cannot be intercepted and read in that network or channel.

ConnectionsBlocked

Applies to a communication route, i.e. the Interface between a Host and a Subnet, or a Logical Segment representing a route between two Subnets, signifying that by default, messages will be dropped.

NetworkAuthenticity

The connection from a supplicant device is not to an imposter subnet.

OccupantTW

Trustworthiness of users with physical access to a space.

PhysicalControl

Control over the means of access to a space.

ServiceTW

The service accessed by a client is not controlled by a malicious actor.

ServiceChannelsBlocked

Applies to a communication route, i.e. the Interface between a Host and a Subnet, or a Logical Segment representing a route between two Subnets. Signifies that no exceptions were created to allow client-service connections and messages to tunnel through a default-deny routing policy.

ServiceAuthenticity

The service accessed by a client is not an imposter.

ProxyUserTW

Only trustworthy clients can send requests via the client (which is a reverse proxy) to the related service.

AnonUserTW

Only trustworthy users can send messages to a service from the direction of a specific client. This relates to any message so it includes messages sent anonymously, prior to authentication. It is not related to which users can access the service. Consequently, the calculated level will often be low, and this is not necessarily a cause for concern.

ClientTW

The client accessing the related service is not controlled by an untrustworthy actor. This pertains to the trustworthiness of those able to access the service as the client (i.e., after authentication).

ClientAuthenticity

The client accessing the related service has a reliable means of authentication which can be verified by the service. This is not related to the trustworthiness of those able to access the service, only the trustworthiness of those in possession of client credentials.

DeputyUserTW

The client is clear on what requests it should send to the service on behalf of its own clients.

OwnerControl

A device or a process running on the device is still controlled by a trustworthy actor or process in some context after the device has been stolen by an attacker.

Possession

Attribute signifying that a (mobile) device is in the hands of the right user.

Astuteness

The ability to detect attempts by other agents to induce inappropriate action through deception.

Availability

The asset is able to carry out its function within the system, including being accessible by other assets that need to interact with it.

Benevolence

Free of malicious motives or desires to cause adverse effects without external provocation.

Competence

Ability to carry out reliably the functions of a user role within the system.

Reliability

The asset will perform tasks correctly, with no functional errors, assuming the asset is not supplied with corrupt or inaccurate information as input (in the case of Human or Process assets).

Trust

Propensity of a Stakeholder (usually a Human) to engage with and fulfil their role in a system.

Extrinsic-VN-TW

Free of software vulnerabilities that can be accessed from a remote network.

Extrinsic-VL-TW

Free of software vulnerabilities that can be accessed from a local shell or via physical access.

Extrinsic-VA-TW

Free of software vulnerabilities that can be accessed only from the local network, requiring access to either the broadcast or collision domain of the vulnerable software.

Extrinsic-U-TW

Free of software vulnerabilities whose exploitation would allow an attacker user-level access.

Extrinsic-QI-TW

Free of software vulnerabilities that allow injection of queries into a trusting back-end process.

Extrinsic-A-TW

Free of software vulnerabilities whose exploitation would compromise asset availability.

Extrinsic-I-TW

Free of software vulnerabilities whose exploitation would compromise integrity or authenticity of data.

Extrinsic-C-TW

Free of software vulnerabilities whose exploitation would compromise confidentiality.

Extrinsic-AU-TW

Free of software vulnerabilities that can be accessed without authentication.

Extrinsic-W-TW

Free of software vulnerabilities whose exploitation would allow insertion of self-propagating malware.

Extrinsic-M-TW

Free of software vulnerabilities whose exploitation would allow an attacker to take control.

Extrinsic-XS-TW

Free of software vulnerabilities that allow injection of malicious scripts into a client process.