Package Network
URI: Network
Description: Model of hosts connected to networks, plus control processes.
Engagement by an asset in the system, which is usually desirable, but means the asset is open to attack, abuse or misuse (and hence it is modelled as a potential threat consequence).

Reduction in the capacity of a Data Centre to handle the demands placed on it by automatically provisioned hosts and processes.

Untrusted, potentially malicious agents have gained admin rights in some system context.

Modelling artefact, corresponding to the trustworthiness attribute DefaultTW, which is already set by default to the lowest trustworthiness level.

Deterioration in the quality and/or integrity of the software engineering used to implement the asset, such that it will contain more software vulnerabilities likely to be discovered by an attacker.

Deterioration in the quality and/or integrity of the software engineering used to implement the asset, such that it will contain more functional software bugs that cause errors or crashes without external provocation.

Untrusted, potentially malicious agents can control routing within the abstract or logical subnet.

Untrusted, potentially malicious agents have access to the abstract or logical network subnet, i.e. they can access a connected host that may or may not be part of the modelled system.

Untrusted, potentially malicious agents can control the provisioning of, or the allocation of resources to, the asset.

Untrusted, potentially malicious agents have gained user rights in some system context.

Insertion into the asset of malicious, self-propagating software.

The asset is being used or requested more than allowed or expected.

The total load on a Data Centre.

Insertion of a back door into a host operating system or other software stored and running on a host.

Discovery by potential attackers of one or more vulnerabilities in software associated with the affected host or process.
The number of login attempts at device Host is limited, and user accounts are locked when there are too many unsuccessful login attempts, or too many login attempts within a short period.

The number of login attempts at service Service is limited, and user accounts are locked when there are too many unsuccessful login attempts, or too many login attempts within a short period.
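The two login-limiting controls above combine two distinct triggers: a lockout after a run of unsuccessful attempts, and a lockout when the rate of attempts (successful or not) within a short window is too high. The following is an added illustration, not code from the model or any tool that implements it; the thresholds, the lockout duration and the account names are assumed values chosen for the example.

```python
import time
from collections import deque


class LoginThrottle:
    """Lockout policy for accounts on a host or service.

    An account is locked when either
      * max_failures consecutive unsuccessful attempts are seen, or
      * more than max_attempts attempts of any outcome fall inside
        window_seconds (a sliding window).
    A locked account stays locked for lockout_seconds. All numbers here are
    assumed example values, not recommendations from the model.
    """

    def __init__(self, max_failures=5, max_attempts=20,
                 window_seconds=60.0, lockout_seconds=900.0):
        self.max_failures = max_failures
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = {}      # account -> consecutive failure count
        self._attempts = {}      # account -> deque of attempt timestamps
        self._locked_until = {}  # account -> monotonic time the lock expires

    def is_locked(self, account, now=None):
        now = time.monotonic() if now is None else now
        return self._locked_until.get(account, 0.0) > now

    def _lock(self, account, now):
        # Lock and reset counters so the next unlocked period starts clean.
        self._locked_until[account] = now + self.lockout
        self._failures[account] = 0
        self._attempts[account] = deque()

    def attempt(self, account, password_ok, now=None):
        """Record one login attempt and return "locked", "ok" or "denied".

        password_ok is the credential verifier's result; the throttle never
        handles the secret itself. In a real deployment is_locked() is
        consulted first so the verifier is not even run for a locked account.
        """
        now = time.monotonic() if now is None else now
        if self.is_locked(account, now):
            return "locked"

        # Sliding-window rate check: drop timestamps older than the window.
        q = self._attempts.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_attempts:
            self._lock(account, now)
            return "locked"

        # Consecutive-failure check.
        if password_ok:
            self._failures[account] = 0
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.max_failures:
            self._lock(account, now)
            return "locked"
        return "denied"


def demo():
    """Constructed sequence: three bad passwords lock 'alice' for 300 s."""
    t = LoginThrottle(max_failures=3, max_attempts=10,
                      window_seconds=60, lockout_seconds=300)
    return [t.attempt("alice", False, now=0),
            t.attempt("alice", False, now=1),
            t.attempt("alice", False, now=2),
            t.attempt("alice", True, now=3),     # correct password, still locked
            t.attempt("alice", True, now=303)]   # lock expired


if __name__ == "__main__":
    print(demo())
```

Passing `now` explicitly keeps the policy testable without sleeping; production callers omit it and the monotonic clock is used. A successful login resets the consecutive-failure counter but still counts toward the rate window, so a valid credential used from a credential-stuffing run is also throttled.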

Anti-malware software is installed on device Host and kept up to date by regular software patches, and so can detect and prevent the execution of malicious code.

Anti-malware software is installed on device SHost and kept up to date by regular software patches, and so can detect and prevent the execution of malicious code.

Host device Host is configured with an automated screen lock activated after a suitably short period of inactivity, requiring user Human to re-authenticate before resuming a session.

Access to device Host is controlled by authenticating authorised users using biometrics.

Users in the role Human have a biometric ID, such as a fingerprint, registered with the system, enabling them to pass a biometric ID check to access host Host.

Use a systematic procedure for regular updating of software used (including hosted processes) on device Host, and have a contingency plan included in the system operating policies and practices for HostManager to manually apply updates immediately should the need for them become urgent.

Represents a situation in which software patches have been applied manually by HostManager to address functional bugs in device Host. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing it to be used for decision support calculations. Note that this should only be considered if a suitable software patch is available. To implement this at runtime, signal the responsible user HostManager. Then deselect the SoftwarePatched control and restore the asserted Intrinsic TWL of Host once the update has been confirmed.

Access to device Host is controlled by authenticating authorised users using a 2-factor system involving possession of a physical key or dongle, such as a chip and PIN card.

Users in the role Human are issued with a 2-factor authentication key they can use to verify their identity and access host Host.

Access to service Service is controlled by authenticating user Human based on their registered usage characteristics captured by the device CHost.

Access to service Service is controlled by authenticating user Human based on their registered usage characteristics captured by the device CHost.

Access to a service Service requires a one time key, generated using a one time key device which itself requires a password entered by the user Human, who then types the one time key into their client application Client.

Access to service Service is controlled by authenticating authorised users using a one time key created using a client-side authentication device provided to them.

Access to a service Service requires the user Human to supply a password, and then to enter a key, sent to them via a separate channel, into their client application Client.

Access to service Service is controlled by authenticating authorised users using a password and a separate key sent to them via a separate (out of band) means.

Access to a service Service requires a password, which is stored by the client process Client on its host CHost.

The service Service controls access by requiring users to authenticate with a password.

Transport layer security is implemented by both Client and Service for communication between them. This prevents passive snooping in the network, including at gateway devices, but it does not prevent service impersonation attacks. Those can be prevented by also using service authentication via a trusted key (e.g. X.509 or equivalent).
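The distinction drawn above, between TLS that only defeats passive snooping and TLS that also authenticates the service, is exactly the difference between a client that skips certificate verification and one that verifies the service's certificate against a trusted key. The following is an added example using Python's standard `ssl` module; it is not code from the model or any implementation of it. The `cafile` parameter is an assumption standing in for the trust anchor registered via X.509 (or an equivalent trustworthy means); when it is omitted the system trust store is used.

```python
import ssl


def snoop_only_context() -> ssl.SSLContext:
    """Weak setting: the channel is encrypted, but any certificate is accepted.

    This stops passive snooping by intermediate gateways yet lets an attacker
    who can redirect traffic impersonate the service with a self-issued key.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticated_context(cafile=None) -> ssl.SSLContext:
    """Corrected setting: TLS plus service authentication.

    cafile (assumed parameter) is the trust anchor registered through a
    trustworthy means such as X.509; None falls back to the system store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # reject an unverifiable certificate
    ctx.check_hostname = True             # and one issued for another name
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the impersonation-relevant weaknesses of a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified: "
                        "service impersonation is possible")
    if not ctx.check_hostname:
        findings.append("hostname not checked: any certificate chaining to a "
                        "trusted CA would be accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("snoop-only", snoop_only_context()),
                      ("authenticated", authenticated_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

A client would wrap its socket with `authenticated_context().wrap_socket(sock, server_hostname="service.example")`; the `server_hostname` argument is what `check_hostname` compares the certificate against, so passing an IP literal or omitting it silently weakens the check.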

Access to a service Service requires a password, which was supplied originally by the user Human and stored by the client Client in a secure password store.

Access to a service Service requires a password, which was supplied originally by the user Human and stored by the client Client in a secure password store.

The quality of passwords used to authenticate users of service Service is checked whenever the password is set or changed, e.g. using standards like NIST SP 800-63.
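A password-quality check of the kind the control above describes, following the NIST SP 800-63B guidance for user-chosen secrets (minimum 8 characters, at least 64 accepted, comparison against a blocklist of common, breached, repetitive, sequential and context-specific values, and no composition rules), as an added example that is not part of the model. The blocklist is a constructed stand-in for a real breach corpus, and `context_words` is an assumed parameter for names such as the username or the service name.

```python
import unicodedata

# Constructed stand-in for a breached/commonly-used password list. A real
# deployment would consult a large local corpus rather than this handful.
COMMON_PASSWORDS = {
    "password", "passw0rd", "123456", "qwerty", "letmein", "welcome1",
    "iloveyou",
}

MIN_LENGTH = 8   # SP 800-63B: user-chosen secrets are at least 8 characters
MAX_LENGTH = 64  # and verifiers must accept at least 64


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical inputs compare equal.

    Length is later counted in code points, not bytes, so a non-ASCII
    character counts as one character as the guidance requires.
    """
    return unicodedata.normalize("NFKC", password)


def _sequential(s: str) -> bool:
    # Every character is exactly one code point after its predecessor,
    # e.g. "12345678" or "abcdefgh".
    return all(ord(s[i + 1]) - ord(s[i]) == 1 for i in range(len(s) - 1))


def check_password(password: str, context_words=()):
    """Return (accepted, reason) for a candidate password.

    Deliberately applies no composition rules (mixed case, digits, symbols)
    and no expiry policy; strength comes from length and the blocklist.
    """
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        return False, "commonly used or previously breached"
    if len(set(low)) == 1:
        return False, "repetitive characters"
    if _sequential(low):
        return False, "sequential characters"
    for word in context_words:
        word = word.lower()
        if len(word) >= 3 and word in low:
            return False, "contains context-specific word %r" % word
    return True, "ok"


if __name__ == "__main__":
    for cand in ("Password", "12345678", "correct horse battery staple"):
        print(repr(cand), check_password(cand, context_words=("alice",)))
```

Because no composition rule is applied, a long passphrase of lower-case words passes while a short mixed-character string fails; that is the intended trade-off in SP 800-63B, which treats length and blocklisting as the effective defences against guessing.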

Users in the role Human choose a password which is registered with the system, allowing access to Service.

Users in the role Human choose a password which is registered with the system, allowing access to Service.

Access to service Service is controlled by authenticating authorised users using a strong password, which is supplied each time by the user Human. This is a trigger condition for the potential risk that the user may forget the strong password.

Access to service Service is controlled by authenticating authorised users during the TLS connection against a known public key registered via a trustworthy means such as X.509.

Physical access to host Gateway is controlled by situating it where it can be under constant surveillance, in a location that is continuously occupied at times when attacks may occur.

Physical access to host Host is controlled by situating it where it can be under constant surveillance, in a location that is continuously occupied at times when attacks may occur.

Access to process Process is controlled by authenticating user Human based on their registered usage characteristics captured by a personal device Host.

The process Process is configured to run with low priority, so it cannot overload its host Host, although this means that if overloaded it will likely become unavailable instead. This can be configured in advance to block the threat, or implemented as a run-time response to an overload by signalling the manager HostManager of the process host Host.

Device Gateway is disabled to prevent it being involved in an attack. This strategy represents a run-time adaptation in response to a threat, which may or may not follow some contingency plan. It also triggers threats representing side effects that would be caused by such an action.

Device Host is disabled to prevent it being involved in an attack. This strategy represents a run-time adaptation in response to a threat, which may or may not follow some contingency plan. It also triggers threats representing side effects that would be caused by such an action.

This strategy represents a state in which Host has been disabled, used as a trigger for threats representing side effects. It should not be used for any other purpose.

Process Process is disabled to prevent it being involved in an attack. This strategy represents a run-time adaptation in response to a threat, which may or may not follow some contingency plan. It also triggers threats representing side effects that would be caused by such an action.

Process Process is disabled to prevent it being involved in an attack. This strategy represents a run-time adaptation in response to a threat, which may or may not follow some contingency plan. It also triggers threats representing side effects that would be caused by such an action.

Indicates that provision of network RadioSubnet is disabled at device Gateway, meaning the subnet is not available to potential attackers. This strategy does not represent a contingency plan, but a permanent restriction introduced by design or in accordance with an operational policy or user preference. It also triggers threats representing side effects that would be caused by such a restriction. The most common situation where provision of a subnet is possible but would not be used in practice is where a mobile device provides a WiFi hotspot. The control applies to the hotspot implementation, so it affects provision of the hotspot in one location, making it possible to indicate that the user would keep the hotspot functionality switched off in that location.

Indicates that provision of network LogicalSubnet is disabled at device Gateway, meaning the subnet is not available to potential attackers. This strategy does not represent a contingency plan, but a permanent restriction introduced by design or in accordance with an operational policy or user preference. It also triggers threats representing side effects that would be caused by such a restriction. The most common situation where provision of a subnet is possible but would not be used in practice is where a mobile device provides a WiFi hotspot, which it could do in any location, but the user will keep the hotspot functionality switched off in some locations.

Host Host is locked or built into the physical environment Space such that neither it nor any of its internal storage media can be removed or altered without destroying them.

The software for device Host has been analysed by independent experts using formal methods and shown to be free of bugs. It is therefore guaranteed to work correctly for arbitrary (even malicious) inputs. However, this is only possible for simple devices. Note that the model still allows for bugs that are present being discovered and exploited by attackers, so this is a prior mitigation only, which is ignored in current (run-time) risk calculations (although in principle no vulnerabilities should ever be found).

The software for process Process has been analysed by independent experts using formal methods and shown to be free of bugs. It is therefore guaranteed to work correctly for arbitrary (even malicious) inputs. However, this is only possible for simple processes. Note that the model still allows for bugs that are present being discovered and exploited by attackers, so this is a prior mitigation only, which is ignored in current (run-time) risk calculations (although in principle no vulnerabilities should ever be found).

The software and hardware of device Host have been assessed and certified to be secure by independent experts. The device is unlikely to contain exploitable bugs, though the assessment may become outdated, so it should be renewed from time to time. Note that this does not prevent bugs that are present being discovered and exploited by attackers, so it is a prior mitigation only, which is ignored in current (run-time) risk calculations.

Data stored on physical device PhysicalHost are encrypted, so the data cannot be accessed by physically extracting and reading storage devices from PhysicalHost as an alternative to logging into the device.

Persons in the role HostManager responsible for managing Host are screened by their employer Employer before being given that role. This ensures they are more trustworthy than one would expect given the population or community from which they are recruited.

Means host Gateway has more than one WiFi LAN network interface.

Means mobile host Gateway has more than one Wired LAN network interface.

Signifies that the management of device Host is omitted because it is out of scope, e.g. because its management does not form part of the system. Note that this means modelling error threats to detect unmanaged devices will be ignored, but threats that could be addressed by a system manager will still apply to the unmanaged devices.

If the instances of a class of devices Gateway are independent of each other, having admin rights does not allow control of the resourcing of Gateway instances.

If the instances of a class of devices Host are independent of each other, having admin rights does not allow control of the resourcing of Host instances.

The device Host is monitored for reliability or availability, and if problems are found, its manager HostManager can take corrective action while waiting for updated software or hardware. This strategy represents a contingency plan included in the system operating policies and practices, e.g. to roll back software to an older but more reliable version or switch to a stand-in device from a different hardware vendor.

The device Host was found to have reliability or availability issues, and action has been taken by its manager HostManager to correct the problem. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing it to be used for decision support calculations. To implement the plan at runtime, signal HostManager that the problem was detected with Host.

The process Process is monitored for reliability and availability, and if problems are found, the manager HostManager of its host device Host can take corrective action while waiting for updated software. This strategy represents a contingency plan included in the operating policies and practices should certain threats arise, e.g. to roll back software to an older but more reliable version.

The process Process was found to have reliability or availability issues, and action has been taken by the manager HostManager of its host device to correct the problem. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing it to be used for decision support calculations. To implement the plan at runtime, signal HostManager that the problem was detected with Process.

To prevent network spoofing, a gateway Gateway providing the network and the supplicant device Host can use a pre-shared key that can be verified by Host.

To prevent network spoofing, a gateway Gateway providing the network and the supplicant device Host can use a pre-shared key that can be verified by Host.

To prevent network spoofing, a gateway Gateway providing the network can use an X.509 (or otherwise trusted) key pair, verified by the supplicant device Host.

To prevent network spoofing, a gateway Gateway providing the network can use an X.509 (or otherwise trusted) key pair, verified by the supplicant device Host.

Control access to subnet LogicalSubnet using a (usually remote) AAA service that verifies keys provisioned in SIM cards issued to authorised supplicants. You should also specify that SIM cards are used by supplicant devices, or they will be unable to connect.

Control access to subnet LogicalSubnet using a pre-shared key. This is installed at the device Gateway providing the network, which also verifies that supplicants have the same key, preventing unauthorised access. You should also specify shared keys for supplicant devices, or they will be unable to connect.

If subnet LogicalSubnet uses a pre-shared key to control access, supplicant device Host can connect if it has the pre-shared key.

Control access to subnet LogicalSubnet using authentication via X.509 or otherwise trusted public-private key pairs. The gateway device Gateway providing the network has an (X.509 certified) key, and a means to verify (X.509 certified) keys registered by authorised supplicants. You should also specify that supplicant devices have (X.509 certified) key pairs, or they will be unable to connect.

If subnet LogicalSubnet uses EAP-TLS to control access, supplicant device Host can connect if it has an X.509 certified (or similarly trusted) asymmetric key pair.

Access to device Host is controlled by authenticating authorised users using a password.

If user Human forgets their (strong) password, service Service provides a way for them to reset it using an out of band communication (e.g. email or SMS).

Use a systematic procedure for regular security patching of software used (including hosted processes) on device Host, and have a contingency plan included in the system operating policies and practices for HostManager to manually apply patches immediately should the need for them become urgent.

Represents a situation in which software patches have been applied manually by HostManager to eliminate vulnerabilities in device Host. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing it to be used for decision support calculations. Note that this should only be considered if a suitable software patch is available. To implement this at runtime, signal the responsible user HostManager. Then deselect the SoftwarePatched control and restore the asserted Extrinsic TW levels of Host once the update has been confirmed.

Use a systematic procedure for regular security patching of software used (including hosted process Process) on device Host, and have a contingency plan included in the system operating policies and practices for HostManager to manually apply patches for Process immediately should the need for them become urgent.

Represents a situation in which software patches have been applied manually by HostManager to eliminate vulnerabilities in process Process. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing it to be used for decision support calculations. Note that this should only be considered if a suitable software patch is available. To implement this at runtime, signal the responsible user HostManager.

Use a systematic procedure for regular security patching of software used (including hosted process Service) on device SHost, and have a contingency plan included in the system operating policies and practices for HostManager to manually apply patches for Service immediately should the need for them become urgent.

Represents a situation in which software patches have been applied manually by HostManager to eliminate vulnerabilities in process Service. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing it to be used for decision support calculations. Note that this should only be considered if a suitable software patch is available. To implement this at runtime, signal the responsible user HostManager.

The software and hardware of device Host have been tested and certified to be secure by independent experts. The device is unlikely to contain exploitable bugs, though the assessment may become outdated, so it should be renewed from time to time. Note that this does not prevent bugs that are present being discovered and exploited by attackers, so it is a prior mitigation only, which is ignored in current (run-time) risk calculations.

The software for process Process has been tested and certified to be secure by independent experts. The process is unlikely to contain exploitable bugs, though the assessment may become outdated, so it should be renewed from time to time. Note that this does not prevent bugs that are present being discovered and exploited by attackers, so it is a prior mitigation only, which is ignored in current (run-time) risk calculations.

Device Host is a personal device dedicated to one user, who will protect it from some types of attacks involving ongoing physical access or evident alteration of the device. For these threats the protection level is very good, because a momentary lapse in attention from the user is not sufficient to allow the attack.

Device Host is a personal device dedicated to one user, who will protect it from some types of attacks involving physical access. This particular strategy relates to threats that are blocked, affording slightly less than perfect protection because the user may be overcome by force or become temporarily less than vigilant.

Device Host is a personal device dedicated to one user, who has been trained in basic security and will protect it from some types of attacks involving physical access. Similar to personal device protection, but more effective because the user is able to maintain vigilance and avoid physically uncontrollable situations.

Device Gateway is physically monitored to rapidly detect whether it has been physically removed, altered or substituted, so its manager HostManager can address any physical compromise. This strategy represents a contingency plan included in the system operating policies and practices, e.g. to repair or replace the affected device. Activation of the plan restores normal service, but if the device was stolen the attacker still has possession of the original, which could still be misused.

Device Gateway was found to have been physically removed, altered or substituted, and action has been taken by its manager HostManager to restore normal service. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing it to be used for decision support calculations. To implement the plan at runtime, signal HostManager that the problem was detected with Gateway, which may need repair or replacement.

Device Host is physically monitored to rapidly detect whether it has been physically removed, altered or substituted, so its manager HostManager can address any physical compromise. This strategy represents a contingency plan included in the system operating policies and practices, e.g. to repair or replace the affected device. Activation of the plan restores normal service, but if the device was stolen the attacker still has possession of the original, which could still be misused.

Device Host was found to have been physically removed, altered or substituted, and action has been taken by its manager HostManager to restore normal service. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing it to be used for decision support calculations. To implement the plan at runtime, signal HostManager that the problem was detected with Host, which may need repair or replacement.

The software for process Process has been assessed and certified to be secure by independent experts. The process is unlikely to contain exploitable bugs, though the assessment may become outdated, so it should be renewed from time to time. Note that this does not prevent bugs that are present being discovered and exploited by attackers, so it is a prior mitigation only, which is ignored in current (run-time) risk calculations.

To prevent passive snooping in radio network LogicalSubnet, one can configure the network to use encrypted radio communication in LogicalSubnet.

Device Host can be remotely wiped by its user Human if the device is lost or stolen, permanently removing accounts, security keys and data. This strategy represents a contingency plan.

Device Host has been remotely wiped by its user Human after being stolen. This control strategy models the effect that action should have, so it can be considered as an option in current (run-time) decision support calculations. To activate it at runtime, signal user Human, who is responsible for the device. Then deselect the ManualActionTaken control and restore the asserted Possession TWL of Host once the action has been confirmed.

Remote access service Service runs a restricted shell on SHost, such that remote users cannot gain full access to the host and can only run specific application processes on SHost (those controlled by Service).
|
Device Host is configured to prevent alteration of its software by physical insertion during its boot sequence. |
|
Device Host is configured securely: passwords or other authentication are set up including resetting default passwords for all user and administrator accounts, auto-run features disabled to prevent execution without user authorisation for files from removable storage or from the internet, and unnecessary software and especially network accessible services removed or disabled. |
|
Uses hardware security on device Host to bootstrap a protected enclave in which Process can execute without interference even by someone with admin rights at Host. |
|
The client Client authenticates the service Service using an asymmetric cryptographic challenge against a public key registered to the service operator through a trusted means such as X509. |
|
Processes Client and Service have secure access to a shared key used to encrypt and decrypt data Data for transfer via file or network. |
|
The hardware and software for device Host has been independently tested and verified to meet functional requirements. The device is therefore unlikely to contain bugs that cause a malfunction. This does not prevent bugs that are present from causing problems, so this is a prior mitigation only which is ignored in current (run-time) risk calculations. |
|
The software for process Process has been independently tested and verified to meet functional requirements. The process is therefore unlikely to contain bugs that cause a malfunction. This does not prevent bugs that are present from causing problems, so this is a prior mitigation only which is ignored in current (run-time) risk calculations. |
|
Use a systematic procedure for updating software used (including hosted processes) on device Host. |
|
Spam filtering functionality is installed on the email user agent MUA (a mail client or a webmail service). |
|
Device Host may be temporarily disabled by its manager HostManager to prevent it being exploited should it become infected by malware. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Device Host has been disabled by its manager HostManager to prevent it being exploited after being infected by malware. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing the device. The Disabled Host control should be deselected only when the host has been restarted. |
|
Device Host may be temporarily disabled by its manager HostManager to prevent it being exploited should it become infected by malware. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Process Process may be temporarily disabled by the manager of its host HostManager to prevent it being exploited should it become infected by malware. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Process Process has been disabled by the manager of its host HostManager to prevent it being exploited after being infected by malware. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing the device hosting Process. The Disabled Process control should be deselected only when the process has been restarted. |
|
Process Process may be temporarily disabled by the manager of its host HostManager to prevent it being exploited should it become infected by malware. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Service Service may be temporarily disabled by the manager of its host HostManager to prevent a known vulnerability being exploited in a cross-site scripting attack. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Process Service has been disabled by the manager of its host HostManager to prevent it being exploited in a cross-site scripting attack. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing device SHost where Service is running. The Disabled Process control should be deselected only when the process has been restarted. |
|
Service Service may be temporarily disabled by the manager of its host HostManager to prevent a known vulnerability being exploited in a cross-site scripting attack. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Device Host may be temporarily disabled by its manager HostManager to prevent vulnerabilities being exploited by potential attackers. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Device Host has been disabled by its manager HostManager to prevent a known vulnerability being exploited by an attacker. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing the device. The Disabled Host control should be deselected only when the host has been restarted. |
|
Device Host may be temporarily disabled by its manager HostManager to prevent vulnerabilities being exploited by potential attackers. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Process Process may be temporarily disabled by the manager of its host HostManager to prevent vulnerabilities being exploited by potential attackers. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Process Process has been disabled by the manager of its host HostManager to prevent a known vulnerability being exploited by an attacker. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing device Host where Process is running. The Disabled Process control should be deselected only when the process has been restarted. |
|
Process Process may be temporarily disabled by the manager of its host HostManager to prevent vulnerabilities being exploited by potential attackers. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Service Service may be temporarily disabled by the manager of its host HostManager to prevent vulnerabilities being exploited by potential attackers. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it may trigger other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Service Service has been disabled by the manager of its host HostManager to prevent a known vulnerability being exploited by an attacker. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user HostManager who is responsible for managing device Host where Service is running. The Disabled Process control should be deselected only when the process has been restarted. |
|
Users in the role Human are trained to avoid basic cyber security errors associated with the use of passwords. |
|
Users in the role Human choose a password which is registered with the system allowing access to interactive host Host that authenticates using the password. |
|
Users in the role Human are trained to avoid most common cyber security errors by using only strong passwords, recognising malicious emails, and the importance of physical security including the use of screen locking for fixed devices that cannot be carried on the person. |
|
The user Human has no access to email from any device used by them while engaged in the system. |
|
Access to a service requires authentication using an asymmetric cryptographic challenge during a TLS connection establishment by Client, based on an X509 or other trusted public key belonging to the authorised user. |
|
Access to a service requires authentication using an asymmetric cryptographic challenge during a TLS connection establishment by Client, based on an X509 or other trusted public key belonging to the authorised user. Here the client Client is acting as a proxy for its host device, so the key is actually installed on CHost. |
|
The XSS Sanitisation control means the service Service has been implemented using an XSS-safe language and framework including XSS detection code scanners. |

The subnet uses an AAA service not included in the model for network authentication and access control based on SIMs. Used for high-level abstractions representing public cellular networks. |
|
The asset (device or service) has an enforcement point (PEP) preventing unauthorised access. Normally used in conjunction with an authentication mechanism. |
|
The device has software installed that protects against malware. |
|
Represents measures to restrict the number or rate of authentication attempts, and to lock out users on a permanent or temporary basis when these limits are reached. |
|
The user has undergone basic training in password security and device protection before acting in the specified role. |
|
The host has a means to authenticate authorised users using biometrics. |
|
The host has a means to authenticate authorised users using a chip and pin card. |
|
The host represents a class of identical hosts that form a scalable cluster. The control indicates that multiple hosts can be used at the same time to run a process or store a data asset, either to scale up performance or provide extra resilience. |
|
The process captures usage characteristics, allowing the user identity to be verified by a suitable authentication service against a previously registered profile. |
|
The user has continuous authentication identification characteristics registered with a continuous authentication verification service in the system. |
|
The service has a means to verify the identity of a device user based on continuous authentication data sent by the device. |
|
The device has been independently tested and certified as secure to a suitable evaluation assurance level. |
|
The host device has been disabled. This is not a contingency plan but a state reached after activation of a contingency plan. It should be selected in current risk calculations to determine the effect of disabling the host, or when runtime monitoring detects the host is not running. |
|
The process has been disabled. This is not a contingency plan but a state reached after activation of a contingency plan. It should be selected in current risk calculations to determine the effect of disabling the process, or when runtime monitoring detects the process is not running. |
|
Disable a network (logical subnet). Most commonly used to prevent provision of an abstract subnet (e.g. a hotspot) by a mobile device when the device is in a specific location (with the control applied to the logical subnet representing implementation in that location). Note that control strategies involve controls at the providing host, so this is only possible where there is such a host. |
|
Applied to a host providing a logical subnet, this control signifies that provision of networking by the host can be disabled. |
|
The subnet uses encryption below OSI Layer 3, established via the CCMP protocol from IEEE 802.11i or equivalent. |
|
The process or host software has been formally verified and found to be correct. |
|
The algorithms used by the process are capable of performing calculations on encrypted data. |
|
Data storage devices on the host that are used to store application data are encrypted. This does not protect data while the host is running, as decryption keys must be available to running processes. However, it does prevent access to data by removing storage devices from a host, e.g. after it has been stolen. |
|
The host is monitored to detect any software problems (errors or crashes). |
|
The host is actually a set of instances whose provisioning is independent of their management. |
|
The process has a way to access a shared key required to access encrypted data. |
|
The host or process is monitored to detect any overload situations. |
|
The host creates a log of its activities. |
|
The priority of the process has been lowered to prevent it overloading its host. This may mean the process will become unavailable, however. |
|
Means the host can connect to multiple WiFi LANs at the same time. |
|
Means the host can connect to multiple wired LANs at the same time. |
|
The human has a device for generating a one-time key by entering a PIN. |
|
The process has a means to verify a one-time key generated by an authorised user. |
|
The human has a way to obtain a one-time key sent to it by a separate (out of band) communication channel. |
|
The process has a way to verify a one-time key sent to an authorised device or user via a separate (out of band) communication channel. |
|
The human has registered a password for identification purposes, which may be stored in a process acting on their behalf. |
|
The host or process has a way to check the quality of a password when set or changed by a user. For example, it may use checks as specified in NIST-800-63. |
|
A service has a mechanism for self-service resetting of a user password. |
|
The process has an encrypted password store, enabling its user to more easily recall and use strong passwords. |
|
The host or process has a means to verify a password given by an authorised user. |
|
The software for a host or process has been tested to check it is not vulnerable to certain attacks. |
|
The host is a personal device, carried by and therefore monitored and protected by its only user. |
|
The device is checked physically at suitable intervals to detect physical alteration or removal. |
|
The device is physically protected by being built into its physical environment. |
|
Signifies that the Physical Host can be under continuous visual observation within the Space where it is located. Physically large hosts will normally be observable, but for smaller hosts this depends on where in the space they are located. |
|
The process is monitored to detect any software problems (errors or crashes). |
|
The mobile device has a means to delete stored data which can be triggered remotely by its authorised user, e.g. if the device is lost or stolen. |
|
Signifies that a process has restricted access to the shell on its host. A user with full control over such a process cannot exploit its rights in arbitrary ways. When applied to a desktop or login service (which are intended to provide access to the shell), it means the shell itself is restricted, and can only be used to run specific applications. In this case, the remote access service controls other processes the user can access. |
|
A screen lock is automatically started after a suitably short interval of inactivity to prevent access to an interactive device, requiring password authentication to resume the session. |
|
The device has a secure BIOS and boot up sequence, ensuring its security cannot be bypassed by rebooting using an external (e.g. USB) boot device. |
|
Removal of security vulnerabilities arising from insecure default configurations prior to entry of the affected device into the system. |
|
The device provides a secure enclave, an area of memory that is accessible only by a specific process, and protected by hardware that allows cryptographic bootstrapping of trust in its contents. |
|
The process is executed in a secure enclave provided by its host. |
|
The human has undergone security training, going beyond basic password and device security and covering aspects such as malicious email threats, and physical security of mobile and fixed host devices. |
|
The host has a shared key which can be used to prove its identity to others holding the same key. |
|
The host or process has a means to verify possession of the shared key by another asset. |
|
The process software has been independently tested and certified as secure to a suitable evaluation assurance level. |
|
Represents the application of security patches to eliminate software vulnerabilities in a device or process. Should be used only for run-time decision support calculations. |
|
Employ a well-defined process for applying updates to the software running on the associated host. |
|
The process software has been tested to verify that it functions correctly. |
|
The email user agent process has a means to scan emails, mark potentially malicious or unwanted emails as spam, and prevent them being seen by a user via the usual channel. |
|
The host may be temporarily taken out of service to prevent it being involved in an attack by automated malware to cause a security breach. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack. |
|
The process may be temporarily taken out of service to prevent it being involved in an attack by automated malware to cause a security breach. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack. |
|
The host may be temporarily taken out of service to prevent it being involved in an attack that exploits a vulnerability to cause a security breach. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack. |
|
The service may be temporarily taken out of service to prevent it being involved in an attack that exploits a vulnerability to cause a security breach. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack. |
|
The user has undergone training in operational security relevant to the system, e.g. when and how to impose restrictions on network connectivity or service access, and procedures to safeguard the system in response to threat intelligence, such as emergency application of (possibly untested) software patches. This control can only be applied to an Adult user. |
|
The process implements transport layer encryption for its communications. |
|
This control indicates that the management of a device is considered out of scope. It is used to tell SSM that where no manager is specified, that was deliberate and is not an oversight. Note that this only addresses the modelling error threat used to detect a possible oversight. It does not mean other threats that could be managed by a system manager are also ignored. |
|
Applies to Humans in a system role, indicating that they should not use email while acting in that role. |
|
The host or process has an asymmetric key pair, and the association with the public key is attested by a suitably trusted means, often but not necessarily via an X509 certification authority. |
|
The host or process has a means to verify that an entity that initiated communication with it is the holder of a private key corresponding to a trusted public key association such as an X509 certificate. |
|
The host or process has a means to verify that an entity it initiates communication with is the holder of a private key corresponding to a trusted public key association such as an X509 certificate. |
|
The process is implemented using a framework that prevents cross-site scripting attacks. |

A communication network that is implemented from a set of logical subnets. |
|
A host, which may or may not be its own physical host. |
|
A communication network that is accessible to attackers. |
|
A process acting as an authentication client to gain access to a network or service. |
|
A process providing authentication/authorisation services. |
|
A host role, usually one running a client process. |
|
A process acting as a client, i.e. initiating communication with a service. |
|
A host role filled by some form of a cluster. |
|
A host that users can log into and interact with via a console. |
|
A backbone network role. |
|
A data centre role. |
|
A host that provides a subnet and/or acts as a router between subnets. |
|
A general process. |
|
A host. |
|
A context for access rights on a host. |
|
A user role assigned to managing a host. |
|
A network connectivity context for access rights on a host. |
|
A WiFi network provided by a mobile device wherever it goes. |
|
The Internet. |
|
A host that is local to some other asset or phenomenon. |
|
A logical subnet (i.e. a subnet that can be used for direct communication between connected hosts). |
|
A login service (i.e. a process that supports shell access to a host). |
|
A mobile client supporting login (i.e. a notebook, tablet or smartphone). |
|
A process acting as a Mail User Agent. |
|
A stakeholder role with legal responsibility for operation of part or all of a system. |
|
A host that is not the first one found in a pattern. |
|
A physical host. |
|
A physical subnet. |
|
A context for access rights of a process. |
|
A process. |
|
A user role assigned to managing a process. |
|
A network connectivity context for access rights of a process. |
|
A radio subnet. |
|
A remote access client. |
|
A remote access service. |
|
A host that is remote from some other asset or phenomenon. |
|
A remote access terminal process. |
|
A host acting as a router. |
|
A server. |
|
A process acting as a service, i.e. open to communication requests from clients. |
|
A user role assigned to managing a service. |
|
A host in a role where it supports a virtual host or service. |
|
A simple host. |
|
A simple process. |
|
A smart phone. |
|
A logical subnet. |
|
A trivial host unable to support shell access, e.g. a removable storage device or an IoT device. |
|
A process that is so trivial it is not subject to some types of threats. |
|
A wired local area network. |

Base class for all network subnets, including real subnets (i.e. those over which messages can be sent or routed) and some that are not real but represent a set of (inferred) real networks and routers. |
|
A simple process that runs on a host and handles authentication of that host to subnets that require it. |
|
A simple process that provides authentication and authorization of client processes or devices connecting to other services and networks. |
|
A collection of identical physical servers that can be managed as a cluster. A singleton Cluster in a system model represents multiple Server-class Hosts. |
|
Common base class for any Host that represents a collection of Hosts. |
|
A (physical) host with a user interface that also supports shell access, making it possible for users to log in. Attackers who can gain physical access could also exploit vulnerabilities and gain control over the device. |
|
Represents a wide area, mostly wired network composed of several connected subnets that are not explicitly included. |
|
A type of wired network router that provides connections with and within core networks. |
|
A building or buildings containing physical hosts and networks that can itself be connected to other networks, and used to support virtual hosts and management via a cloud platform. Internal connections and resources will be inferred where necessary, if not added manually. |
|
A (physical) host device that has no built-in (physical) user interface, which means it cannot be used directly by a Human. |
|
Represents an ESMTP Mail User Agent (MUA) process that is used interactively by its users. |
|
Represents a general ESMTP Mail User Agent (MUA) process. It provides a means for attackers to send malicious content designed to trick its users. Used as a base class for assertible subclasses representing webmail services and desktop email clients, etc. |
|
Represents an ESMTP Mail User Agent (MUA) process accessed remotely by users. This is either via a WebBrowser (which makes the MUA a webmail service) or an EmailClient (which makes the MUA an IMAP/POP service). The MUA provides a means for attackers to send malicious content designed to trick its users. |
|
A Host that is always located in one fixed Space, i.e. it doesn't move around, and its network connections are thus persistent. |
|
A parent class for devices that are able to run arbitrary processes and hold data with no problems. Distinct from SimpleHost devices, which are specialised to a particular purpose. |
|
A process with significant complexity unable to run on a specialised device. |
|
A common parent class for host-related access contexts. |
|
A device that can store, process, transmit or receive data. |
|
Represents accessibility for a host when in a specific location, with links to the host, location (space), and networks it can be connected to in that location. |
|
Represents accessibility for a host when on a specific subnet, with links to the host, subnet, and locations (spaces) where it can be connected to in that subnet. |
|
An overlay parent class descended from Palette Type, to be used to control the grouping of assertable assets in the SSM GUI Asset Palette. |
|
A (physical) host with a user interface that allows users to interact with a process, but not to log into the host. |
|
A base class for logical subnets that are purely internal within a single host. |
|
Special type of PhysicalSubnet, used as an abstraction for the core and access networks that make up the global, public Internet. There is only one Internet, so only one of these should appear in each system model. |
|
Common parent of L0 and L1 subnets, i.e. subnets that support communication within a single host or between two paired hosts. |
|
An L0Subnet is one provided by a host for communication within that host. This covers everything from API calls and socket-level communication between hosted processes to emulated IP switching between virtual hosts. The key difference between this and L3 virtual networks is that intrusion on the network is impossible except by compromising a connected host. |
|
Common parent of L2 and L3 subnets, i.e. subnets that support communication between different, unpaired hosts. |
|
An OSI Layer 2 subnet is one supporting communication between connected devices. |
|
An OSI Layer 3 subnet is one that supports addressing of messages between connected devices and devices that need not be connected to the same subnet. |
|
A base class for any means of communication between hosts. |
|
Supports remote access to command line functionality on its host. If the service controls the host, it has root privileges, enabling remote system admin. If the service controls other processes running on the host, it has the privileges assigned to those processes, and users can interact via a remote terminal client with those processes. A desktop service may be configured as a restricted workspace by enabling security controls such that it does not allow the user unrestricted access to the shell, but only to processes that are specified as being available to the login service. |
|
A mobile device that could be a Notebook, Smartphone, or Tablet. Used where different users may employ different types of client device, so the model cannot specify (or assume) a single type. |
|
A Host that has no fixed location, and whose network connections are thus mostly non-persistent. |
|
Base class for all network assets excluding host devices, including abstract and real subnets, network interfaces, routes through gateway hosts, and extended network paths. |
|
An overlay parent class descended from Palette Type, to be used to control the grouping of assertable assets in the SSM GUI Asset Palette. |
|
A mobile interactive computer, equipped with wireless and sometimes cellular network interfaces, able to run arbitrary applications, including client processes for accessing services over a network. Although designated as a PC, they are not always used as personal devices. |
|
A common parent class for process-related access contexts. |
|
A mobile or IoT device that is dedicated to a single user and carried wherever they go. It is possible for hosts of these types to be non-dedicated, but if a user both interacts with and manages them, they are considered dedicated. |
|
A physical host device, that could therefore be physically as well as electronically attacked (unlike a VirtualHost). |
|
A physical subnet is one that makes direct use of physical hardware. |
|
Represents a process (usually implemented by software running on a Host) that can read, update or create data, or exchange data with other processes. |
|
Represents accessibility for a process when running on a specific host in a specific location, with links to the process, host, location (space), and networks it can use for communication in that location, plus channels and paths that are accessible to a client or available for accessing a service when in that location. |
|
An overlay parent class descended from Palette Type, to be used to control the grouping of assertable assets in the SSM GUI Asset Palette. |
|
Represents accessibility for a process when running on a specific host on a specific subnet, with links to the process, host and subnet, and locations (spaces), where it can be connected to that subnet, plus channels and paths that are accessible to a client or available for accessing a service when it is connected. |
|
A network that uses radio as its means of communication, and may therefore be snooped or jammed. |
|
A remote access client is any process that can be used to run commands or otherwise interact with processes running in a shell on a remote host. |
|
A remote access service is any process that can be accessed remotely and used to run commands or otherwise interact with processes running in a shell on its host. |
|
Provides a means to access the command line on a remote host via a login service running on that host. |
|
Represents the ability to use removable (e.g. USB) storage devices as a means to transfer data between hosts. Such devices therefore act a bit like networks, so in practice any threats are caused by the mechanism used to connect them to other hosts. |
|
A very simple fixed device used to transmit and receive data between different locally connected subnets. |
|
A fixed physical host used to run application processes that are accessed remotely over a network. If your server device is not headless, make it a Workstation. |
|
A parent class for devices that support access via something equivalent to a shell, i.e. a means for users to run and control processes. |
|
A parent class for devices that are specialised for a purpose, and are therefore not normally able to host arbitrary processes and data. As distinct from GeneralHost devices, which have no such limitations. |
|
A process with limited complexity able to run on a specialised device. |
|
A mobile physical host used to run apps that mostly act as clients for accessing services over a network. |
|
A mobile physical host used to run apps that mostly act as clients for accessing services over a network, and which typically connects using near field communications to a router such as a smartphone. |
|
Represents a text messaging client running on a phone that is used interactively by its users. The domain model assumes every smart phone will be running one of these clients, but they must be inserted by users if they run on other devices including tablets or PCs, etc. |
|
Represents the ability of processes on a common host to communicate with each other using the loopback address. |
|
A mobile physical host used to run apps, some of which run locally but many act as clients for accessing services over a network. |
|
A device specialised to support functionality so limited that it does not support shell access, e.g. a USB thumb drive, IoT controller or IoT sensor. |
|
A type of simple process that is so trivial that some types of threats arise so rarely they can be neglected, e.g. threats involving software bugs. |
|
A base class for all host classification overlay parent classes. |
|
A base class for all process classification overlay parent classes. |
|
A base class for logical subnet classification overlay parent classes. |
|
A locally connected physical network that uses radio communication. |
|
A locally connected network in which connections between hosts are provided by physical wires. |
|
A network that uses physical wiring as its means of communication. |
|
A fixed physical host with a fully functional user interface, including a conventional PC, used to run interactive applications locally, as well as interactive client processes for accessing services over a network. |

Represents the total capacity at a Data Centre, or more accurately, the level of trust that it will be able to handle any demand placed on it by automatically provisioned hosts and processes. |
|
Modelling artefact: an attribute that is always set to the lowest trustworthiness level, and used as a cause for threats that are triggered entirely by the use of security controls. |
|
Free of software vulnerabilities in processes and devices that are likely to be discovered by potential attackers. |
|
Free of self-propagating malware. |
|
Free of functional software bugs that cause errors or crashes without external provocation. |
|
Control over routing within an abstract or logical subnet. |
|
Trustworthiness of users with access to an abstract or logical network subnet. |
|
The asset is not currently engaged or being used within the system, and hence cannot be exploited by attackers. |
|
Provisioning is controlled by a trustworthy process or administrator. |
|
The host has no back doors inserted into its operating system or other software running on the host. If back doors are present, this also makes processes running on the host vulnerable. |
|
Represents the spare capacity at a Data Centre. |