@@ -399,20 +399,13 @@ The following risks are delegated by the VPN product to other components within
(previously ## 4.6)
<mark>Editor's Note: Some common definition of user categories are proposed in clause 3.1 above for consistency across vertical standards. Users can include both integrators and end users (individual or group / consumer or organisation), as well as users with privileged rights or professional training such as administrators. Users can be professional users or consumers and may have different levels of cybersecurity knowledge. Both professional and less experienced users may also have disabilities and may be using assistive technology to access the product. In addition, where a product is used in a public space there may be indirect users who are impacted by the device and whose cybersecurity needs should be considered.</mark>
To ensure that the cybersecurity requirements address the specific threats faced by different market segments, the users of VPN products are categorized into groups based on their operational needs, level of cybersecurity expertise, and risk profiles. This categorization considers both direct end-users and integrators, and prioritizes the privacy, safety, and accessibility of the product for all individuals. These user groups directly correspond to the Use Cases (UC) detailed in Clause 4.6:
- Everyday Consumers and Vulnerable Groups (Refers to UC-1, UC-2): This group represents the general public, specifically including vulnerable populations such as children and the elderly, as well as individuals with limited cybersecurity knowledge. Their primary needs include securing personal traffic on untrusted networks and obfuscating online activity to avoid tracking. This segment requires highly accessible, secure-by-default configurations that accommodate users with disabilities who may rely on assistive technology to operate the product securely
- High-Risk Privacy Seekers (Refers to UC-3): This group represents individuals at a severe risk of targeted surveillance (e.g., privacy-conscious users operating in hostile environments). Their primary need is advanced privacy preservation to protect their personal safety, health, and human rights against capable adversaries and unsanctioned state actors.
- Small Organization Users (Refers to UC-4): This group represents users operating within smaller entities lacking dedicated, full-time network administration. Their primary need is establishing secure remote connections to necessary operational resources, heavily relying on manufacturer-managed services to prevent misconfigurations.
- Enterprise Integrators and Administrators (Refers to UC-5, UC-6, UC-7): This group represents professional users, integrators, and administrators with privileged rights and professional cybersecurity training. Their primary needs include securely connecting multiple endpoints to private corporate networks, managing complex VPN infrastructures, and conducting extensive traffic inspection for security purposes.
- Indirect Users: Where a VPN product (such as a VPN-enabled router) is deployed in a public space, the product design must also consider the cybersecurity needs, privacy, and safety of indirect users who are impacted by or whose traffic passes through the device
<mark>Editor’s Note: Definitions of users must not consider profession but shall rather be based on a characterisation of needs in a certain market segment (e.g., avoid “journalist” in favour of “privacy-conscious user”), covering also health, safety and accessibility of the product.</mark>
<mark>Editor’s Note: Should cover use by vulnerable groups where applicable, like children or elderly.</mark>
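Review bot: the cross-reference in the intro paragraph ("the Use Cases (UC) detailed in Clause 4.6") looks stale against the "(previously ## 4.6)" marker at the top of this hunk: if this clause itself used to be 4.6 and has been renumbered, the use-case clause has most likely moved as well, so please recheck that number (or cite the use cases by their UC-1 to UC-7 identifiers only, which survive renumbering). The same paragraph states that the groups "directly correspond to the Use Cases", yet the "Indirect Users" bullet carries no UC reference; either map it to a UC or say explicitly that it is a cross-cutting consideration rather than a user group. Minor wording: "unsanctioned state actors" in the High-Risk Privacy Seekers bullet is ambiguous (unsanctioned by whom?); "state and state-sponsored actors" would be clearer and still respects the Editor's Note that users are characterised by need rather than profession. Style: the Everyday Consumers and Indirect Users bullets are missing their terminal full stops.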