Commit 1bc32e20 authored by Valerie Aurora

Add PII risk factor

parent 9c9821ad
+53 −15
@@ -664,9 +664,19 @@ Description: Whether the VPN connects different endpoints to each other via a pr
Rationale: Different connectivity requirements create different risks and mitigations.

* **[CON-0]** Foreseeable use is a single endpoint connecting only to a public network
* **[CON-1]** Foreseable use is one or more endpoints connecting to other endpoints or hosts via a private network
* **[CON-1]** Foreseeable use is one or more endpoints connecting to other endpoints or hosts via a private network
* **[CON-2]** Foreseeable use is multiple endpoints connecting to each other via a private network, in addition to connecting to a public network

### C.2.10 RF-PII: Consequences of personally identifiable information compromise

Description: What the consequences of an attacker acquiring PII via the product are.

Rationale: Different consequences change the impact of compromise of PII stored or transmitted by the product.

* **[PII-0]** Foreseeable use is no or low consequences for compromise of PII stored or transmitted by the product
* **[PII-1]** Foreseeable use is moderate consequences for compromise of PII stored or transmitted by the product, e.g. financial or reputational loss
* **[PII-0]** Foreseeable use is high consequences for compromise of PII stored or transmitted by the product, e.g. loss of life or human rights

## C.3 Assumptions

### C.3.1 Platform
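
Review bot: The third level of the new RF-PII list, the "high consequences" line, is labelled [PII-0] again, so PII-0 is defined twice and PII-2 is never defined, even though the TH-CPII tables added later in this commit key on "PII = 2". Relabel that line [PII-2]. On the same line, "loss of life or human rights" would read more clearly as "loss of life or violation of human rights". The CON-1 "Foreseable" to "Foreseeable" fix at the top of the hunk is unrelated to the PII risk factor and is not mentioned in the commit message; consider noting it there or splitting it out.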
@@ -1136,15 +1146,43 @@ Mitigations for Impact:

* High to Low: AUTH-3, AUTH-4, AUTH-5, CDST

### C.4.15 TH-CPII: Compromise of PII stored or transmitted by the product

Attacker may get unauthorised access to personally identifiable information stored or transmitted by the product.

| Risk factors                 | Likelihood | Security profiles      |
|------------------------------|------------|------------------------|
| PII = 2 & DATA = 2 & FUN = 2 | High       | SP-3,                  |
| all others                   | Medium     | SP-1, SP-2, SP-4, SP-5 |

Table: _Table C.25_

| Risk factors | Impact | Security profiles      |
|--------------|--------|------------------------|
| PII = 2      | High   | SP-3                   |
| all others   | Medium | SP-1, SP-2, SP-4, SP-5 |

Table: _Table C.26_

Requirements that mitigate this threat: AUTH, DMIN, CRYPT, AUTH, ROUT, DNSL, CDST, SCDL, SDEF, LOGG

All mitigations from TH-UEAC, TH-MITM, TH-LEAK, TH-PLNS, TH-PLNM, TH-UNAA, TH-CONF, TH-META, TH-RCOM, TH-USED apply (using those requirement's risk formula), in addition to:

Mitigations for Impact:

* Medium to Low: NPII-1

* High to Low: NPII-\*

## C.5 Mapping of use cases to risk factors and security profiles

| Use case | Description                 | CFG | AUT | DAT | FUN | ADM | RDP | DNC | COM | CON | SP   |
|----------|-----------------------------|-----|-----|-----|-----|-----|-----|-----|-----|-----|------|
| UC-1     | Individual consumer         | 1   | 0   | 0   | 0   | 2   | 2   | 2   | 0   | 0   | SP-1 |
| UC-2     | Privacy conscious household | 1   | 0   | 1   | 1   | 1   | 0   | 2   | 1   | 0   | SP-2 |
| UC-3     | Journalist or activist      | 1   | 1   | 2   | 2   | 2   | 2   | 2   | 1   | 0   | SP-3 |
| UC-4     | Small organisation          | 2   | 2   | 2   | 1   | 1   | 1   | 2   | 2   | 1   | SP-4 |
| UC-5     | Large enterprise            | 2   | 2   | 2   | 2   | 0   | 1   | 2   | 2   | 2   | SP-4 |
| Use case | Description                 | CFG | AUT | DAT | FUN | ADM | RDP | DNC | COM | CON | PII | SP   |
|----------|-----------------------------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|------|
| UC-1     | Individual consumer         | 1   | 0   | 0   | 0   | 2   | 2   | 2   | 0   | 0   | 0   | SP-1 |
| UC-2     | Privacy conscious household | 1   | 0   | 1   | 1   | 1   | 0   | 2   | 1   | 0   | 1   | SP-2 |
| UC-3     | Journalist or activist      | 1   | 1   | 2   | 2   | 2   | 2   | 2   | 1   | 0   | 2   | SP-3 |
| UC-4     | Small organisation          | 2   | 2   | 2   | 1   | 1   | 1   | 2   | 2   | 1   | 1   | SP-4 |
| UC-5     | Large enterprise            | 2   | 2   | 2   | 2   | 0   | 1   | 2   | 2   | 2   | 1   | SP-4 |

Table: _Table C.27 — Use cases mapped to risk factors and security profiles_
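
Review bot: The "Requirements that mitigate this threat" line in C.4.15 lists AUTH twice and omits NPII, although the impact mitigations directly below it are NPII-1 and NPII-\*; drop the duplicate AUTH and add NPII. In the likelihood table, the "SP-3," cell has a stray trailing comma, and the condition is written with "DATA" while the mapping tables in this commit use the column name "DAT", so it is worth confirming which identifier the document uses in other risk formulas. The sentence "using those requirement's risk formula" follows a list of TH- threats, not requirements, so it should read "those threats' risk formulas".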

@@ -1156,13 +1194,13 @@ Security profiles are an informative resource to the assessor. Each security pro

### C.6.2 Mapping of security profiles to risk factors

| Security profile | Description                 | CFG | AUT | DAT | FUN | ADM | RDP | DNC | COM | CON |
|------------------|-----------------------------|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| SP-1             | Individual consumer         | 1   | 0   | 0   | 0   | 2   | 2   | 2   | 0   | 0   |
| SP-2             | Privacy conscious household | 1   | 0   | 1   | 1   | 1   | 0   | 2   | 1   | 0   |
| SP-3             | Journalist or activist      | 1   | 1   | 2   | 2   | 2   | 2   | 2   | 1   | 0   |
| SP-4             | Small organisation          | 2   | 2   | 2   | 1   | 1   | 1   | 2   | 2   | 1   |
| SP-5             | Large enterprise            | 2   | 2   | 2   | 2   | 0   | 1   | 2   | 2   | 2   |
| Security Profile | Description                 | CFG | AUT | DAT | FUN | ADM | RDP | DNC | COM | CON | PII |
|------------------|-----------------------------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| SP-1             | Individual consumer         | 1   | 0   | 0   | 0   | 2   | 2   | 2   | 0   | 0   | 0   |
| SP-2             | Privacy conscious household | 1   | 0   | 1   | 1   | 1   | 0   | 2   | 1   | 0   | 1   |
| SP-3             | Journalist or activist      | 1   | 1   | 2   | 2   | 2   | 2   | 2   | 1   | 0   | 2   |
| SP-4             | Small organisation          | 2   | 2   | 2   | 1   | 1   | 1   | 2   | 2   | 1   | 1   |
| SP-5             | Large enterprise            | 2   | 2   | 2   | 2   | 0   | 1   | 2   | 2   | 2   | 1   |

Table: _Table C.28 — Security profiles mapped to risk factors_
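
Review bot: The first header cell of Table C.28 changes from "Security profile" to "Security Profile", which is unrelated to adding the PII column and leaves it inconsistent with the sentence-case "Use case" header in Table C.27 and with the caption "Security profiles mapped to risk factors"; keep the original capitalisation. The new PII values (0, 1, 2, 1, 1) do match the PII column added to Table C.27 row for row.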