Risk evaluation tables update (ad056d7b) · Commits · STAN4CRA / EN 304 624 Public key infrastructure and digital certificate issuance software

EN-304-624.md

+46 −22

Original line number	Diff line number	Diff line
		@@ -2032,62 +2032,86 @@ As a remainder the 4 use cases define in the standard are:

		Figure C.1.1-4: Risk calculation matrix

		### C.1.4 Risk acceptance threshold
		### C.1.2 Risk acceptance threshold

		![Figure C.1.4-1: Risk acceptance threshold](media/RiskAcceptanceThreshold.png)
		![Figure C.1.2-1: Risk acceptance threshold](media/RiskAcceptanceThreshold.png)

		Figure C.1.4-1: Risk acceptance threshold
		Figure C.1.2-1: Risk acceptance threshold

		![Figure C.1.4-2: Risk factor int](media/RiskFactorInt.png)

		Figure C.1.4-2: Risk factor int

		## C.2 Risk Assessment
		### C.2.1 Estimate Risks (Risk factors)
		#### C.2.1.1 Likelihood risk factors

		![Figure C.1.2-1: Risk factor dep](media/RiskFactorDep.png)
		The following figures present the likelihood factors for the 4 use cases used to caclulate risks. They are categorised as follow :

		Figure C.1.2-1: Risk factor dep
		- Deployment factors
		- Network security factors
		- User Expertise
		- Operational security procedures
		- Interfaces exposure

		![Figure C.1.2-2: Risk factor net](media/RiskFactorNet.png)

		Figure C.1.2-2: Risk factor net
		![Figure C.2.1.1-1: Risk factor dep](media/RiskFactorDep.png)

		![Figure C.1.2-3: Risk factor user](media/RiskFactorUsr.png)
		Figure C.2.1.1-1: Risk factor dep

		Figure C.1.2-3: Risk factor user
		![Figure C.2.1.1-2: Risk factor net](media/RiskFactorNet.png)

		![Figure C.1.2-4: Risk factor ops](media/RiskFactorOps.png)
		Figure C.2.1.1-2: Risk factor net

		Figure C.1.2-4: Risk factor ops
		![Figure C.2.1.1-3: Risk factor user](media/RiskFactorUsr.png)

		![Figure C.1.2-5: Risk factor int](media/RiskFactorInt.png)
		Figure C.2.1.1-3: Risk factor user

		Figure C.1.2-5: Risk factor int
		![Figure C.2.1.1-4: Risk factor ops](media/RiskFactorOps.png)

		#### C.2.1.1 Impact risk factors
		Figure C.2.1.1-4: Risk factor ops

		![Figure C.1.3-1: Risk factor ava](media/ImpRiskFactorAvaactScale.png)
		![Figure C.2.1.1-5: Risk factor int](media/RiskFactorInt.png)

		Figure C.1.3-1: Risk factor ava
		Figure C.2.1.1-5: Risk factor int

		#### C.2.1.2 Impact risk factors

		The following figures present the impact factors evaluation for the 4 use cases used to caclulate risks. They are categorised as follow :

		- Availability
		- Integrity
		- Confidentiality
		- and Traceability


		![Figure C.1.3-1: Risk factor ava](media/RiskFactorAva.png)

		Figure C.1.3-1: Risk factor availability

		![Figure C.1.3-2: Risk factor in](media/RiskFactorIn.png)

		Figure C.1.3-2: Risk factor in
		Figure C.1.3-2: Risk factor integrity

		![Figure C.1.3-3: Risk factor conf](media/RiskFactorConf.png)

		Figure C.1.3-3: Risk factor conf
		Figure C.1.3-3: Risk factor confidentiality

		![Figure C.1.3-4: Risk factor tra](media/RiskFactorTra.png)

		Figure C.1.3-4: Risk factor tra
		Figure C.1.3-4: Risk factor traceability

		#### C.2.1.2 Impact risk factors

		## C.2.2 Evaluate Risks

		In this section we present the evaluation of the riks factors for each of the 4 use cases.

		In the table we evaluate the risks for each use cases related to threats defined in section 4. For each threats the list of associated risk factors values are assessed and for each combinaison of factors a maximum function is applied (the resulting impact or likelihood level is the maximum of all risk factors levels).

		The risk are then calculated and their applicability defined using the matrixes presented in Figure C.1.1-4 and Figure C.1.2-1.

		## C.2.4 Evaluate Risks
		![Figure C.2.2-1: Risk evaluation part 1](media/RiskFactorTra.png)

		Figure C.2.2-1: Risk evaluation part 1

		# Annex K (normative) [CRY] Cryptography
		V 0.3 (2025-12-07)