The risk factors identified by the risk assessment in Annex C are grouped into risk categories and assigned unique identifiers below.
**[USR]** Number of agents with unprivileged access to the network interface on the host system
**[LOC]** Number of agents with unprivileged access to the network interface on the host system
Affects likelihood
This measures how many agents on the host can access the network interface from the host using the normal unprivileged system interfaces such as TCP or UDP sockets. It assumes that raw sockets or access to the configuration functions of the network interface are only available to privileged users.
***[USR-L-0]** Effectively no agents
***[USR-L-1]** Only trusted agents with a formal approval system
***[USR-L-2]** Trusted agents within the home
***[USR-L-3]** Untrusted agents
***[LOC-L-0]** Effectively no agents
***[LOC-L-1]** Only trusted agents with a formal approval system
***[LOC-L-2]** Trusted agents within the home
***[LOC-L-3]** Untrusted agents
FIXME: need to express risk coming from host system due to likelihood of being hacked that is different between a small single purpose IoT device and a full personal computer
**[ACC]** Degree of access to attached network by untrusted entities
**[NET]** Degree of public access to attached network
Affects likelihood.
Rationale: The more unrestricted the access to the attached network is, the more likely a threat actor can send packets to the device.
***[NET-L-0]** Foreseeable use is in an isolated private network
***[NET-L-1]** Foreseeable use is in a private network with filtered connection to public network
***[NET-L-2]** Foreseeable use is in a public network
This measures how easy it is for untrusted entities to send packets that the network interface will receive from outside the host, such as a user or program on another host attached to the same network.
**[COM]** Complexity of functions
***[ACC-L-0]** Untrusted users have no or highly filtered access to attached network
***[ACC-L-1]** Untrusted users have somewhat filtered access to attached network
***[ACC-L-2]** Untrusted users have unfiltered access to attached network
Affects likelihood.
**[COM]** Complexity of network interface implementation
Rationale: More complex functions means increased likelihood of errors in the implementation and more attack surface.
***[COM-L-0]** Minimal features to send/recv packets
***[COM-L-1]** Some simple performance features
***[COM-L-2]** Encryption features on device
***[COM-L-2]** Encryption features on interface
***[COM-L-3]** Entire RTOS managing radio, PXE boot, remote management, or similar
**[ADM]** Effectiveness of administration
**[ADM]** Availability and skill of administration
Affects likelihood and impact.
Rationale: Skilled, fully resourced administration allows more risk transfer and can reduce the impact of incidents.
***[ADM-L-1]** Either unskilled or under-resourced administration
**[SYS]** Access to host system assets
Affects impact.
Measures the degree of access to the host system assets, such as memory, other devices, and system management functions. This is usually a property of the communications bus used to connect to the host system. E.g., a network interface connected by USB versions below 4.0 can only access system resources via the host USB stack software, but a network interface on a PCIe bus (including tunneled over USB 4.0) or a virtual network interface that has privileged access to the host system can write any part of host system memory.
***[SYS-L-0]** Limited access or access mediated by host software to host system resources
***[SYS-L-1]** Extensive access to host system resources
FIXME update use case/profile for above risk factor
**[REM]** Use of network interface for administration
Affects impact.
Measures how critical the network interface functions are for administration of the system.
***[REM-L-0]** Foreseeable use is as primary administrative interface
***[REM-L-1]** Foreseeable use is as secondary administrative interface
FIXME update use case/profile for above risk factor
**[DAT]** Sensitivity of data stored
Affects impact.
***[DAT-L-0]** Unimportant or no data
***[DAT-L-1]** Moderately important data
***[DAT-L-2]** Critical data
FIXME update use case/profile for above risk factor
**[FUN]** Sensitivity of functions
Affects impact
***[FUN-L-0]** Unimportant functions
***[FUN-L-1]** Moderately important functions
***[FUN-L-2]** Critical functions
FIXME update use case/profile for above risk factor
**[CON]** Connectivity to other devices
Affects impact
***[CON-L-0]** Little to no connectivity to other devices
***[CON-L-1]** Connected to a few devices on a private network
***[CON-L-2]** Connected to a public network
FIXME update use case/profile for above risk factor
**[INT]** Integration in device
Affects impact
***[ADM-L-0]** Professional administration, fully resourced
***[ADM-L-1]** Non-professional administration, professional but under-resourced, or mixed
***[INT-L-0]** Connected via external adapter
***[INT-L-1]** Connected via internal adapter requiring disassembly to change
***[INT-L-2]** Fully integrated and cannot be removed from device
FIXME use case of integrated NIC, what effects does this have on available mitigations and impact, require firmware updatable
FIXME update use case/profile for above risk factor
FIXME risk factor of DMA or VFIO where userspace can poke at NIC memory and some registers
**???** Something about persistence
### 4.5.2 Mapping of use cases to risk factors and security profiles
