@@ -590,13 +590,11 @@ FIXME prune this down to the most common use cases
### 4.5.1 List of risk factors
The manufacturer can satisfy the technical requirements in Section 5.2 by implementing one or more mitigations to reduce the associated risk, or by transferring the risk as appropriate. The manufacturer selects which mitigation(s) to use by determining the appropriate level of each risk factor in this section, via the development of a threat model and risk profile based on the intended and foreseeable use and misuse of the operating system.
Risk factors determine which mitigation(s) satisfy each of the technical requirements in Section 5.2. The manufacturer determines the level of each risk factor via the development of a threat model and risk profile based on the intended and foreseeable use and misuse of the operating system.
FIXME reference guidance on risk assessment when it exists.
The pre-defined Security Profiles in Section 6 list the appropriate mitigations for several common use cases.
Some risks may be transferred partially or fully to other components of the system or the user of the product. When that is the case, migitations that transfer the risk will be included as an option to fulfill a technical requirement, depending on the use case and risk factors.
Note: "account" refers to a user in the operating systems sense: a unique system identity associated with certain authorization and permissions. "User" refers to an entity that uses the device for some purpose. Users may have many accounts and accounts may have many users.
FIXME reference guidance on risk assessment when it exists.
