> List assumptions that are relevant to the risk analysis for these threats. Everything is hackable if you try hard enough. What kinds of threats are in and out of scope? What are you assuming is the sophistication of attack? Relate to use cases.
FIXME Do we have any assumptions that result in no difference in risk between different use cases? Or are they all just risk factors that vary by use case?
Assumptions can be updated to be less stringent as more use cases and mitigations are added to the standard.
### C.3.1 Proper platform
**[AS-PP]:** The platform the operating system runs on is trustworthy. The OS may choose to detect and/or correct hardware errors.
### C.3.2 Proper administrator
**[AS-PA]:** The operating system administrator is not intentionally hostile and is engaging in good faith efforts to administer the system properly.
### C.3.3 Attacker has limited physical access to operating system
**[AS-LP]:** An attacker will have only temporary physical access to the operating system.
### C.3.4 Attacker has limited resources
**[AS-LR]:** An attacker has the resources available to a small group of skilled individuals, without the backing of large corporations, nation-states, or immense wealth.
