@@ -1604,15 +1604,17 @@ ETSI EN 303 645: "CYBER; Cyber Security for Consumer Internet of Things: Baselin
## C.2 Risk factors
### C.2.1 List of risk factors
### C.2.1 General comments regarding risk factors
Risk factors determine which mitigation(s) satisfy each of the technical requirements in clause 5.2. The manufacturer determines the level of each risk factor via the development of a threat model and risk profile based on the intended and foreseeable use and misuse of the operating system.
Risk factors determine which mitigation(s) satisfy each of the technical requirements in clause 5.2.
Manufacturers determine the level of each risk factor via the development of a threat model and risk profile based on the intended and foreseeable use and misuse of the operating system.
Risk factors may increase the likelihood of an incident, increase the impact of an incident, or both. As a result, different mitigation strategies may be more or less relevant to different risk factors.
The overall risk related to each use case should be considered as a result of combining risk factors affecting both likelihood and impact of an incident.
The overall risk related to each use case should be considered, and is calculated by combining risk factors affecting both likelihood and impact of an incident.
#### C.2.1.x Number of User Accounts
### C.2.2 Number of User Accounts
**[RF-NUSR]:** The number of user accounts of end-users expected on the system, excluding administrator accounts.
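Review bot: The reworded overall-risk sentence ("should be considered, and is calculated by combining risk factors") mixes a recommendation with a statement of fact and implies a defined calculation, but no method for combining the factors appears in this clause. Either keep the earlier "as a result of combining" wording or point to where the combination method is specified. The paragraph also switches from "The manufacturer determines" to "Manufacturers determine"; pick whichever form the rest of the annex uses.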
@@ -1620,7 +1622,7 @@ The overall risk related to each use case should be considered as a result of co
* NUSR-1: foreseeable use is only one user account for an end-user
* NUSR-2: foreseeable use of the operating system is multiple user accounts for end-users
#### C.2.1.x User Account Concurrency
### C.2.3 User Account Concurrency
**[RF-CUSR]:** The number of user accounts expected to use the system concurrently, including administrator accounts if they are configurable or accessible by end-users.
@@ -1628,15 +1630,15 @@ The overall risk related to each use case should be considered as a result of co
* CUSR-1: foreseeable use of the operating system is small number of authenticated users simultaneously active on the operating system who are trusted not to actively attempt to compromise the system
* CUSR-2: foreseeable use of the operating system is multiple authenticated untrusted users simultaneously active on the operating system
#### C.2.1.x Potential for Collection of Personally Identifiable Information
### C.2.4 Potential for Collection of Personally Identifiable Information
**[RF-PPII]:** Potential for collection of personally identifiable information about an individual person.
*SNDT-0: foreseeable use includes no or incidental collection of PII
*SNDT-1: foreseeable use includes collection of moderate amounts of PII
*SNDT-2: foreseeable use includes collection of extensive amounts of PII by default
*PPII-0: foreseeable use includes no or incidental collection of PII
*PPII-1: foreseeable use includes collection of moderate amounts of PII
*PPII-2: foreseeable use includes collection of extensive amounts of PII by default
#### C.2.1.x Sensitivity of Data Stored
### C.2.5 Sensitivity of Data Stored
**[RF-SNDS]:** Sensitivity of data stored, as measured by impact of loss of its integrity, confidentiality, or availability.
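Review bot: The corrected PPII level lines are written as "*PPII-0:", "*PPII-1:" and "*PPII-2:" with no space after the asterisk, unlike "* CUSR-1:" and the other level lists, so Markdown will not render them as list items and may pair the asterisks as emphasis. Since these lines are already being touched to fix the SNDT prefix, change them to "* PPII-0:" and so on.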
@@ -1644,7 +1646,7 @@ The overall risk related to each use case should be considered as a result of co
* SNDS-1: foreseeable use includes storing moderate amounts of sensitive data
* SNDS-2: foreseeable use includes storing extensive amounts of sensitive data by default
#### C.2.1.x Sensitivity of Data Transmitted
### C.2.6 Sensitivity of Data Transmitted
**[RF-SNDT]:** Sensitivity of data transmitted, as measured by impact of loss of its integrity, confidentiality, or availability.
@@ -1652,7 +1654,7 @@ The overall risk related to each use case should be considered as a result of co
* SNDT-1: foreseeable use includes transmission of moderate amounts of sensitive data
* SNDT-2: foreseeable use includes transmission of extensive amounts of sensitive data by default
#### C.2.1.x Sensitivity of Functions
### C.2.7 Sensitivity of Functions
**[RF-SENF]:** Sensitivity of functions of device, as measured by impact of loss of its integrity, confidentiality, or availability.
@@ -1660,7 +1662,7 @@ The overall risk related to each use case should be considered as a result of co
* SENF-1: foreseeable use may provide arbitrary sensitive functions
* SENF-2: foreseeable use provides sensitive functions by default
#### C.2.1.x Physical Access by Threat Actors to the Device
### C.2.8 Physical Access by Threat Actors to the Device
**[RF-PHYS]:** Exposure of the device to physical access by users.
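Review bot: The renumbered heading "Physical Access by Threat Actors to the Device" does not match the RF-PHYS definition directly below it, which speaks of "physical access by users", while the levels refer to "untrusted users". Align the heading and the definition on one term so it is clear whether the factor measures exposure to any user or only to untrusted ones.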
@@ -1668,7 +1670,7 @@ The overall risk related to each use case should be considered as a result of co
* PHYS-1: foreseeable use includes incidental exposure to untrusted users
* PHYS-2: foreseeable use is primarily by untrusted users, e.g. the general public
#### C.2.1.x Processing of Untrusted External Inputs
### C.2.9 Processing of Untrusted External Inputs
**[RF-UEIN]:** Exposure to untrusted external inputs that are processed by the platform.
@@ -1676,7 +1678,7 @@ The overall risk related to each use case should be considered as a result of co
* UEIN-1: may incidentally process untrusted external inputs
* UEIN-2: used primarily to process untrusted external inputs
#### C.2.1.x Probability of Loss of the Device
### C.2.10 Probability of Loss of the Device
**[RF-LOSS]:** Likelihood of loss or theft of the device, allowing threat actors unlimited physical access to the device.
@@ -1684,7 +1686,7 @@ The overall risk related to each use case should be considered as a result of co
* LOSS-1: foreseeable use is in a device with moderate loss likelihood
* LOSS-2: foreseeable use is in a device with a high loss likelihood, such as devices which are common targets of theft such as mobile phones
#### C.2.1.x Hardware Modifiability by End Users
### C.2.11 Hardware Modifiability by End Users
**[RF-HWMD]:** Likelihood that the hardware of the platform will be changed from its secure-by-default state.
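Review bot: The LOSS-2 context line reads "such as devices which are common targets of theft such as mobile phones", repeating "such as". While the heading here is being edited, consider tightening it to "a high loss likelihood, e.g. mobile phones and other common targets of theft".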
@@ -1692,7 +1694,7 @@ The overall risk related to each use case should be considered as a result of co
* HWMD-1: foreseeable use includes hardware modifications by skilled administrators
* HWMD-2: foreseeable use includes hardware modification by unskilled users
#### C.2.1.x Software Modifiability by End Users
### C.2.12 Software Modifiability by End Users
**[RF-SWMD]:** Likelihood that the software on the platform (including firmware) will be changed from its secure-by-default state.
@@ -1700,7 +1702,7 @@ The overall risk related to each use case should be considered as a result of co
* SWMD-1: foreseeable use allows for the installation of arbitrary software or for substantial modification of pre-installed software
* SWMD-2: foreseeable use actively encourages and facilitates the installation of frequently malicious software
#### C.2.1.x Untrusted Peripheral Devices
### C.2.13 Untrusted Peripheral Devices
**[RF-DVCS]:** Likelihood of unstrusted peripheral devices being attached to the platform via a connection that is a plausible attack vector, such as by USB or PCI bus.
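Review bot: The RF-DVCS definition under the renumbered C.2.13 heading contains the typo "unstrusted"; it should read "untrusted", matching the heading "Untrusted Peripheral Devices". Worth fixing in the same change since the line sits directly under the edited heading.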
@@ -1708,7 +1710,7 @@ The overall risk related to each use case should be considered as a result of co
* DVCS-1: foreseeable use includes only trusted and safe peripheral devices
* DVCS-2: foreseeable use allows for arbitrary peripheral device attachment
#### C.2.1.x Access to a Public Network
### C.2.14 Access to a Public Network
**[RF-TNET]:** Likelihood that the device will initiate connections to public networks.
@@ -1716,7 +1718,7 @@ The overall risk related to each use case should be considered as a result of co
* TNET-1: foreseeable use allows internet access for only highly restricted functions, such as retrieving security updates
* TNET-2: foreseeable use allows for arbitrary access to a public network, such as by browsing the web
#### C.2.1.x Accessed From Untrusted Networks Including a Public Network
### C.2.15 Accessed From Untrusted Networks Including a Public Network
**[RF-FNET]:** Likelihood that the device will be exposed to incoming traffic from public networks.
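Review bot: The C.2.15 heading says "Accessed From Untrusted Networks Including a Public Network", but the RF-FNET definition only mentions "incoming traffic from public networks", and FNET-1 ("untrusted local networks but not the open internet") falls outside that definition. Widen the definition to "untrusted networks, including public networks". Separately, the TNET levels in the same hunk use "internet access" and "a public network" interchangeably; use one term throughout.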
@@ -1724,7 +1726,7 @@ The overall risk related to each use case should be considered as a result of co
* FNET-1: foreseeable use includes untrusted local networks but not the open internet
* FNET-2: foreseeable use includes being connected directly to the open internet
#### C.2.1.x Configurability
### C.2.16 Configurability
**[RF-CONF]:** Degree of security-relevant configuration change of the operating system necessary for use.
@@ -1732,7 +1734,7 @@ The overall risk related to each use case should be considered as a result of co
* CONF-1: foreseeable use involves operating system configuration changes only by skilled administrators
* CONF-2: foreseeable use of the operating system includes configuration changes by end-users
#### C.2.1.x Administration
### C.2.17 Administration
**[RF-ADMN]:** Availability and skill of administrators.
@@ -1740,7 +1742,7 @@ The overall risk related to each use case should be considered as a result of co
* ADMN-1: foreseeable use always has skilled administrators available on call
* ADMN-2: foreseeable use may involve unskilled administrators
#### C.2.1.x Support and Foreseeable Updates
### C.2.18 Support and Foreseeable Updates
**[RF-SUPP]:** How long the product is expected to be in use, and whether the product is expected to be updated throughout its life cycle.