1

When reading something dealing with Common Criteria for Information Technology Security Evaluation it is clear where ABC_DEF-type acronyms come from - they are thoroughly described in parts 2 and 3.

But where do Threats, Policy, Assumption (T.[SOMETHING], P.[SOMETHING], A.[SOMETHING_ELSE] and O.[SOMETHING]-type stuff) and their details come from? Is there a comprehensive list or do people just write anything they want in there?

schroeder

2 Answers

1

According to the specification, these have no predefined list. These are defined as required for the situation.

A.6.2 Threats

291 This section of the security problem definition shows the threats that are to be countered by the TOE, its operational environment, or a combination of the two.

292 A threat consists of a threat agent, an asset and an adverse action of that threat agent on that asset.

293 Threat agents are entities that can adversely act on assets. Examples of threat agents are hackers, users, computer processes, TOE development personnel, and accidents. Threat agents may be further described by aspects such as expertise, resources, opportunity and motivation.

294 Threat agents may be described as individual entities, but in some cases it may be better to describe them as types of entities, groups of entities etc.

295 Examples of assets can be found in Section 7.1.

296 Adverse actions are actions performed by a threat agent on an asset. These actions influence one or more properties of an asset from which that asset derives its value.

297 Examples of threats are:

− a hacker (with substantial expertise, standard equipment, and being paid to do so) remotely copying confidential files from a company network;
− a worm seriously degrading the performance of a wide-area network;
− a system administrator violating user privacy;
− Someone on the Internet listening in on confidential electronic communication.

schroeder
1

Most of the time the SPD (Security Problem Definition), which includes Threats and Assumptions, is copied in its entirety from a PP (Protection Profile). It is only when an ST-only (i.e. no PP claims) evaluation is conducted that you define your own Threats, Assumptions and Objectives. There are some rules for defining and mapping these, but the existing CCv3.1R5 rules and evaluation activities are not sufficient to ensure a coherent SPD. In general terms, in such situations CC practitioners are more concerned that these correctly map to each other than with what they actually say.

Kirill Sinitski
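The mapping check the second answer refers to, as an added example that is not part of either answer and not an official CC tool: it verifies that every threat, policy and assumption is addressed by an objective and that no objective traces to nothing. The `OE.` prefix for environment objectives, the function name and all item names are assumptions constructed for illustration.

```python
# Added example: traceability check between an SPD and its security objectives.
# All item names (T.EAVESDROP, O.ENCRYPT, ...) are constructed samples.

def check_spd_mapping(spd, rationale):
    """Return a sorted list of mapping problems.

    spd       -- set of SPD items: T.* threats, P.* policies, A.* assumptions
    rationale -- dict: objective -> set of SPD items it traces back to
                 (O.* = objective for the TOE, OE.* = for the environment;
                 the OE. prefix is an assumed naming convention)
    """
    problems = []
    covered = set()
    for objective, traces in rationale.items():
        if not traces:
            problems.append(f"{objective}: traces to nothing in the SPD")
        for item in traces:
            if item not in spd:
                problems.append(f"{objective}: traces to undefined {item}")
            elif item.startswith("A.") and not objective.startswith("OE."):
                # Assumptions describe the environment, so only environment
                # objectives may uphold them; TOE objectives trace to T./P. only.
                problems.append(
                    f"{objective}: TOE objective traces to assumption {item}")
            else:
                covered.add(item)
    for item in spd - covered:
        problems.append(f"{item}: not addressed by any objective")
    return sorted(problems)


# Constructed sample with four deliberate defects.
SPD = {"T.EAVESDROP", "T.TAMPER", "P.AUDIT", "A.PHYSICAL", "A.TRUSTED_ADMIN"}
RATIONALE = {
    "O.ENCRYPT": {"T.EAVESDROP"},
    "O.AUDIT": {"P.AUDIT", "A.TRUSTED_ADMIN"},  # TOE objective -> assumption
    "O.BACKUP": set(),                          # objective with no rationale
    "OE.PHYSICAL": {"A.PHYSICAL", "T.THEFT"},   # T.THEFT is not in the SPD
}                                               # T.TAMPER is never countered

if __name__ == "__main__":
    for line in check_spd_mapping(SPD, RATIONALE):
        print(line)
```

A check like this only confirms that the mapping is complete and well-formed; it says nothing about whether the threats themselves are sensible.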