Annex II - Risk Assessment Spreadsheet

Asset Value Measurement Scale
Value Magnitude
1 Very Low
2 Low
3 Medium
4 High
5 Very High
Threat Value Measurement Scale

Value Description
1 Very Low
2 Low
3 Medium
4 High
5 Very High
Vulnerability Value Measurement Scale

Value Description
1 Very Low
2 Low
3 Medium
4 High
5 Very High
Information Security Risk Measurement Scale

Minimum Risk
1 2 3 4 5 6 7
Very Low Low Medium
Vulnerability
Value 1
Threat
Value 1 2 3 4 5
1 0 1 2 3 4
Asset Value
2 1 2 3 4 5
Asset Value
3 2 3 4 5 6
4 3 4 5 6 7
5 4 5 6 7 8
Metrics
[scales used to assess assets, vulnerabilties, threats and risks]
surement Scale
Maximum Risk
8 9 10 11 12 13
Medium High Very High
Risk Assessment Scale
2 3
1 2 3 4 5 1 2 3 4
2 3 4 5 6 3 4 5 6
3 4 5 6 7 4 5 6 7
4 5 6 7 8 5 6 7 8
5 6 7 8 9 6 7 8 9
6 7 8 9 10 7 8 9 10
4 5
5 1 2 3 4 5 1 2 3
7 4 5 6 7 8 5 6 7
8 5 6 7 8 9 6 7 8
9 6 7 8 9 10 7 8 9
10 7 8 9 10 11 8 9 10
11 8 9 10 11 12 9 10 11
5
4 5
8 9
9 10
10 11
11 12
12 13
Assets
[tangible or intangible: any devices, technologies, a
ID Asset Description or reference to above described Owner [involved actors / Value

elements organisations]
Intangible
A1 Automated reservation, check-in Controls the entrance of passengers into the Airport, airlines, citizens 4
and boarding procedure restricted area of the airport and finally to
the aircraft
A2 Electronic visa issuing process Process of getting a visa and linking with State, citizens 4
check-in [not mandatory at this stage]
A3 Luggage and goods handling Process for managing the flow of luggage Airlines, airport 3
and supplies to shops and airport operations
A4 Automated traffic management Getting to and from the airport; smart Airport, state, commercial 4
routing; does not include air traffic operators
management
A5 Passports and National ID cards Passports and national ID cards RFID- State/national authority 4
equipped, with digital photo and biometrics issuing it, citizen/passenger
(fingerprint). The devices may store the
following data:
- Personal data
- Biometrics, such as facial image, fingeprints
A6 Mobile ‘smart’ devices Small computing devices that allow the Citizen/passenger 4
transmission of voice and data. Functions For electronic boarding passes
integrated usually in one device: Mobile and /or visas, the owner could
phone, digital camera (working also as 2D also be the airline company
barcode reader), NFC reader/tag, Bluetooth, and state, respectively.
LCD (2D barcode can be displayed), GNSS
receiver. Smart phones, PDAs, laptops, e-
book reader etc. The devices may store the
following data:
- Personal data
- Personal preferences
- Location data
- Electronic boarding passes
- Electronic visa
They may also store and/or generate
- Non-personal data
- Passports and National ID cards
- Passenger Name Record data
A7 Health monitoring devices Allergy bracelet Citizen/passenger, airlines, 5

Implants / In body monitoring sensors. airports
Airline seat sensors. he devices may store
the following data:
- Personal data
- Health data
A8 Travel documents (paper) Paper versions of tickets and boarding Citizen/passenger, airline 3
passes. May contain the following data: company
- Personal data
- Location data
- Non-personal data
A9 RFID & barcode readers Readers in automatic check-in kiosks, State, Airport authorities, 4
security control, etc as well as passenger airlines, companies,
mobile devices passengers
A10 Credit Cards/Debit card/Payment RFID-enabled or not. Used to make Citizen/passenger, issuing 4
cards/'e-wallet' transactions. bank
A11 Other RFID cards Transport systems and small payments Issuing companies and 3
cards, frequent-flyer RFID-based cards. authorities, passengers
A12 Scanners & detectors Liquids and gels (LAG) detectors; Body Airports, State, Security 3
scanners companies
A13 Networks Wi-Fi, WiMax, conventional broadband, Service providers, including 4

ZIGBEE, smart dust mesh networks, etc airports and airlines
A14 State databases Database containing data on passengers State, International bodies 4
held by the State authorities for official (SIS, Interpol, Europol)
travel purposes.
A15 Commercial and other databases Databases containing data on passengers Companies, shops, travel 4
held by others not related to the State agencies
databases in A14.
A16 Temporary handset airport guides Device given to passengers to help them Airport management 2
navigate the airport and to provide
translation facility
A17 Luggage and goods The passengers’ luggage. Citizen/passenger, shops 3

A18 Check-in infrastructure Check-in desks, kiosks etc. Airlines, airport 3
A19 Airport facilities All the physical facilities of the airport; Shops, airports 3
includes also shops, stands, information
desks etc.
A20 Cars / vehicles Cars /vehicles used in the scenario Citizens / state 4
Assets
ny devices, technologies, applications, processes, data of value ]
Impact Areas
(as in worksheet "Impact Areas")
IA1 IA2 IA3 IA4 IA5 IA6 IA7 IA8 IA9
2 4 2 2 3 3 3 4 2
2 4 3 2 3 4 3 4 2
2 3 2 1 2 2 3 3 2
2 3 1 1 2 2 2 4 2
2 4 3 2 3 4 3 4 2
2 4 2 2 2 3 3 4 3
5 2 3 2 2 2 2 3 2
2 3 2 2 3 3 1 3 2
2 3 2 1 2 4 2 3 2
2 4 2 2 2 2 4 4 2
2 3 2 1 1 2 2 3 2
2 3 3 2 2 2 2 2 1
2 4 3 2 2 2 3 3 3
3 3 4 4 4 3 2 2 2
2 3 4 3 3 1 2 3 2
1 2 2 2 1 2 2 2 2
2 3 2 2 1 2 2 3 2
2 3 2 2 2 3 3 3 2
1 3 2 1 1 2 3 3 2
3 3 1 1 1 4 2 4 1
IA10 IA11
3 3
3 3
3 3
2 2
4 2
3 3
4 2
3 2
3 2
4 3
2 2
3 2
4 2
4 2
3 3
1 1
2 2
2 2
2 3
1 3
Impact Areas
[estimation of impact of the identified threats; it is closely related to the as
No. Impact
I01 Health / Life / Safety
I02 Time / efficiency

I03 Human rights
I04 Social values
I05 Legal and regulatory
I06 Mobility of individuals

I07 Financial / economical
I08 Comfort, convenience and ease of access
I09 Interoperability
I10 Trust
I11 Business activities

Impact Areas
of impact of the identified threats; it is closely related to the asset value, so you need to consider that]
Description
Refers to the physical and psychological condition of an individual; his/her physical and psychological well-being and absence of diseas
Time needed to check-in, security controls or boarding

Human rights, e.g. privacy, autonomy, non-discrimination, dignity
Social inclusion, e-inclusion, trusted human relationships, etc.
Existing legal regulatory framework needs to be respected. It foresees consequences for violations and for failure to fulfil the obligatio
foreseeen in it. It delineates the passenger rights. PNR is also based on bilateral/international agreements on the transfer of informati
passengers.
The ability and potential of people to move across countries.
Cost considerations for airlines, airports, companies and individuals
Smooth processes, services on demand, usability. The provision of services for people with usabilities
Interoperability between networks, sensors, devices, organisations, passengers and users is central to the scenario. An IoT like networ
depend on a high level of interoperability between all of the different contexts and situations in which devices will need to communica
However interoperable networks carry with them significant risks and issues, such as privacy, access controls, access to data, secondar
primary uses of data and data 'shelf' life. These would be apart from the technical problems such as standardisation in network protoc
example. Interoperable networks may also provide more room for fraud or other criminal activity in that compromising one part may
unauthorised access to another. The same is true if interoperability extends to interdependency in the case of failures and problems.
Trust is essential in all aspects of the scenario. Passengers must trust the information on their devices. Operators must trust personal d
provided, and information provided to them by other operators. Trust is also needed in the automated procedures by airlines and airp
operators. And border authorities must likewise trust in the systems to perform.
Implemented Controls
[existing safeguards etc. already in place and that need to be considered. These may
Existing Control Description

Control ID
C1 Multiple ways of getting to the airport (personal vehicle, buses, taxis, trains
etc): intermodality
C2 Comparison of individuals physical traits with those documented on a valid
official document (passport, national ID card, crew pass, personnel pass) for
identification and authentication purposes
C3 Automatic authentication of passengers by means of their biometric features
C4 Authorisation of passengers by a paper boarding pass and verified by the

airline personnel
C5 Authorisation of passengers by electronic boarding pass verified by the
departure control system of the airline
C6 Valid crew or airport personnel pass with digital photo
C7 Security checks in smart corridors with metal detectors, EDS and LAG
detectors
C8 Airport security monitoring and emergencies identification through the usage
of smart devices
of smart devices
of smart devices
C9 Departure Control System (DCS)
C10 Verification of only one person in the booth
C11 Global Entry System authentication for schengen visa holders using PNR
C12 Communication of the payment transaction record to the shuttle service

operator
C13 Sharing and co - ordination of traffic data
C14 Automobile's licence plate number capture by the digital video camera and
respective record storage
C15 Website RFID tags on purchased goods for identification of the rightful owner
C15 Website RFID tags on purchased goods for identification of the rightful owner
C16 Reception of purchased goods after scanning the boarding pass on a specific
reader inside the plane
C17 Reception of purchased goods after scanning the boarding pass on a specific
reader inside the plane
C17 Automated return of unused credit from TfL
C18 Flight confirmation during goods purchase
C18 Flight confirmation during goods purchase
C19 GPI RFID chip
C20 GA message for boarding
C21 Special seats embedded with pressure and temperature sensors on aircraft
C22 SMS record kept by taxi service as a proof

Implemented Controls
e and that need to be considered. These may be found in the assumptions for example]
Control Category Control Nature
Containment & Recovery Semi - automated
Preventive Manual
Preventive Automated
Preventive Manual
Detective Preventive Automated
Detective Corrective Automated
Deterrent Preventive Automated
Preventive Deterrent Automated
Detective Automated
Preventive Detective Automated

Corrective Automated
Corrective Preventive Automated
Detective Automated
Detective Automated
und in the assumptions for example]
Affected Assets
A1. Automated reservation, checking and boarding procedure
A19. Airport facilities
A18. Check-in infrastructure
A4. Automated traffic management

A3. Luggage and goods handling
A17. Luggage and goods
A10. Credit Cards/Debit card/Payment cards/'e-wallet'

A6 Mobile 'smart' devices
A7 Health monitoring devices
A4 Automated Traffic Management

Vulnerabilities
[of the tangible / intangible assets]
No Vulnerability Description Exposure [Metric

Values are 1-5]*
V1 Inappropriate design of procedures 3
V2 Excessive dependency on IT systems, network and external infrastructure 4
V3 Lack of back-up / failover procedures 3
V4 Lack of or low user awareness and/or training in procedures, use of devices, 2

security aspects etc
V5 Lack of usability / unfriendly user interface(s) of device(s) 3
V6 3
Lack of interoperability between devices and/or technologies and/or systems

V7 Collected data is insufficient or incorrect [lack of adequate controls at data 3
entry]
V8 Dependency on power systems 4
V9 Lack of or inadequate logical access (identification, authentication and 3

authorisation) and physical access controls
V10 Flawed/insufficient design and/or capacity of devices and systems 2
V11 Lack of adequate controls in biometrics' enrolment stage 3
V12 Lack of harmonisation and interoperability of procedures 2
V13 Lack of or inappropriate protection of RFID tags 2

V14 Lack of sufficiently skilled and/or trained personnel [airport, airline] 3
V15 Insufficient equipment 2
V16 Inappropriate expansion of the trust perimeter 2
V17 Lack of dependable sensors, GPS 2

V18 Lack of respect to the data minimisation and proportionality principles 2
V19 Lack of respect to the purpose limitation (finality principle) 4
V20 Lack of respect to the transparency principle 4
V21 Inappropriate / inadequate identity management 3
V22 Inadequacy of RF traffic regulations 2

V23 Over dependency on biometrics 2
V24 2
V25 Inherent features (size, material etc.): easy to lose, to be stolen and/or 3
copied (especially for RFID tags)
V26 Actual RFID range longer than standard 2
V27 RFID tags do not have a turn-off option 2
V28 Insufficient protection against reverse engineering 2
V29 Inadequate security measures of data storage (e.g. inadequate encryption 3

measures)
V30 Over-sensitivity of devices (generating many false alarms) 2
V31 Sensitivity to magnetic fields 2

V32 Devices & equipment used in unprotected environments 3
V33 High error rates of biometric identification (esp. face-based recognition) 3
V34 Communication of data over unprotected or publicly accessible channels 3
V35 Data linkability 3
V36 Lack of data correction mechanisms (as normally data subjects do not have 4
access to the databases)
V37 Failure of biometrics sensors 2

V38 Lack of common or harmonised legislation in EU Member States 3
V39 Insufficient protection of wireless networks and communication (weak or no 4
encryption etc.)
V40 Lack of respect to the legitimacy of data processing, e.g. consent 3
V41 Lack of respect to the data conservation principle 3
V42 Lack of respect to the rights of the data subject (such as the right for 2
rectification, blocking or deletion of data)
*Indicative values - the final vulnerability value is

estimated for every pair asset-vulnerability.
le assets]
Severity [Metric Vulnerability Assessment Comments / Additional Info

Values are 1-5]* Value*
4 2.4 This vulnerability could be due to lack of accountability, high
complexity of procedures, assigning extensive responsibilities to
end-users (in critical parts of the procedures), etc.
3 2.4 An excessive dependency arises when one relies on IT systems. It is

a sort of "mug's game" in the sense that virtually every system will
fail to a lesser or greater extent at some point or other.
3 1.8 When things do go wrong, there is no adequate back-up system in

place to take over. Availability/robustness has not been considered
in the system design, , or appropriate failure modes have not been
addressed.
4 1.6 This includes unfriendly authentication mechanisms, too frequent

requests for password change, too quick automatic log-offs, etc. This
vulnerability may also arise because there has not been sufficient
training given to staff in detecting and understanding security
threats.
3 1.8
This vulnerability is due to the difficulty of using device interfaces.
The interfaces are not intuitive or user friendly. It may arise from
excessive or unnecessary functionality options available to the
users. A device may be too complicated for ease of use.
4 2.4
A simple example of the lack of interoperability appears when the
RFID reader at the airport cannot write data to the RFID tag on
Akira's suitcase. This vulnerability is depending on the governance.
4 2.4
This vulnerability arises when systems do not collect enough or
appropriate data or garble the data they do collect. For example, the
data collected by passenger name records (PNR) may not be
sufficient to identify a terrorist or an improper entry on no-fly lists,
incorrect entries in relation to visa status, and mistaken
identification of individuals by commercial entities
3 2.4 If a natural disaster, for example, disrupts an airport's power

system, everything comes to a halt.
3 1.8
This vulnerability may refer to systems, devices, data access or
network access. This also includes authentication of RFID and RFID
readers, and since many RFIDs are writeable, this may increase the
vulnerability.
2 0.8
Poorly designed devices or systems may create a vulnerability,
whereby they are not sufficiently robust or resilient to withstand
attacks by hackers (for example) or they may not do what is
expected of them, especially at critical times.
2 1.2
Biometrics are not 100 per cent reliable. Part of the reason why they
are not may occur at the enrolment stage when an individual's iris
or fingerprints or other feature are scanned.
2 0.8 Security or other procedures may vary from one airport to another,
creating opportunities for evil-doers.
3 1.2
4 2.4 It's often been said that the weakest link in any system is human. If
personnel are inadequately trained, they become a vulnerability.
They need to be trained adequately to detect and understand
security threats and what to do in the event of a system
malfunction.
5 2 Airports with insufficient equipment may create a security

vulnerability. The vulnerability might also pose problems to the
efficient processing of passengers from check-in to boarding.
3 1.2 Too many people may have access to personal information. Often
the biggest threat comes from insiders.
3 1.2
2 0.8 The data collected and processed shall be adequate, relevant and
not excessive in relation to the purposes they are collected. An
example of such lack of respect to the data minimisation and
proportionality principles can be mentioned the case, when an LBS
system collects not only the information absolutely needed for the
provision of the service, but it also stores excessive information.
The need-to-know principle is not enforced by any means.
4 3.2 When the purpose limitation principle is not respected, more data
are collected and processed than is strictly necessary the specified
purpose. For instance, Christina's approximate physical location is
revealed to both the cell communication provider as well as the
navigation service that provides the map and traffic conditions
applications.
4 3.2 Lack of respect to the transparency principle means that the data
subject is not able to determine the relevant data processing
practices. In the IoT a lot of information is transmitted and
processed via automated processes, most of which remain
unnoticed by the data subject.
3 1.8 While the traffic and local map are being downloaded in real time,
Christina's approximate physical location is revealed to both the cell
communication provider as well as the navigation service that
provides the map and traffic conditions applications. Appropriate
identity management would protect Christina's privacy in this case.
4 1.6
2 0.8 Biometric identification has relatively high error rates (especially
automatic face recognition). Also modern biometric sensors
(especially fingerprint and iris sensors) are difficult to compromise
('liveness detection'), still is also possible to spoof them. Awareness
of imperfection of biometric systems is an important factor of
overall security [P. Rotter (ed.) Biometrics Deployment Study. Large-
scale biometrics deployment in Europe. Identifying challenges and
threats. JRC-IPTS report EUR 23564 EN 2008, ISBN 978-92-79-
10657-6. Available at: http://ftp.jrc.es/EURdoc/JRC48622.pdf
2 0.8
4 2.4 Inherent vulnerability of cards and devices (passports, RFID tags,
etc.): they are small in size, and they are easy to lose, be stolen
and/or copied.
3 1.2
Malicious RFID readers may be able to operate from a distance
several times longer than the intended range (Kirschenbaum &
Wool 2006). Moreover, shielding of RFID is often not possible.
2 0.8
Unlike mobile phones or PDAs, most RFID tags cannot be turned off
and are always ready to send data for a request received by radio
waves. This feature is an inherent vulnerability.
2 0.8
In RFID and contactless smart cards, due to limited resources, the
methods for protection against reverse engineering, such as dummy
structures, scramble buses and memory cells, etc., are rarely
applied. Active methods for detection of reverse engineering attack
are impractical in these devices.
1 0.6 In case RFID and contactless smart cards, due to limited resources,
manufacturers often apply light cryptography and proprietary
cryptographic methods.
2 0.8
Some devices are not 100 per cent reliable. They may produce
inaccurate results or make false positives or negatives.
3 1.2
3 1.8
Devices used by a great number of people every day [health issues
(e.g. infectious diseases spread by fingerprint scanners)]
3 1.8
Face-based identification has the highest social acceptance among
all biometric identification methods. Unfortunately, it has also high
error rates, which leads to many false alarms and/or false
acceptances.
3 1.8
3 1.8
Different databases or data stored at different locations serving

different purposes are / can be linked, thus enabling greater data
matching, data mining, profiling, data aggregation or social sorting.
Key question here is who is doing the linking and why - it could be
for security reasons (catching terrorists before they fly), but it could
also be for commercial exploitation by airlines, vendors, service
providers operating in the airport as well as by evil-doers seeking to
undermine air travel, airport systems or engaged in spoofing,
phishing, spamming.
3 2.4
Many entities are collecting personal data, but rather fewer of them
have procedures in place enabling individuals (data subjects) to see
what data they have about them. Procedures for correcting
incorrect data may not exist or may be cumbersome and
bureaucratic.
3 1.2
2 1.2
Although Member States have transposed the EU Data Protection

Directive, they have not done so in a fully harmonised way. In
addition, there are lacunae in the legislation so that some matters
are not addressed.
5 4
Due to limited resources, RFID tags often use light, proprietary
cryptography, which in some cases is not sufficient. Identifiers of
tags which are sent in the beginning of communication are not
encrypted at all (as a part of anti-collision protocol) and they may
be used e.g. for tracking of people.
4 2.4
The processing of personal data is supposed to be legitimate.
However, some data controllers and data processors may not have
obtained the informed consent of data subjects.
3 1.8 Personal data are supposed to be deleted when they are no longer
necessary for the purposes for which they were collected or
processed.
3 1.2
Data subjects are supposed to be given the opportunity to rectify
incorrect data or to block its further use. For instance, Akira wishes
to unsubscribe from "Hazukashi Not" service and to have his
account deleted.
Threats and Threa
[perceived threats that could exploit the identifi
Threat Agent
Threat
Threats (source of threat or person who
ID
initiates threat)
T1 Denial of service attack / flood / buffer overflow Vandals/terrorists/Corporate
raiders/professional criminals/hackers/
rogue; State
T2 Spoofing of credentials / bypass authentication Corporate raiders/professional

criminals/hackers
T3 Large-scale and/or inappropriate data mining and/or surveillance Marketing companies, online service
providers, malicious attackers
T4 Traffic analysis / scan / probe Corporate raiders/professional

criminals/hackers
T5 Man-in-the-middle attack Hacker
T6 Social engineering attack Hacker, criminal, terrorists
T7 Theft [of cards, devices etc] Malicious attacker
T8 Unauthorised access to / deletion / modification of devices / data etc. Malicious attacker
T9 Loss or misuse [of cards, devices etc] Passenger, airport and airline
personnel
T10 Use erroneous and/or unreliable data
T11 Procedures / instructions not followed Airport and airline personnel.
Passengers
T12 Non-compliance with data protection legislation Commercial establishments, State
T13 Function creep (data used for other purposes than the ones for which they Commercial establishments
were originally collected)
T14 Unauthorized check-in and boarding / identity theft Hacker, criminal, terrorist
T15 Cloning of credentials and tags (rfid related) Hacker
T16 Unauthorised access to other restricted areas (apart from boarding e.g. Hacker, criminal, terrorist
Control room, personnel's' offices)
T17 Side channel attack
T18 Blocking
T19 Jamming Hacker
T20 Fake / rogue rfid readers / scanning of rfid reader and /or tag
T21 Physical rfid tag destruction
T22 Malfunctioning/breakdown of systems /devices / equipment

n/a
T23 E-visa not accepted at check in system fault
T24 Worms, viruses & malicious code Hacker, rogue state
T25 Malicious attack on power systems Malicious attacker

T26 State surveillance on citizens State
T27 Trade union/labour strikes Labor union

T28 Adverse weather condition or other disaster n/a
T29 Ad hoc network routing attack Corporate raiders/professional

criminals/hackers
T30 Low acceptance of devices / equipment / procedures Passengers / citizens / airport & airline
personnel
T31 Data linkability Commercial establishments, State
T32 Profiling Commercial establishments, State
T33 Exclusion of the data subject from the data processing process Commercial establishments, State
T34 Trivialisation of unique identifiers Commercial establishments, State

reats and Threat Agents
hat could exploit the identified vulnerabilities of the assets]
TA Capacity
TA Motivation (knowledge Comments
etc.)
A denial of service attack is sabotage, aimed at disrupting a service for fun or to

Varies from achieve political or illegal goals. A DOS attack is sometimes known as a buffer
Medium low to high overflow attack or flooding..
Medium 4
This threat is a stepping stone to achieve next stage of sabotage or penetration.
The ease with which data can be collected, aggregated and mined coupled with the
To collect large volume of motivation of large financial paybacks make this a widespread threat. Roger Clarke
potentially personal coined the term dataveillance to describe the phenomenon of surveillance by means
sensitive data for market of data analysis. Both airports and governments may also have an interest in
analysis and profit making analysing data, to prevent terrorist related incidents, to develop more targeted
(H) 5 advertising.
This threat is often found in conjunction with or preparation for another attack aimed
at revealing protected sensitive operations. The threat gleans data implied in network
communication patterns. Traffic analysis requires special skill and knowledge to be
High effective.
This is one of the most common attack methods, especially for information collection.
However, such attacks on RFID and smart cards do not occur very often. Such attacks
are usually carried to appropriate others' identity rather than getting access to
To hijack network restricted areas or data, which is usually encrypted. Man-in-the-middle (or relay)
communication channel for attacks for contactless smart card has been theoretically analysed by Kfir and Wool
sensitive data collection (2005). For practical aspects, see Hancke (2005). Countermeasures such as distance
and misinformation feeding bounding based on response time (Hancke & Kuhn 2005; Reid et al. 2006) or signal-
and identity theft (HML) 4 to-noise rate (Fishkin & Roy 2003) are rarely applied.
To obtain sensitive Social engineering attacks are widespread and too-often effective. They play upon
information and system gullibility or human psychological weakness. Phishing could be regarded as a form of
penetration 4 social engineering.
There will always be evil-doers engaged in theft of others' property, be it smart cards,
Financial gain, criminal smart phones or whatever. Theft is not, of course, the only crime. Extortion, fraud and
activities (H) 4 many other crimes are common in cyberspace.
This attacks refers to unauthorized access to data stored on RFID, smart cards
(especially contactless) and personal devices. Also databases can be a subject of
attack though the network, as well as data can be illegally accessed and modified by
unauthorized personnel.
Loss or misuse of a card or device is also a common threat.
This threat arises when, for example, a passenger doesn't follow instructions and
makes a jam in the automated passport/immigration control or smart corridor.
This threat arises when governments and business do not comply with provisions of
data protection legislation and the principles stated therein, for example, regarding
data minimisation, purpose specification, proportionality, informed consent, access
4 to data by the data subject, etc.
Function creep occurs when data are used for other purposes than the ones for which
they were originally collected for. For example, in the air traffic scenario, a car rental
company doing some market analysis might approach an airport operator to gain
4 access to its data on airport parking.
For example, an attacker might use a fake fingerprint with a stolen passport to board
the plane.
An RFID clone can be either physically similar to the original tag or can be a notebook
with a special antenna. Cloning is relatively easy for basic tags but even some
advanced and apparently well protected tags with a challenge-response protocol
Medium-High Medium-High have been cloned (Juels 2005; Bono et al. 2005; Courtois et al. 2008).
This threat can arise as a result of stealing or cloning authorisation tokens (like smart
cards).
Smart cards or RFID tags may be subject to side channel attacks based on information
gained from physical implementation of a cryptosystem, like variations of power
consumption, time of computations or electromagnetic field (Bar-El 2003). It is often
combined with other cryptanalysis methods.
RFID or a GSM network can be blocked by exploiting vulnerabilities of information
exchange protocols. Blocking can be also useful as a way to protect consumers'
privacy (Juels, Rivest, Szydlo 2003).
System operation
interruption to futher Jamming is malicious interference of a radio transmission. It can result in denial of
achieve attack steps such as service and forcing a system to use fallback procedures. Large-scale jamming requires
spoofing or decoyed attacks extensive equipment setup and exposure of the transmission source. It is not
(L) 4 commonly practised unless with a clear and critical agenda.
RFID Tags can be read by any RFID reader. Therefore, rogue RFID readers can scan for
RFID and be used for unauthorized reading of information from a tag. As RFIDs often
have light cryptography schemes (if any), powerful back-end systems can break the
code in minutes, making the security protection ineffective. The range of a reader
may be extended several times beyond the standard communication distance, for
example ISO 14443 cards with standard range 10 cm can be scanned from 25-35 cm,
which is enough to read a card in someone's pocket. Main countermeasures are:
encryption, authentication of the reader, using short-range tags, shielding tags with
an anti-skimming material (e.g. aluminium foil) and moving sensitive information to a
protected database in the system's backend.
The easiest way to disrupt RFID systems is to physically destroy the tags. Destruction
becomes a serious issue when RFID tags are used as anti-theft protection. RFID tags in
e-passports can be destroyed by owners who have concerns about possible abuse of
their privacy - especially as an e-passport with a non-working RFID tag is still valid
(Wortham 2007).
This threat occurs when systems or devices malfunction due to
n/a n/a hardware/software/implementation errors.
Worms, viruses and malicious code are a part of our daily cyber life. They are a
prevalent and effective way of disrupting systems. Even very simple RFID tags, such as
Service disruption, system those used for tagging goods, can carry a malicious code (Rieback at al. 2006).
compromise, information
theft 4
This threat might be aimed at forcing a system to use fallback procedures, e.g., in
order to get unauthorised access to restricted areas.
Unjustified political agendas often lead to excessive surveillance on citizens. Every
To achieve unethical citizen described case (true or invented) dramatically decreases trust and acceptance of
control political agenda (H) 5 technology (especially biometrics, RFID).
This threat is of low probability but potentially high consequence. The destruction
wrought by natural disasters is difficult to predict. It could affect airport and
n/a n/a telecommunication (network) operations.
Initial attack step to further Personal mobile devices may create ad hoc networks in order to exchange data and
achieve cloning, man-in- information between users. These networks can be used by attacker to break into
the-middle attack, or personal devices and compromise the communication and information exchange
service interruption which between parties. For example, DOS attacks can flood ad-hoc networks; rogue
leads to system participants can de-route or compromise legitimate messages and information
compromise (M) 4 exchanges.
RFID is perceived by many people as a privacy threat. They have been called
"spychips" (Albrecht, McIntyre 2005). Most of the concerns presented during an EU
public consultation on RFID were related to privacy (Maghiros, Rotter, van Lieshout
2007). Also some biometrics have low social acceptance, especially fingerprints which
are commonly regarded as linked to criminal investigations.
The abundance of data collected and processed in the IoT and their storage in
4 databases (commercial and state) facilitate their linkability.
The abundance of data collected and processed in the IoT can lead to the creation of
user profiles (relating to consumer preferences, travelling habits, etc.).
4
The automatisation of the processes in the IoT threatens to exclude the data subject
from the data processing process.
4
The use of unique identifiers, such as the human fingerprint, is increasingly being
used for trivial transactions, such as in the case when Elena registers her fingerprint in
order to "secure" her boarding pass.
4
Threat Assessment
Value
3
4
3
5
4
Mapping of Assets and Vulnerabilities
Asset ID Assets
A1 Automated reservation, check-in and boarding

procedure

procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
procedure
A2 Electronic visa issuing process


A2
Electronic visa issuing process
A3 Luggage and goods handling

A4 Automated traffic management


A5 Passports and National ID cards





A6 Mobile ‘smart’ devices




A6
Mobile ‘smart’ devices


A8 Travel documents (paper)


A9 RFID & barcode readers




A10 Credit Cards/Debit card/Payment cards/'e-wallet'

A11 Other RFID cards




A12 Scanners & detectors





A13 Networks
A13 Networks
A13 Networks
A13 Networks
A13 Networks
A13 Networks
A13 Networks
A13 Networks
A13 Networks
A13 Networks
A13 Networks
A13 Networks
A13 Networks
A13 Networks
A14 State databases
A14 State databases

A14 State databases
A14 State databases
A14 State databases

A14 State databases
A14 State databases
A14 State databases

A14 State databases
A14 State databases
A14 State databases
A14 State databases
A14 State databases

A14 State databases
A14 State databases

A14 State databases
A14 State databases
A14 State databases
A15 Commercial and other databases





A16 Temporary handset airport guides

A17 Luggage and goods


A18 Check-in infrastructure



A19 Airport facilities


A20 Cars / vehicles

A20 Cars / vehicles
A20 Cars / vehicles

A20 Cars / vehicles
A20 Cars / vehicles
A20 Cars / vehicles

A20 Cars / vehicles
A20 Cars / vehicles
A20 Cars / vehicles
A20 Cars / vehicles
A20 Cars / vehicles
A20 Cars / vehicles
A20 Cars / vehicles

A20 Cars / vehicles
A20 Cars / vehicles

A20 Cars / vehicles
Mapping of Assets and Vulnerabilities
Vulnerability Description
Vulnerability Value
V1. Inappropriate design of procedures - includes: lack of accountability, high complexity of procedures,
assigning extensive responsibilities to end-users (in critical parts of the procedures) etc. 3
V10. Flawed/insufficient design and/or capacity of devices and systems

3
V12. Lack of harmonisation and interoperability of procedures
3
V14. Lack of sufficiently skilled and/or trained personnel [airport, ariline]
4
V15. Insufficient equipment
2
V16. Inappropriate expansion of the trust perimeter
4
V18. Lack of respect to the data minimisation and proportionality principles
4
V19. Lack of respect to the purpose restriction principle (purpose limitation principle)
4
V2. Excessive dependency on IT systems, network and external infrastructure
3
V21. Inappropriate / inadequate identity management
3
V28. Inadequate security measures of data storage (e.g. inadequate encryption measures)
3
V3. Lack of back-up / failover procedures
4
V36. Lack of data correction mechanisms (as normally data subjects do not have access to the
databases) 3
V37. Failure of biometrics sensors
3
V38. Lack of common or harmonised legislation in EU Member States
4
V4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc
4
V39. Insufficient protection of wireless networks and communication (weak or no encryption etc.)
2
V5. Lack of usability / unfriendly user interface(s) of device(s)
4
V6. Lack of interoperability between devices and/or technologies and/or systems
3
V7. Collected data is insufficient or incorrect [lack of adequate controls at data entry]
3
V8. Dependency on power systems
4
V10. Flawed/insufficient design and/or capacity of devices and systems
3
V9. Lack of or inadequate logical access (identification, authentication and authorisation) and physical
access controls 3
V20. Lack of respect to the transparency principle
3
V41. Lack of respect to the data conservation principle
3
V42. Lack of respect to the rights of the data subject (such as the right for rectification, blocking or
deletion of data). 4
V8. Dependency on power systems 3
V12. Lack of harmonisation and interoperability of procedures 4

V14. Lack of sufficiently skilled and/or trained personnel [airport, ariline] 4
V3. Lack of back-up / failover procedures 4
V7. Collected data is insufficient or incorrect [lack of adequate controls at data entry] 3
V5. Lack of usability / unfriendly user interface(s) of device(s) 3
V23. Over dependency on biometrics 3
V6. Lack of interoperability between devices and/or technologies and/or systems 4
access controls 3
4
V38. Lack of common or harmonised legislation in EU Member States 3
V18. Lack of respect to the data minimisation and proportionality principles 4
V19. Lack of respect to the purpose restriction principle (purpose limitation principle) 4
V35. High data linkability 3
V15. Insufficient equipment 2
V40. Lack of respect to the legitimacy of data processing, e.g. consent 4
V41. Lack of respect to the data conservation principle 4
V21. Inappropriate / inadequate identity management 3
V20. Lack of respect to the transparency principle 4
V13. Lack of or inappropriate protection of RFID tags 2
V25. Actual RFID range longer than standard 2
V2. Excessive dependency on IT systems, network and external infrastructure 3
V37. Failure of biometrics sensors 2
V22. Collision of tag traffic / Radio-frequency interference 2
V24. Inherent features (size, material etc.): easy to lose, stolen and/or copied (expecially for RFID tags)
2
V17. Lack of dependable sensors, GPS 3
4
V20. Lack of appropriate user procedures, especially regarding the collection and processing of persona
data: lack of informed consent, insufficient definition of the purpose for which the data are collected for,
lack of transparency and data traceability (the user doesn't know when his data are being accessed, by 4
whom and why)

V11. Lack of adequate controls in biometrics' enrollment stage 3
3
2
access controls 2
V26. RFID tags do not have a turn-off option 3
V27. Insufficient protection against reverse engineering 3
4
V31. Devices & equipment used in unprotected environments 3
3
3
2
access controls 2
4
3
V10. Flawed/insufficient design and/or capacity of devices and systems 3
3
V34. Communication of data over unprotected or publicly accessible channels 4
4
2
3
V29. Over-sensitivity of devices (give many false alarms) 4
V30. Sensitivity to magnetic fields 4
4
3
4
4
access controls 3
2
V30. Sensitivity to magnetic fields 2
4
V21.Lack of appropriate user procedures, especially regarding the collection and processing of persona
lack of transparency (the user doesn't know when his data are being accessed, by whom and why) 4
3
4
V6. Lack of interoperability between devices and/or technologies and/or systems
3
access controls 2
V25. Actual RFID range longer than standard
4
V26. RFID tags do not have a turn-off option
3
V27. Insufficient protection against reverse engineering
3
4
V31. Devices & equipment used in unprotected environments
3
V13. Lack of or inappropriate protection of RFID tags
4
3
4
3
V22. Collision of tag traffic / Radio-frequency interference
2
4
V38. Lack of common or harmonised legislation in EU Member States
3
4
3
V40. Lack of respect to the legitimacy of data processing, e.g. consent
4
3
3
access controls 2
4
3


V32. Used by a great number of people every day [health issues (e.g. infectious diseases spread by
fingerprint scanners)] 4
V33. High error rates of biometric identification (esp. face-based recognition) 3
4
V29. Over-sensitivity of devices (give many false alarms) 3
3

4
access controls 4
V16. Inappropriate expansion of the trust perimeter 3
4

3
access controls 4
2
databases) 4

3
access controls 4
V20. Lack of appropriate user procedures, especially regarding the collection and processing of persona
lack of transparency and data traceability (the user doesn't know when his data are being accessed, by 5
whom and why)
2
databases) 4
4
2
3

3
access controls 3
V33. High error rates of biometric identification (esp. face-based recognition) 3
4
V16. Inappropriate expansion of the trust perimeter 4
4
access controls 3
V17. Lack of dependable sensors, GPS 3
3
4
Mapping of Vulnerabilities and Threats
Vulnerability Description
No
V1 Inappropriate design of procedures

Inappropriate design of procedures
V1

Inappropriate design of procedures
V1

Excessive dependency on IT systems, network and external infrastructure
V2
V2
V2
V2
V2
V2
V2
V3 Lack of back-up / failover procedures

Lack of or low user awareness and/or training in procedures, use of devices,
V4 security aspects etc
Lack of usability / unfriendly user interface(s) of device(s)
V5
V5 Lack of usability / unfriendly user interface(s) of device(s)

V6
V6
V6
V6
V6
Collected data is insufficient or incorrect [lack of adequate controls at data
V7 entry]
V7 entry]
V7 entry]
V7 entry]
V7 entry]
V8 Dependency on power systems
Lack of or inadequate logical access (identification, authentication and
V9 authorisation) and physical access controls
Flawed/insufficient design and/or capacity of devices and systems
V10
V10
V10
V10
V10
V10
V11 Lack of adequate controls in biometrics' enrolment stage

Lack of adequate controls in biometrics' enrolment stage
V11

V12 Lack of harmonisation and interoperability of procedures
Lack of harmonisation and interoperability of procedures
V12
V13 Lack of or inappropriate protection of RFID tags

Lack of sufficiently skilled and/or trained personnel [airport, airline]
V14
V14
V14
V14
V14
V14
V14
V14
V14
V14
V14
V14
V14
V14
V14
V15 Insufficient equipment

V15 Insufficient equipment
Inappropriate expansion of the trust perimeter
V16
V16 Inappropriate expansion of the trust perimeter

V16 Inappropriate expansion of the trust perimeter
V17 Lack of dependable sensors, GPS
V17 Lack of dependable sensors, GPS
Lack of respect to the data minimisation and proportionality principles
V18
V18
V18
V18
V18
V18
V18
V18
V19 Lack of respect to the purpose limitation (finality principle)

Lack of respect to the purpose limitation (finality principle)
V19

V19

V19

Lack of respect to the purpose restriction principle (purpose limitation
V19 principle)
Lack of respect to the purpose restriction principle (purpose limitation
V19 principle)
Lack of respect to the transparency principle
V20
V20 Lack of respect to the transparency principle

Lack of respect to the transparency principle
V20

V21 Inappropriate / inadequate identity management
Inappropriate / inadequate identity management
V21

V22 Inadequacy of RF traffic regulations
Inadequacy of RF traffic regulations
V22
Over dependency on biometrics
V23
V23 Over dependency on biometrics

V24 0
V24 0
V24 0
0
V24
V24 0
V24 0
V24 0
0
V24
V24 0
Inherent features (size, material etc.): easy to lose, to be stolen and/or copied
V25 (especially for RFID tags)
V26 Actual RFID range longer than standard
V27 RFID tags do not have a turn-off option
V27 RFID tags do not have a turn-off option
Insufficient protection against reverse engineering
V28
V28 Insufficient protection against reverse engineering
Inadequate security measures of data storage (e.g. inadequate encryption
V29 measures)
V29 measures)
V29 measures)
V30 Over-sensitivity of devices (generating many false alarms)
V31 Sensitivity to magnetic fields
Sensitivity to magnetic fields
V31

V32 Devices & equipment used in unprotected environments
High error rates of biometric identification (esp. face-based recognition)
V33
V33
V33
V33
Communication of data over unprotected or publicly accessible channels
V34
V34
V34
V34
V34
V34
V34
V34
Data linkability
V35
V35 Data linkability

Data linkability
V35
V35 Data linkability

Data linkability
V35
Lack of data correction mechanisms (as normally data subjects do not have
V36 access to the databases)
V37 Failure of biometrics sensors
Failure of biometrics sensors
V37

V38 Lack of common or harmonised legislation in EU Member States
Lack of common or harmonised legislation in EU Member States
V38


Insufficient protection of wireless networks and communication (weak or no
V39 encryption etc.)
V40 Lack of respect to the legitimacy of data processing, e.g. consent
Lack of respect to the legitimacy of data processing, e.g. consent
V40

V41 Lack of respect to the data conservation principle

Lack of respect to the data conservation principle
V41

Lack of respect to the rights of the data subject (such as the right for
V42 rectification, blocking or deletion of data).
Vulnerabilities and Threats
Threats Threat value
T6. Social engineering attack 4

T8. Unauthorised access to / deletion / modification of devices / data etc.
4
T11. Procedures / instructions not followed 3
T12. Non-compliance with data protection legislation 4
T13. Function creep (data used for other purposes than the ones for which they
were originally collected) 4
T14. Unauthorized check-in and boarding / identity theft 4
T27. Trade union/labour strikes 3
T1. Denial of service attack / Flood / Buffer overflow
3
T2. Spoofing of credentials / bypass authentication
5
T5. Man-in-the-middle attack
3
T22. Malfunctioning/breakdown of systems /devices / equipment
4
T24. Worms, viruses & malicious code
3
T25. Malicious attack on power systems
3
T28. Adverse weather condition or other disaster
4
T1. Denial of service attack / Flood / Buffer overflow 3
T7. Theft [of cards, devices etc] 4
T9. Loss or misuse [of cards, devices etc] 3
T22. Malfunctioning/breakdown of systems /devices / equipment 4
T23. E-visa not accepted at check in 3
T25. Malicious attack on power systems 3
T28. Adverse weather condition or other disaster 4
5
T6. Social engineering attack
4
T7. Theft [of cards, devices etc]
4
4
T9. Loss or misuse [of cards, devices etc]
3
T10. Use erroneous and/or unreliable data
4
T11. Procedures / instructions not followed
3
T12. Non-compliance with data protection legislation
4
T14. Unauthorized check-in and boarding / identity theft
4
T16. Unauthorised access to other restricted areas (apart from boarding e.g.
Control room, personnel's' offices) 3
4
T30. Low acceptance of devices / equipment / procedures
4
4
T10. Use erroneous and/or unreliable data 4
T30. Low acceptance of devices / equipment / procedures 4
3
4
3
4
4
4
4
3
4
T23. E-visa not accepted at check in
3
T25. Malicious attack on power systems 3
5
T3. Large-scale and/or inappropriate data mining and/or surveillance
4
3
4
4
4
3
4
4
T15. Cloning of credentials and tags (RFID related)
3
T17. Side channel attack
2
T18. Blocking
2
T19. Jamming
2
T20. Fake / rogue RFID readers / scanning of RFID reader and /or tag
3
T21. Physical RFID tag destruction
4
3
T29. Ad hoc network routing attack
2
3
3
4
4
T25. Malicious attack on power systems
3
T28. Adverse weather condition or other disaster
4
T2. Spoofing of credentials / bypass authentication 5
4
T4. Traffic analysis / scan / probe 3
T5. Man-in-the-middle attack 3
T15. Cloning of credentials and tags (RFID related) 3
T17. Side channel attack 2
T18. Blocking 2
T19. Jamming 2
T20. Fake / rogue RFID readers / scanning of RFID reader and /or tag 3
T21. Physical RFID tag destruction 4
5
4
3
4
4
3
4
4
3
4
4
4
3
T27. Trade union/labour strikes
3
4
4
4
T26. State surveillance on citizens
5
4
T31. Data linkability
4
T32. Profiling
4
T33. Exclusion of the data subject from the data processing process
4
4
4
T26. State surveillance on citizens 5
T32. Profiling
4
4
4
T31. Data linkability 4
T32. Profiling 4
T33. Exclusion of the data subject from the data processing process 4
4
T34. Trivialisation of unique identifiers 4
T18. Blocking 2
4
4
T21. Physical RFID tag destruction 4
4
3
3
4
3
3
4
4
T24. Worms, viruses & malicious code 3
4
4
3
4
3
T4. Traffic analysis / scan / probe
3
4
4
4
T19. Jamming
2
3
3
4
4
4
4
3
4
4
T32. Profiling 4
T34. Trivialisation of unique identifiers 4
3
T4. Traffic analysis / scan / probe
3
4
4
4
T19. Jamming
2
3
3
T29. Ad hoc network routing attack
2
5
T31. Data linkability 4
T32. Profiling 4
T32. Profiling 4
4
T31. Data linkability
4
T32. Profiling
4
4
T34. Trivialisation of unique identifiers
4
Identification & Assessment of R
(Asset-Threat-Vulnerability)
Asset
Asset ID Asset Description Value Vulnerability Description
A1 Automated reservation, check-in and V1. Inappropriate design of procedures - includes: lack of
boarding procedure accountability, high complexity of procedures, assigning extensive
4 responsibilities to end-users (in critical parts of the procedures)
etc.
etc.
etc.
etc.
etc.
etc.
etc.
A1 Automated reservation, check-in and V10. Flawed/insufficient design and/or capacity of devices and
boarding procedure 4 systems
A1 Automated reservation, check-in and
4
V10. Flawed/insufficient design and/or capacity of devices and
boarding procedure systems
4
4
4
4
4
boarding procedure
4
boarding procedure
4
boarding procedure
4
boarding procedure
4
boarding procedure
A1 Automated reservation, check-in and V12. Lack of harmonisation and interoperability of procedures
boarding procedure 4
4
boarding procedure
4
boarding procedure
4
boarding procedure
4
boarding procedure
A1 Automated reservation, check-in and V12. Lack of harmonisation and interoperability of procedures
boarding procedure
4

4
V14. Lack of sufficiently skilled and/or trained personnel [airport,
boarding procedure ariline]
A1 Automated reservation, check-in and V14. Lack of sufficiently skilled and/or trained personnel [airport,
boarding procedure 4 ariline]

4
4
boarding procedure 4 ariline]

4
4
4
4
4
4
4

4
4
4
4
boarding procedure
4
boarding procedure
A1 Automated reservation, check-in and V16. Inappropriate expansion of the trust perimeter

4
boarding procedure
4
boarding procedure
A1 Automated reservation, check-in and V18. Lack of respect to the data minimisation and proportionality
boarding procedure 4 principles
4
V18. Lack of respect to the data minimisation and proportionality
boarding procedure principles
4

4
boarding procedure 4 principles
4
V19. Lack of respect to the purpose restriction principle (purpose
boarding procedure limitation principle)
A1 Automated reservation, check-in and V19. Lack of respect to the purpose restriction principle (purpose
boarding procedure 4 limitation principle)

4
boarding procedure 4 limitation principle)

4
4

4
A1 Automated reservation, check-in and V2. Excessive dependency on IT systems, network and external
boarding procedure 4 infrastructure
4
V2. Excessive dependency on IT systems, network and external
boarding procedure infrastructure
4
4
4
A1 Automated reservation, check-in and V2. Excessive dependency on IT systems, network and external
boarding procedure 4 infrastructure
4
A1 Automated reservation, check-in and V20. Lack of respect to the transparency principle

4
boarding procedure
4
boarding procedure
boarding procedure
4

4
boarding procedure

4
boarding procedure
4
boarding procedure
4
boarding procedure
A1 Automated reservation, check-in and V21. Inappropriate / inadequate identity management

4
boarding procedure
A1 Automated reservation, check-in and V28. Inadequate security measures of data storage (e.g.
boarding procedure 4 inadequate encryption measures)

4
V28. Inadequate security measures of data storage (e.g.
boarding procedure inadequate encryption measures)
4
boarding procedure
4
boarding procedure
4
boarding procedure
4
boarding procedure
4
boarding procedure
A1 Automated reservation, check-in and V3. Lack of back-up / failover procedures

4
boarding procedure
4
boarding procedure
4
V36. Lack of data correction mechanisms (as normally data
boarding procedure subjects do not have access to the databases)
4
A1 Automated reservation, check-in and V36. Lack of data correction mechanisms (as normally data
boarding procedure 4 subjects do not have access to the databases)
4
4
boarding procedure
A1 Automated reservation, check-in and V37. Failure of biometrics sensors

4
boarding procedure
4
boarding procedure
4
V38. Lack of common or harmonised legislation in EU Member
boarding procedure States
4
4
A1 Automated reservation, check-in and V38. Lack of common or harmonised legislation in EU Member
4

4
4
V4. Lack of or low user awareness and/or training in procedures,
boarding procedure use of devices, security aspects etc
4
4
A1 Automated reservation, check-in and V4. Lack of or low user awareness and/or training in procedures,
boarding procedure 4 use of devices, security aspects etc

4
4
4
4
4

4
4

4
boarding procedure 4 use of devices, security aspects etc
4
V39. Insufficient protection of wireless networks and
boarding procedure communication (weak or no encryption etc.)
4
A1 Automated reservation, check-in and V39. Insufficient protection of wireless networks and
boarding procedure 4 communication (weak or no encryption etc.)

4
4

4
4
4
A1 Automated reservation, check-in and V5. Lack of usability / unfriendly user interface(s) of device(s)

4
boarding procedure
4
boarding procedure
4
boarding procedure
4
boarding procedure
4
boarding procedure
4
V6. Lack of interoperability between devices and/or technologies
boarding procedure and/or systems
4
4
4
4
4
V7. Collected data is insufficient or incorrect [lack of adequate
boarding procedure controls at data entry]
4
A1 Automated reservation, check-in and V7. Collected data is insufficient or incorrect [lack of adequate
boarding procedure 4 controls at data entry]
4
4
4
boarding procedure
4
boarding procedure
A1 Automated reservation, check-in and V8. Dependency on power systems

4
V9. Lack of or inadequate identification, authentication and
boarding procedure authorisation controls
A1 Automated reservation, check-in and V9. Lack of or inadequate identification, authentication and
boarding procedure 4 authorisation controls

4
4
4

4
4
4
4
4
4

4
4
4
4
boarding procedure
4
boarding procedure
4
4
boarding procedure
A1 Automated reservation, check-in and V42. Lack of respect to the rights of the data subject (such as the
boarding procedure 4 right for rectification, blocking or deletion of data).
A10 Credit Cards/Debit card/Payment cards/'e-

4
wallet'
4
wallet'
A10 Credit Cards/Debit card/Payment cards/'e- V21. Inappropriate / inadequate identity management
wallet' 4

4
wallet'
4
wallet'
4
wallet'
4
wallet'
wallet' 4
wallet' 4

4
wallet'
4
wallet'
4
wallet'
4
wallet'
4
wallet'
4
wallet'
4
wallet'
4
wallet'
4
wallet'
wallet' 4

4
wallet'
wallet' 4
A10 Credit Cards/Debit card/Payment cards/'e- V24. Inherent features (size, material etc.): easy to lose, to be
wallet' 4 stolen and/or copied (expecially for RFID tags)
wallet' stolen and/or copied (expecially for RFID tags)
4

4
wallet' and/or systems
4
A10 Credit Cards/Debit card/Payment cards/'e- V6. Lack of interoperability between devices and/or technologies
wallet' 4 and/or systems
4
4
4
wallet'
A10 Credit Cards/Debit card/Payment cards/'e- V31. Devices & equipment used in unprotected environments
wallet' 4

4
wallet'
4
wallet'
4
wallet'
wallet' 4

4
wallet'
4
wallet'
4
wallet'
4
wallet'
4
wallet'
4
wallet'
4
wallet'
wallet' 4

4
wallet'
4
wallet'
4
wallet'
wallet' 4

4
wallet'
A10 Credit Cards/Debit card/Payment cards/'e- V13. Lack of or inappropriate protection of RFID tags
wallet' 4

4
wallet'
4
wallet'
4
wallet'
4
wallet'
wallet' 4

4
wallet'
4
wallet'
wallet' 4

4
wallet'
4
wallet'
4
wallet'
4
wallet'
4
wallet'
4
wallet'
4
wallet'
4
wallet'
A10 Credit Cards/Debit card/Payment cards/'e- V12. Lack of harmonisation and interoperability of procedures
wallet' 4

4
wallet'
4
wallet'
4
wallet'
A10 Credit Cards/Debit card/Payment cards/'e- V12. Lack of harmonisation and interoperability of procedures
wallet'
4
A10 Credit Cards/Debit card/Payment cards/'e- V18. Lack of respect to the data minimisation and proportionality
wallet' 4 principles
4
wallet'
4
wallet'
4
wallet'
wallet' 4

4
wallet'
4
wallet'
A10 Credit Cards/Debit card/Payment cards/'e- V22. Collision of tag traffic / Radio-frequency interference
wallet'
4

4
wallet' States
4
wallet' States
4
wallet' States
A10 Credit Cards/Debit card/Payment cards/'e- V38. Lack of common or harmonised legislation in EU Member
wallet' States
4

4
wallet' States
A10 Credit Cards/Debit card/Payment cards/'e- V39. Insufficient protection of wireless networks and
wallet' 4 communication (weak or no encryption etc.)
4
wallet' communication (weak or no encryption etc.)

4
4
4
4
4
3
A11 Other RFID cards V4. Lack of or low user awareness and/or training in procedures,
use of devices, security aspects etc
3

3
A11 Other RFID cards V24. Inherent features (size, material etc.): easy to lose, to be
3 stolen and/or copied (expecially for RFID tags)
stolen and/or copied (expecially for RFID tags)
3

3
and/or systems
3
and/or systems
3
and/or systems
3
and/or systems
3
and/or systems
A11 Other RFID cards V9. Lack of or inadequate identification, authentication and
3 authorisation controls
3
authorisation controls
A11 Other RFID cards V25. Actual RFID range longer than standard
3

3
A11 Other RFID cards V25. Actual RFID range longer than standard
3
A11 Other RFID cards V26. RFID tags do not have a turn-off option
3
3
A11 Other RFID cards V27. Insufficient protection against reverse engineering
3
A11 Other RFID cards V28. Inadequate security measures of data storage (e.g.
3 inadequate encryption measures)

3
inadequate encryption measures)
3

3

3

3
A11 Other RFID cards V31. Devices & equipment used in unprotected environments
3

3

3
3
3

3

3

3

3
A11 Other RFID cards V12. Lack of harmonisation and interoperability of procedures
3
A11 Other RFID cards V12. Lack of harmonisation and interoperability of procedures
A11 Other RFID cards V38. Lack of common or harmonised legislation in EU Member
3 States

3
States
States
3

3
States
3
States
3
States
3
States
States
3

3
States
3
communication (weak or no encryption etc.)
A11 Other RFID cards V39. Insufficient protection of wireless networks and
3 communication (weak or no encryption etc.)

3
3
3

3
3
3
A12 Scanners & detectors V1. Inappropriate design of procedures - includes: lack of
accountability, high complexity of procedures, assigning extensive
etc.
etc.
etc.
etc.
etc.
etc.
etc.
A12 Scanners & detectors V11. Lack of adequate controls in biometrics' enrollment stage
3

3
V11. Lack of adequate controls in biometrics' enrollment stage
3

3

3

3

3

3

3

3
A12 Scanners & detectors V37. Failure of biometrics sensors

3
A12 Scanners & detectors V37. Failure of biometrics sensors

3

3

3
A12 Scanners & detectors V32. Used by a great number of people every day [health issues
3 (e.g. infectious diseases spread by fingerprint scanners)]
A12 Scanners & detectors V33. High error rates of biometric identification (esp. face-based
3 recognition)

3
V33. High error rates of biometric identification (esp. face-based
recognition)
3
recognition)
A12 Scanners & detectors V33. High error rates of biometric identification (esp. face-based
3 recognition)
3
V29. Over-sensitivity of devices (give many false alarms)

3

3
A12 Scanners & detectors V29. Over-sensitivity of devices (give many false alarms)
3

3

3

3

3
A12 Scanners & detectors V29. Over-sensitivity of devices (give many false alarms)

3
A12 Scanners & detectors V39. Insufficient protection of wireless networks and
3

3
3
3
3

3
3
3
A12 Scanners & detectors V22. Collision of tag traffic / Radio-frequency interference

3
States
3
States
3
States
A12 Scanners & detectors V38. Lack of common or harmonised legislation in EU Member
States
3

3
States
3
principles
3
principles
3
principles
A13 Networks V1. Inappropriate design of procedures - includes: lack of
etc.

etc.
etc.

etc.

etc.

etc.

etc.
A13 Networks V2. Excessive dependency on IT systems, network and external

4 infrastructure
A13 Networks
4
A13 Networks
4
A13 Networks
4
A13 Networks
4
A13 Networks
4
A13 Networks
4
A13 Networks
4
A13 Networks
4
A13 Networks V4. Lack of or low user awareness and/or training in procedures,
4
A13 Networks
4
A13 Networks V5. Lack of usability / unfriendly user interface(s) of device(s)
4
A13 Networks V5. Lack of usability / unfriendly user interface(s) of device(s)

4
A13 Networks
4
A13 Networks
4
A13 Networks
4
A13 Networks
4
A13 Networks
4
and/or systems
A13 Networks
4
and/or systems
A13 Networks
4
and/or systems
A13 Networks
4
and/or systems
A13 Networks
4
and/or systems
A13 Networks
4
A13 Networks
4
A13 Networks
4
A13 Networks
4
A13 Networks V21. Inappropriate / inadequate identity management

4
A13 Networks
4

4
A13 Networks
4

4
A13 Networks
4
A13 Networks
4
A13 Networks
4

4
A13 Networks
4
A13 Networks
4
A13 Networks
4

4
A13 Networks
4
A13 Networks
4
A13 Networks
4
A13 Networks
4
A13 Networks
4

4
A13 Networks
4
A13 Networks
4
A13 Networks
4
A13 Networks V39. Insufficient protection of wireless networks and
A13 Networks
4
A13 Networks
4
A13 Networks
4
A13 Networks V39. Insufficient protection of wireless networks and
A13 Networks
4
A13 Networks
4
A13 Networks
4
A14 State databases V1. Inappropriate design of procedures - includes: lack of
etc.

etc.

etc.

etc.

etc.

etc.

etc.
A14 State databases

4
A14 State databases
4
A14 State databases
4
A14 State databases V9. Lack of or inadequate identification, authentication and
A14 State databases
4
A14 State databases
4
A14 State databases
4
A14 State databases
4
systems
A14 State databases
4
systems
A14 State databases
4
systems
A14 State databases
4
systems
A14 State databases
4
systems
A14 State databases
4
systems
A14 State databases
4
principles
A14 State databases V19. Lack of respect to the purpose restriction principle (purpose
4 limitation principle)
A14 State databases

4
limitation principle)
A14 State databases

4
4
A14 State databases

4
A14 State databases V20. Lack of respect to the transparency principle
4
A14 State databases

4

4
A14 State databases

4
A14 State databases

4

4
A14 State databases

4
A14 State databases V35. High data linkability
4
A14 State databases

4
V35. High data linkability
A14 State databases

4

4
A14 State databases

4
subjects do not have access to the databases)
A14 State databases V36. Lack of data correction mechanisms (as normally data
4 subjects do not have access to the databases)
A14 State databases
4
A14 State databases
4
A14 State databases
4
States
A14 State databases
4
States
A14 State databases
4
States
A14 State databases V38. Lack of common or harmonised legislation in EU Member
States
4
A14 State databases

4
States
A15 Commercial and other databases V1. Inappropriate design of procedures - includes: lack of
etc.
etc.
etc.
etc.
etc.
etc.
etc.
A15 Commercial and other databases V2. Excessive dependency on IT systems, network and external
4 infrastructure
4
4

4

4

4

4

4

4

4
systems
A15 Commercial and other databases V10. Flawed/insufficient design and/or capacity of devices and
4 systems
4
systems
4 systems

4
systems
4
systems
4
systems
4 systems
systems
4

4
systems
A15 Commercial and other databases V18. Lack of respect to the data minimisation and proportionality
principles
4

4
principles
4
principles
4
principles
4
principles
4
A15 Commercial and other databases V19. Lack of respect to the purpose restriction principle (purpose

4

4
4

4
A15 Commercial and other databases V20. Lack of respect to the transparency principle
4

4
4

4

4
A15 Commercial and other databases V28. Inadequate security measures of data storage (e.g.

4
A15 Commercial and other databases V35. High data linkability
4

4

4

4

4
4
4
4
A15 Commercial and other databases V38. Lack of common or harmonised legislation in EU Member
4 States
4
States
4
States
A15 Commercial and other databases V38. Lack of common or harmonised legislation in EU Member
States
4

4
States
A16 Temporary handset airport guides V4. Lack of or low user awareness and/or training in procedures,
2

2
A16 Temporary handset airport guides V5. Lack of usability / unfriendly user interface(s) of device(s)
2

2
A16 Temporary handset airport guides V5. Lack of usability / unfriendly user interface(s) of device(s)
2

2

2

2

2
and/or systems
2
and/or systems
2
and/or systems
2
and/or systems
2
and/or systems
3

3
A17 Luggage and goods V13. Lack of or inappropriate protection of RFID tags
3

3

3

3

3
3
3

3

3

3

3

3

3
3

3
3

3

3
A18 Check-in infrastructure V1. Inappropriate design of procedures - includes: lack of

etc.

etc.

etc.

etc.

etc.

etc.

etc.

etc.

etc.

etc.

etc.

etc.
etc.

etc.

etc.

etc.

etc.
A18 Check-in infrastructure V2. Excessive dependency on IT systems, network and external
3 infrastructure
3
infrastructure
3
infrastructure
3
infrastructure
3
infrastructure
3
infrastructure
3
infrastructure
3

3

3

3
A18 Check-in infrastructure V3. Lack of back-up / failover procedures

3

3

3

3

3
A18 Check-in infrastructure V12. Lack of harmonisation and interoperability of procedures

3

3

3

3
3

3

3

3

3

3

3

3

3

3
ariline]
A18 Check-in infrastructure V23. Over dependency on biometrics
3

3
V23. Over dependency on biometrics

3
A18 Check-in infrastructure V23. Over dependency on biometrics

3

3
A18 Check-in infrastructure V33. High error rates of biometric identification (esp. face-based
3 recognition)

3
recognition)
3
recognition)
3
recognition)
A18 Check-in infrastructure V37. Failure of biometrics sensors
3
A18 Check-in infrastructure V37. Failure of biometrics sensors

3

3

3
3
and/or systems
3
and/or systems
3
and/or systems
3
and/or systems
3
and/or systems
3
controls at data entry]
3
3
A18 Check-in infrastructure V7. Collected data is insufficient or incorrect [lack of adequate
3 controls at data entry]
3
3

3

3
A18 Check-in infrastructure V9. Lack of or inadequate identification, authentication and

3
3
3
3
3
3
3

3

3
3
3
3
3
3
3
3
infrastructure
3
infrastructure
3
infrastructure
3
infrastructure
3
infrastructure
3
infrastructure
3
infrastructure
A19 Airport facilities V4. Lack of or low user awareness and/or training in procedures,
3 use of devices, security aspects etc
A19 Airport facilities V4. Lack of or low user awareness and/or training in procedures,
3
A19 Airport facilities V5. Lack of usability / unfriendly user interface(s) of device(s)
3

3

3

3
A19 Airport facilities V5. Lack of usability / unfriendly user interface(s) of device(s)
3

3
and/or systems
3
and/or systems
A19 Airport facilities V6. Lack of interoperability between devices and/or technologies
and/or systems
3

3
and/or systems
3
and/or systems
A19 Airport facilities V8. Dependency on power systems
3
A19 Airport facilities V8. Dependency on power systems

3

3

3
ariline]
A19 Airport facilities V14. Lack of sufficiently skilled and/or trained personnel [airport,
3 ariline]

3
ariline]
3
ariline]
ariline]
3

3
ariline]
3 ariline]
3
ariline]
3
ariline]
3
ariline]
3
ariline]
3
ariline]
3
ariline]
3
ariline]
3
ariline]
3

3
A19 Airport facilities V16. Inappropriate expansion of the trust perimeter

3

3

3
A19 Airport facilities V20. Lack of respect to the transparency principle

3

3

3
A19 Airport facilities V20. Lack of respect to the transparency principle

3
A19 Airport facilities V32. Used by a great number of people every day [health issues
(e.g. infectious diseases spread by fingerprint scanners)]
3

4

4
A2 Electronic visa issuing process 4 V8. Dependency on power systems

A2 Electronic visa issuing process V1. Inappropriate design of procedures - includes: lack of
etc.
etc.
etc.
etc.
etc.
etc.

4

4

4

4

4
A2 Electronic visa issuing process V12. Lack of harmonisation and interoperability of procedures
4

4

4

4

4
A2 Electronic visa issuing process V12. Lack of harmonisation and interoperability of procedures
A2 Electronic visa issuing process V14. Lack of sufficiently skilled and/or trained personnel [airport,
4 ariline]
4 ariline]

4
ariline]
4
ariline]
4 ariline]
4
ariline]
4
ariline]
4
ariline]
4
ariline]
4
ariline]
4
ariline]
ariline]
4

4
ariline]
4
ariline]
4
ariline]
4
A2 Electronic visa issuing process 4 V3. Lack of back-up / failover procedures

4
A2 Electronic visa issuing process V3. Lack of back-up / failover procedures

4

4

4
4
4
4
4
A2 Electronic visa issuing process V5. Lack of usability / unfriendly user interface(s) of device(s)
4

4

4

4

4

4
A2 Electronic visa issuing process V23. Over dependency on biometrics
4

4

4

4

4

4
and/or systems
4
and/or systems
4
and/or systems
4
and/or systems
A2 Electronic visa issuing process V6. Lack of interoperability between devices and/or technologies
4 and/or systems
4
States
A2 Electronic visa issuing process V38. Lack of common or harmonised legislation in EU Member
4 States

4
States
4
States
4
States
4 States
4 States
4
States
4
States
4
States
4
States
4
States
4
States
4 States

4
States
4
States
4
States
4
States
4
States
4
States
States
4
4 States
A2 Electronic visa issuing process V15. Insufficient equipment
4

4
A2 Electronic visa issuing process V15. Insufficient equipment

4

4

4
A2 Electronic visa issuing process V20. Lack of respect to the transparency principle
4
4

4

4

4

4
A2 Electronic visa issuing process V21. Inappropriate / inadequate identity management

4

4
States
4
V40. Lack of respect to the legitimacy of data processing, e.g.
consent
A2 Electronic visa issuing process V41. Lack of respect to the data conservation principle
A2 Electronic visa issuing process V42. Lack of respect to the rights of the data subject (such as the
right for rectification, blocking or deletion of data).
4
A20 Cars / vehicles

4
infrastructure
A20 Cars / vehicles V2. Excessive dependency on IT systems, network and external
4 infrastructure
A20 Cars / vehicles
4
infrastructure
A20 Cars / vehicles
4
infrastructure
A20 Cars / vehicles
4
infrastructure
A20 Cars / vehicles
4
infrastructure
A20 Cars / vehicles
4
infrastructure
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles V4. Lack of or low user awareness and/or training in procedures,
A20 Cars / vehicles

4
A20 Cars / vehicles
4
A20 Cars / vehicles

4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles V6. Lack of interoperability between devices and/or technologies
4 and/or systems
A20 Cars / vehicles
4
and/or systems
A20 Cars / vehicles
4
and/or systems
A20 Cars / vehicles
4
and/or systems
A20 Cars / vehicles V6. Lack of interoperability between devices and/or technologies
4 and/or systems
A20 Cars / vehicles

4
A20 Cars / vehicles

4
A20 Cars / vehicles

4
A20 Cars / vehicles

4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles V9. Lack of or inadequate identification, authentication and
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
4
A20 Cars / vehicles

4
systems
A20 Cars / vehicles
4
systems
A20 Cars / vehicles V10. Flawed/insufficient design and/or capacity of devices and
4 systems
A20 Cars / vehicles

4
systems
A20 Cars / vehicles V10. Flawed/insufficient design and/or capacity of devices and
systems
4
A20 Cars / vehicles

4
systems
A20 Cars / vehicles
4
A20 Cars / vehicles

4
A20 Cars / vehicles V12. Lack of harmonisation and interoperability of procedures

4
A20 Cars / vehicles

4

4
A20 Cars / vehicles

4
A20 Cars / vehicles

4
4
A20 Cars / vehicles

4
A20 Cars / vehicles

4
A20 Cars / vehicles V17. Lack of dependable sensors, GPS
A20 Cars / vehicles V17. Lack of dependable sensors, GPS

4
A20 Cars / vehicles

4
principles
A20 Cars / vehicles V18. Lack of respect to the data minimisation and proportionality
4 principles
A20 Cars / vehicles

4
principles
A20 Cars / vehicles
4
principles
A20 Cars / vehicles
4
principles
A20 Cars / vehicles
4
A20 Cars / vehicles V19. Lack of respect to the purpose restriction principle (purpose
4
A20 Cars / vehicles

4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles V19. Lack of respect to the purpose restriction principle (purpose
A20 Cars / vehicles

4
A20 Cars / vehicles V20. Lack of respect to the transparency principle
4
A20 Cars / vehicles

4
A20 Cars / vehicles V20. Lack of respect to the transparency principle

4
A20 Cars / vehicles

4
A20 Cars / vehicles

4
A20 Cars / vehicles

4
A20 Cars / vehicles

4
A20 Cars / vehicles V28. Inadequate security measures of data storage (e.g.
A20 Cars / vehicles

4
States
A20 Cars / vehicles
4
States
A20 Cars / vehicles
4
States
A20 Cars / vehicles V38. Lack of common or harmonised legislation in EU Member
4 States
A20 Cars / vehicles

4
States
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
A20 Cars / vehicles V39. Insufficient protection of wireless networks and
A20 Cars / vehicles V39. Insufficient protection of wireless networks and
A20 Cars / vehicles

4
A20 Cars / vehicles
4
A20 Cars / vehicles
4
3
A3 Luggage and goods handling V13. Lack of or inappropriate protection of RFID tags
3

3

3

3

3

3

3
3

3

3

3

3
3

3
3

3

3
3

3

3
A3 Luggage and goods handling V25. Actual RFID range longer than standard
3

3
A3 Luggage and goods handling V25. Actual RFID range longer than standard
3

3

3
A3 Luggage and goods handling V12. Lack of harmonisation and interoperability of procedures
3

3

3

3

3
3

3

3

3

3

3

3
A3 Luggage and goods handling V5. Lack of usability / unfriendly user interface(s) of device(s)
3

3

3
3

3

3

3

3
A3 Luggage and goods handling V24. Inherent features (size, material etc.): easy to lose, to be
3

3
and/or systems
3
and/or systems
3
and/or systems
3
and/or systems
3
and/or systems
4
V17. Lack of dependable sensors, GPS

4
V17. Lack of dependable sensors, GPS

4
A4 Automated traffic management V39. Insufficient protection of wireless networks and

4
4
4

4
4
4
4
A4 Automated traffic management V40. Lack of respect to the legitimacy of data processing, e.g.
consent
4

4
A4 Automated traffic management V42. Lack of respect to the rights of the data subject (such as the
4 right for rectification, blocking or deletion of data).

4
A5 Passports and National ID cards V11. Lack of adequate controls in biometrics' enrollment stage
4

4

4
4

4

4

4
4

4

4

4

4

4

4
4

4
4
4
A5 Passports and National ID cards V4. Lack of or low user awareness and/or training in procedures,

4
4
4
4
A5 Passports and National ID cards V4. Lack of or low user awareness and/or training in procedures,
4

4
A5 Passports and National ID cards V24. Inherent features (size, material etc.): easy to lose, to be
4
4

4
and/or systems
4
and/or systems
4
and/or systems
4
and/or systems
4
and/or systems
4
4
A5 Passports and National ID cards V25. Actual RFID range longer than standard
4

4
A5 Passports and National ID cards V25. Actual RFID range longer than standard
4
A5 Passports and National ID cards V26. RFID tags do not have a turn-off option
4

4
A5 Passports and National ID cards V27. Insufficient protection against reverse engineering
4
A5 Passports and National ID cards V28. Inadequate security measures of data storage (e.g.

4
4
A5 Passports and National ID cards V12. Lack of harmonisation and interoperability of procedures
4

4

4

4

4
4

4
4

4

4

4

4

4

4
4

4

4
4

4

4

4

4

4
principles
4

4

4
A5 Passports and National ID cards V21. Inappropriate / inadequate identity management

4

4

4
A5 Passports and National ID cards V22. Collision of tag traffic / Radio-frequency interference

4

4

4

4
A5 Passports and National ID cards V31. Devices & equipment used in unprotected environments
4

4

4
A5 Passports and National ID cards V31. Devices & equipment used in unprotected environments
4

4
4
States
4
States
4
States
A5 Passports and National ID cards V38. Lack of common or harmonised legislation in EU Member
States
4

4
States
4

4
A6 Mobile ‘smart’ devices V23. Over dependency on biometrics

4

4

4

4

4

4
A6 Mobile ‘smart’ devices V11. Lack of adequate controls in biometrics' enrollment stage
4

4

4
A6 Mobile ‘smart’ devices V11. Lack of adequate controls in biometrics' enrollment stage
4

4
A6 Mobile ‘smart’ devices V24. Inherent features (size, material etc.): easy to lose, to be
4
4

4
and/or systems
4
and/or systems
4
and/or systems
4
and/or systems
4
and/or systems
4
A6 Mobile ‘smart’ devices V13. Lack of or inappropriate protection of RFID tags

4

4

4

4

4

4

4

4

4

4

4

4

4

4

4

4
4

4

4

4

4

4

4

4

4
A6 Mobile ‘smart’ devices V12. Lack of harmonisation and interoperability of procedures

4

4

4

4

4
A6 Mobile ‘smart’ devices V12. Lack of harmonisation and interoperability of procedures
A6 Mobile ‘smart’ devices V21. Inappropriate / inadequate identity management

4

4

4

4

4

4

4

4

4
A6 Mobile ‘smart’ devices V22. Collision of tag traffic / Radio-frequency interference
4
4

4

4

4
A6 Mobile ‘smart’ devices V31. Devices & equipment used in unprotected environments
4

4

4
A6 Mobile ‘smart’ devices V31. Devices & equipment used in unprotected environments
4

4

4
States
A6 Mobile ‘smart’ devices V38. Lack of common or harmonised legislation in EU Member
4 States
4
States
A6 Mobile ‘smart’ devices V38. Lack of common or harmonised legislation in EU Member
States
4

4
States
4
systems
4
systems
A6 Mobile ‘smart’ devices V10. Flawed/insufficient design and/or capacity of devices and
4 systems
4
systems
4
systems
4
systems
4
A6 Mobile ‘smart’ devices V39. Insufficient protection of wireless networks and

4
4
4
4
4
4
4
V34. Communication of data over unprotected or publicly
accessible channels
4
accessible channels
A6 Mobile ‘smart’ devices V34. Communication of data over unprotected or publicly
4 accessible channels

4
accessible channels
4
accessible channels
4
accessible channels

4
4
4
consent
A6 Mobile ‘smart’ devices V42. Lack of respect to the rights of the data subject (such as the

5
A7 Health monitoring devices V5. Lack of usability / unfriendly user interface(s) of device(s)
5
A7 Health monitoring devices V5. Lack of usability / unfriendly user interface(s) of device(s)
5

5

5

5

5

5
and/or systems
5
and/or systems
5
and/or systems
5
and/or systems
5
and/or systems
A7 Health monitoring devices V24. Inherent features (size, material etc.): easy to lose, to be
5
A7 Health monitoring devices V28. Inadequate security measures of data storage (e.g.

5
5
A7 Health monitoring devices V29. Over-sensitivity of devices (give many false alarms)
5

5

5
V30. Sensitivity to magnetic fields

5

5

5

5
A7 Health monitoring devices V31. Devices & equipment used in unprotected environments
5

5

5
A7 Health monitoring devices V31. Devices & equipment used in unprotected environments
5

5

5
accessible channels
5
accessible channels
A7 Health monitoring devices V34. Communication of data over unprotected or publicly

5
accessible channels
5
accessible channels
5
accessible channels
A7 Health monitoring devices V34. Communication of data over unprotected or publicly

5
accessible channels
5
5
A7 Health monitoring devices V39. Insufficient protection of wireless networks and

5
5

5
5
5
A7 Health monitoring devices V18. Lack of respect to the data minimisation and proportionality
5 principles
5
principles
5
principles
5
5
5
consent
A7 Health monitoring devices V42. Lack of respect to the rights of the data subject (such as the

3
A8 Travel documents (paper) 3 V3. Lack of back-up / failover procedures

3
3

A8 Travel documents (paper) V3. Lack of back-up / failover procedures
3

3

3

3
A8 Travel documents (paper) V12. Lack of harmonisation and interoperability of procedures

3

3

3

3

3

3

3
A8 Travel documents (paper) V24. Inherent features (size, material etc.): easy to lose, to be
3

4
infrastructure
4
A9 RFID & barcode readers 4 V3. Lack of back-up / failover procedures

4

4

A9 RFID & barcode readers V3. Lack of back-up / failover procedures
4
A9 RFID & barcode readers V4. Lack of or low user awareness and/or training in procedures,
4

4
A9 RFID & barcode readers V5. Lack of usability / unfriendly user interface(s) of device(s)
4

4

4

4
A9 RFID & barcode readers V5. Lack of usability / unfriendly user interface(s) of device(s)
4

4

4
and/or systems
4
and/or systems
4
and/or systems
4
and/or systems
4
and/or systems
4
4
systems
4
systems
4
systems
4
systems
4
systems
4
systems
4
4
consent
A9 RFID & barcode readers V42. Lack of respect to the rights of the data subject (such as the
ssment of Risks
lnerability)
Risk Value
A/V Threat (Final)
Value Threats Value A/V/T ID
3 T6. Social engineering attack 4 A1.V1.T6 8
T8. Unauthorised access to / deletion /

3 modification of devices / data etc. 4 A1.V1.T8 8
T11. Procedures / instructions not

3 followed 3 A1.V1.T11 7
T12. Non-compliance with data

3 4 A1.V1.T12 8
protection legislation
T13. Function creep (data used for other

3 purposes that the ones for which they 4 A1.V1.T13 9
T14. Unauthorized check-in and

3 4 A1.V1.T14 9
boarding / identity theft
3 T27. Trade union/labor strikes 3 A1.V1.T27 8
T1. Denial of service attack / Flood /

3 Buffer overflow 3 A1.V10.T1 8

3 T12. Non-compliance with data 4 A1.V10.T12 8

T22. Malfunctioning/breakdown of
3 4 A1.V10.T22 9
systems /devices / equipment
3 T25. Malicious power failure attack 3 A1.V10.T25 8
3 T28. Adverse weather condition or other 4 A1.V10.T28 9

disaster
3 T9. Loss or misuse [of cards, devices etc] 3 A1.V12.T9 7
T10. Use erroneous and/or unreliable

3 data 4 A1.V12.T10 8

3 3 A1.V12.T11 7
followed
3 4 A1.V12.T12 8
T30. Low acceptance of devices /
3 4 A1.V12.T30 8
equipment / procedures

3 4 A1.V12.T10 8
data
3 T11. Procedures / instructions not 3 A1.V12.T11 7

followed

3 equipment / procedures 4 A1.V12.T30 8

4 T2. Spoofing of credentials / bypass 5 A1.V14.T2 10

authentication
T3. Large-scale and/or inappropriate data

4 4 A1.V14.T3 9
mining / surveillance / profiling
4 T5. Man in the middle attack 3 A1.V14.T5 9

4 4 A1.V14.T8 9
modification of devices / data etc.
4 T7. Theft [of cards, devices etc] 4 A1.V14.T7 9

4 4 A1.V14.T10 9
data
4 3 A1.V14.T11 8
followed
4 4 A1.V14.T12 9
4 4 A1.V14.T14 10
T16. Unauthorised access to other

4 restricted areas (apart from boarding e.g. 3 A1.V14.T16 9
control room, personnels' offices)
4 4 A1.V14.T22 10
4 T23. e-visa not accepted at check in 3 A1.V14.T23 9

2 3 A1.V15.T11 6
followed
2 T30. Low acceptance of devices / 4 A1.V15.T30 7



4 4 A1.V16.T14 10
4 T3. Large-scale and/or inappropriate data 4 A1.V18.T3 9

4 4 A1.V18.T12 9

4 T26. State surveillance on citizens 5 A1.V18.T26 10

T2. Spoofing of credentials / bypass

4 authentication 5 A1.V19.T2 10

4 mining / surveillance / profiling 4 A1.V19.T3 9

4 4 A1.V19.T8 9

4 4 A1.V19.T12 9


3 3 A1.V2.T1 8
Buffer overflow
3 5 A1.V2.T2 9
authentication
3 4 A1.V2.T22 9
3 T24. Worms, viruses & malicious code 3 A1.V2.T24 8
T28. Adverse weather condition or other

3 4 A1.V2.T28 9
disaster


followed
3 4 A1.V20.T12 8



3 5 A1.V21.T2 9
authentication

3 T8. Unauthorised access to / deletion / 4 A1.V21.T8 8

3 T14. Unauthorized check-in and 4 A1.V21.T14 9


3 4 A1.V28.T8 8

4 4 A1.V3.T22 10

4 4 A1.V3.T28 10
disaster
3 4 A1.V36.T10 8
data
3 4 A1.V36.T12 8

3 4 A1.V36.T30 8

authentication

3 T10. Use erroneous and/or unreliable 4 A1.V37.T10 8

data


data
4 3 A1.V38.T11 8
followed
4 protection legislation 4 A1.V38.T12 9



authentication



data



4 4 A1.V4.T14 10

4 4 A1.V4.T22 10
4 4 A1.V4.T30 9
2 3 A1.V39.T1 7
Buffer overflow
2 T4. Traffic analysis / scan / probe 3 A1.V39.T4 6

2 4 A1.V39.T8 7

2 4 A1.V39.T10 7
data
2 4 A1.V39.T12 7
2 T19. Jamming 2 A1.V39.T19 5
T20. Fake / rogue RFID readers / scanning

2 of RFID reader and /or tag 3 A1.V39.T20 7
2 T29. MANET/Adhoc network routing 2 A1.V39.T29 5

attack
2 5 A1.V39.T2 8
authentication


data
4 3 A1.V5.T11 8
followed
4 boarding / identity theft 4 A1.V5.T14 10
4 4 A1.V5.T30 9
3 T22. Malfunctioning/breakdown of 4 A1.V6.T22 9



3 4 A1.V6.T30 8

data
3 4 A1.V7.T12 8

4 T1. Denial of service attack / Flood / 3 A1.V8.T1 9

Buffer overflow
4 4 A1.V8.T22 10

3 5 A1.V9.T2 9
authentication



3 4 A1.V9.T10 8
data
3 T15. Cloning of credentials and tags (RFID 3 A1.V9.T15 8

related)
3 T17. Side channel attack 2 A1.V9.T17 7
3 T18. Blocking 2 A1.V9.T18 7
3 T19. Jamming 2 A1.V9.T19 6

3 3 A1.V9.T20 8
of RFID reader and /or tag
3 T21. Physical RFID tag destruction 4 A1.V9.T21 9


attack
3 T31. Data linkability 4 A1.V20.T31 8
T33. Exclusion of the data subject from

3 the data processing process 4 A1.V21.T33 8
4 T32. Profiling 4 A1.V38.T32 9

3 4 A1.V41.T12 8

4 4 A1.V42.T12 9

Buffer overflow
4 5 A10.V21.T2 10
authentication
T15. Cloning of credentials and tags (RFID

4 3 A10.V21.T15 9
related)
4 T18. Blocking 2 A10.V21.T18 8
4 T19. Jamming 2 A10.V21.T19 7


Buffer overflow

authentication

4 3 A10.V21.T15 9
related)
4 T18. Blocking 2 A10.V21.T18 8
4 T19. Jamming 2 A10.V21.T19 7
4 T20. Fake / rogue RFID readers / scanning 3 A10.V21.T20 9

4 4 A10.V21.T22 10
authentication


data

followed



4 4 A10.V24.T14 10
3 4 A10.V6.T22 9


3 5 A10.V31.T2 9
authentication


3 4 A10.V31.T8 8

3 4 A10.V31.T10 8
data
3 4 A10.V31.T14 9
3 3 A10.V31.T15 8
related)
3 T18. Blocking 2 A10.V31.T18 7
3 T19. Jamming 2 A10.V31.T19 6


attack

3 3 A10.V31.T20 8

4 3 A10.V13.T1 9
Buffer overflow
4 5 A10.V13.T2 10
authentication

4 3 A10.V13.T15 9
related)
4 T18. Blocking 2 A10.V13.T18 8
4 T19. Jamming 2 A10.V13.T19 7



3 4 A10.V12.T10 8
data



3 4 A10.V12.T10 8
data
3 4 A10.V12.T12 8






4 4 A10.V21.T14 10
2 T18. Blocking 2 A10.V22.T18 6


3 4 A10.V38.T10 8
data
3 3 A10.V38.T11 7
followed
3 4 A10.V38.T12 8


3 4 A10.V38.T30 8


4 4 A10.V39.T10 9
data

4 T19. Jamming 2 A10.V39.T19 7

T29. MANET/Adhoc network routing

4 2 A10.V39.T29 7
attack

authentication
4 3 A11.V21.T1 8
Buffer overflow


3 4 A11.V4.T14 8

authentication



related)

3 systems /devices / equipment 4 A11.V6.T22 8

3 3 A11.V6.T11 6
followed

3 4 A11.V6.T30 7

2 2 A11.V9.T29 4
attack

4 4 A11.V25.T8 8

4 3 A11.V25.T20 8

3 3 A11.V26.T20 7
3 3 A11.V27.T15 7
related)




3 4 A11.V31.T8 7

data
3 3 A11.V31.T15 7
related)


3 4 A11.V12.T10 7
data
3 3 A11.V12.T11 6
followed
3 4 A11.V12.T12 7





data

followed
3 4 A11.V38.T12 7

3 3 A11.V39.T1 7
Buffer overflow


3 data 4 A11.V39.T10 7

3 T19. Jamming 2 A11.V39.T19 5


attack

2 4 A12.V1.T8 6


2 4 A12.V1.T12 6


2 4 A12.V1.T14 7




4 disaster 4 A12.V11.T28 9

4 4 A12.V11.T12 8

4 4 A12.V11.T30 8


3 data 4 A12.V37.T10 7

3 4 A12.V37.T14 8
4 4 A12.V32.T22 9

4 4 A12.V32.T30 8

3 4 A12.V33.T8 7

3 4 A12.V33.T14 8
3 3 A12.V33.T11 6
followed



data
3 3 A12.V29.T11 6
followed




3 T19. Jamming 2 A12.V39.T19 5

3 3 A12.V39.T20 7

3 2 A12.V39.T29 5
attack
3 5 A12.V39.T2 8
authentication
3 T18. Blocking 2 A12.V22.T18 6


2 4 A12.V38.T10 6
data
2 3 A12.V38.T11 5
followed
2 4 A12.V38.T12 6



4 4 A12.V18.T33 8
the data processing process

3 4 A13.V1.T8 8
followed





3 3 A13.V3.T1 8
Buffer overflow


3 4 A13.V3.T28 9
disaster


4 4 A13.V4.T14 10

4 4 A13.V5.T8 9

4 data 4 A13.V5.T10 9

followed
4 4 A13.V5.T14 10

3 4 A13.V6.T22 9
3 3 A13.V6.T11 7
followed



authentication

4 4 A13.V21.T3 9

4 4 A13.V21.T8 9

4 4 A13.V21.T10 9
data
4 4 A13.V21.T14 10
4 related) 3 A13.V21.T15 9
4 T18. Blocking 2 A13.V21.T18 8
4 T19. Jamming 2 A13.V21.T19 7


4 2 A13.V21.T29 7
attack



Buffer overflow


data

4 T19. Jamming 2 A13.V39.T19 7


4 2 A13.V39.T29 7
attack

authentication

3 4 A14.V1.T8 8


3 4 A14.V1.T12 8



4 3 A14.V9.T1 9
Buffer overflow
4 5 A14.V9.T2 10
authentication

4 2 A14.V9.T29 7
attack

Buffer overflow

followed

disaster
5 4 A14.V18.T30 10


4 4 A14.V19.T8 9

4 4 A14.V19.T12 9


5 4 A14.V20.T3 10

5 3 A14.V20.T11 9
followed


5 4 A14.V20.T30 10


2 4 A14.V28.T12 7

4 4 A14.V35.T3 9



4 4 A14.V36.T10 9
data

4 4 A14.V38.T10 9
data
4 3 A14.V38.T11 8
followed



4 4 A14.V38.T30 9

3 4 A15.V1.T8 8

3 3 A15.V1.T11 7
followed

3 4 A15.V1.T12 8





disaster
3 5 A15.V10.T2 9
authentication


3 4 A15.V10.T10 8
data
3 3 A15.V10.T11 7
followed






5 4 A15.V18.T30 10





5 3 A15.V20.T11 9
followed


5 4 A15.V20.T30 10

2 4 A15.V28.T8 7


4 4 A15.V35.T3 9

4 4 A15.V35.T12 9



4 data 4 A15.V36.T10 9

4 4 A15.V36.T12 9

4 4 A15.V36.T30 9
4 data 4 A15.V38.T10 9


4 4 A15.V38.T12 9





2 data 4 A16.V5.T10 5


2 4 A16.V5.T30 5


2 4 A16.V6.T12 5
2 4 A16.V6.T30 5
3 3 A17.V13.T1 7
Buffer overflow
3 5 A17.V13.T2 8
authentication

3 3 A17.V13.T15 7
related)
3 T18. Blocking 2 A17.V13.T18 6
3 T19. Jamming 2 A17.V13.T19 5

3 3 A17.V13.T20 7

3 3 A17.V13.T1 7
Buffer overflow

authentication

related)

3 T18. Blocking 2 A17.V13.T18 6
3 T19. Jamming 2 A17.V13.T19 5

3 3 A17.V13.T20 7



3 4 A18.V1.T8 7

3 data 4 A18.V1.T10 7


3 4 A18.V1.T12 7

3 4 A18.V1.T14 8




4 5 A18.V2.T2 9
authentication
4 4 A18.V2.T22 9


3 3 A18.V3.T1 7
Buffer overflow

disaster
2 5 A18.V12.T2 7
authentication


2 4 A18.V12.T10 6
data

followed




2 4 A18.V12.T22 7

2 3 A18.V12.T11 5
followed
2 4 A18.V12.T12 6
2 4 A18.V12.T30 6


4 4 A18.V23.T3 8

4 3 A18.V23.T11 7
followed
4 4 A18.V23.T12 8



3 4 A18.V33.T14 8

followed
3 4 A18.V33.T30 7

3 4 A18.V37.T8 7

3 4 A18.V37.T10 7
data



followed


2 4 A18.V7.T10 6
data

2 3 A18.V7.T11 5
followed

2 3 A18.V8.T1 6
Buffer overflow



3 5 A18.V9.T2 8
authentication
3 4 A18.V9.T22 8

3 4 A18.V9.T28 8
disaster




data

followed
3 4 A18.V9.T14 8


3 4 A18.V9.T22 8

followed


3 4 A19.V2.T22 8

3 5 A19.V2.T2 8
authentication


3 4 A19.V5.T8 7

3 4 A19.V5.T10 7
data

3 4 A19.V6.T12 7




3 4 A19.V8.T8 7

3 4 A19.V8.T14 8


followed
4 4 A19.V14.T12 8



4 4 A19.V14.T30 8
4 3 A19.V14.T1 8
Buffer overflow

authentication
4 4 A19.V14.T22 9

4 4 A19.V16.T28 9
disaster

2 4 A19.V20.T8 6

data

4 4 A19.V32.T12 8


4 4 A19.V32.T14 9




5 3 A2.V1.T11 9
followed




4 data 4 A2.V12.T10 9

4 3 A2.V12.T11 8
followed

4 4 A2.V12.T30 9

4 4 A2.V12.T10 9
data
4 3 A2.V12.T11 8
followed
4 4 A2.V12.T12 9
4 4 A2.V12.T30 9




4 4 A2.V14.T8 9

data


4 4 A2.V14.T14 10

4 4 A2.V14.T22 10

4 3 A2.V3.T1 9
Buffer overflow
4 4 A2.V3.T22 10
4 4 A2.V3.T28 10
disaster
3 4 A2.V7.T10 8
data

3 3 A2.V7.T11 7
followed



data


3 4 A2.V5.T30 8

3 3 A2.V23.T11 7
followed


4 4 A2.V6.T22 10

followed
4 4 A2.V6.T12 9


3 4 A2.V38.T3 8

3 4 A2.V38.T8 8

3 4 A2.V38.T10 8
data


related)
3 T19. Jamming 2 A2.V38.T19 6

3 3 A2.V38.T20 8

attack

data
3 3 A2.V38.T11 7
followed







2 4 A2.V15.T30 7


4 3 A2.V20.T11 8
followed
4 4 A2.V20.T12 9


4 4 A2.V20.T30 9
0 T34. Trivialisation of unique identifiers 4 A2.V21.T34 5

4 4 A2.V40.T12 9


3 3 A20.V2.T11 7
followed



authentication

4 4 A20.V4.T3 9

4 4 A20.V4.T8 9

4 4 A20.V4.T10 9
data
4 4 A20.V4.T14 10
3 related) 3 A20.V6.T15 8
3 T19. Jamming 2 A20.V6.T19 6


4 2 A20.V8.T29 7
attack

followed




data

followed


data
3 3 A20.V9.T11 7
followed


2 4 A20.V10.T22 8

2 4 A20.V10.T3 7

2 4 A20.V10.T12 7



authentication


2 4 A20.V12.T8 7




2 3 A20.V12.T11 6
followed





1 4 A20.V18.T10 6
data
1 3 A20.V18.T11 5
followed



4 4 A20.V19.T30 9
4 3 A20.V19.T1 9
Buffer overflow

4 4 A20.V19.T8 9

4 4 A20.V19.T10 9
data
3 T19. Jamming 2 A20.V20.T19 6


3 2 A20.V20.T29 6
attack
3 5 A20.V20.T2 9
authentication

authentication



4 4 A20.V38.T8 9

4 data 4 A20.V39.T10 9


4 3 A20.V39.T15 9
related)
4 T18. Blocking 2 A20.V39.T18 8
4 T19. Jamming 2 A20.V39.T19 7

4 3 A20.V39.T20 9

4 2 A20.V39.T29 7
attack
2 3 A3.V13.T1 6
Buffer overflow

related)
2 T19. Jamming 2 A3.V13.T19 4

2 3 A3.V13.T20 6

Buffer overflow

authentication

2 T19. Jamming 2 A3.V13.T19 4



2 3 A3.V25.T20 6

Buffer overflow
3 5 A3.V12.T2 8
authentication
3 4 A3.V12.T22 8

3 4 A3.V12.T28 8
disaster

3 4 A3.V12.T30 7

data

followed

3 4 A3.V12.T30 7



data
2 3 A3.V5.T11 5
followed




authentication



related)

4 4 A3.V6.T22 9

followed

4 4 A3.V6.T30 8
3 4 A4.V17.T22 9

4 3 A4.V39.T1 9
Buffer overflow


4 data 4 A4.V39.T10 9
4 4 A4.V39.T12 9
4 T19. Jamming 2 A4.V39.T19 7

4 3 A4.V39.T20 9

4 attack 2 A4.V39.T29 7


3 4 A4.V20.T33 8


authentication

3 4 A5.V11.T3 8

3 4 A5.V11.T8 8

3 4 A5.V11.T10 8
data


3 4 A5.V11.T14 9

3 4 A5.V11.T22 9

3 4 A5.V11.T30 8

authentication


3 4 A5.V4.T10 8
data

followed
3 4 A5.V4.T12 8



2 4 A5.V24.T22 8

2 4 A5.V24.T30 7

2 4 A5.V24.T8 7


2 3 A5.V24.T15 7
related)

3 4 A5.V6.T22 9
3 3 A5.V6.T11 7
followed
3 4 A5.V6.T12 8


2 attack 2 A5.V9.T29 5




3 3 A5.V27.T15 8
related)

3 3 A5.V27.T20 8

4 4 A5.V28.T8 9

3 3 A5.V12.T1 8
Buffer overflow
3 5 A5.V12.T2 9
authentication

3 3 A5.V12.T15 8
related)
3 T19. Jamming 2 A5.V12.T19 6


3 3 A5.V12.T1 8
Buffer overflow
3 5 A5.V12.T2 9
authentication

3 T19. Jamming 2 A5.V12.T19 6


3 4 A5.V12.T12 8




3 4 A5.V21.T8 8

3 4 A5.V21.T14 9


3 4 A5.V31.T8 8

data
3 3 A5.V31.T15 8
related)

3 3 A5.V31.T20 8

3 4 A5.V38.T10 8
data

followed



4 T33. Exclusion of the data subject from 4 A5.V41.T33 9



4 3 A6.V23.T11 8
followed


4 4 A6.V23.T30 9
3 5 A6.V11.T2 9
authentication

3 4 A6.V11.T3 8

3 3 A6.V11.T11 7
followed
3 4 A6.V11.T12 8


authentication


data

followed


2 4 A6.V24.T14 8




3 4 A6.V6.T30 8

authentication

4 4 A6.V13.T3 9

4 4 A6.V13.T8 9

4 4 A6.V13.T10 9
data
4 4 A6.V13.T14 10
4 T19. Jamming 2 A6.V13.T19 7


4 2 A6.V13.T29 7
attack
4 T19. Jamming 2 A6.V13.T19 7



3 data 4 A6.V12.T10 8

3 3 A6.V12.T11 7
followed

3 4 A6.V12.T30 8

3 data 4 A6.V12.T10 8

3 3 A6.V12.T11 7
followed
3 4 A6.V12.T12 8
3 4 A6.V12.T30 8





4 5 A6.V21.T2 10
authentication


4 4 A6.V21.T14 10



3 data 4 A6.V31.T10 8

3 3 A6.V31.T15 8
related)

3 3 A6.V31.T20 8

3 4 A6.V38.T10 8
data
3 3 A6.V38.T11 7
followed
3 4 A6.V38.T12 8


3 4 A6.V38.T30 8
3 3 A6.V10.T1 8
Buffer overflow
3 3 A6.V10.T11 7
followed

disaster
3 3 A6.V39.T1 8
Buffer overflow

3 4 A6.V39.T8 8

3 4 A6.V39.T10 8
data

3 T19. Jamming 2 A6.V39.T19 6


attack

authentication


4 4 A6.V34.T10 9
data

4 T19. Jamming 2 A6.V34.T19 7


4 4 A6.V19.T33 9

4 4 A7.V4.T14 11

4 4 A7.V5.T8 10

4 4 A7.V5.T10 10
data

followed
4 4 A7.V5.T14 11
4 4 A7.V5.T30 10
4 4 A7.V6.T22 11



authentication



related)


3 4 A7.V28.T8 9



4 4 A7.V29.T30 10


3 4 A7.V31.T8 9

3 4 A7.V31.T10 9
data
3 3 A7.V31.T15 9
related)

3 3 A7.V31.T20 9

4 3 A7.V34.T1 10
Buffer overflow


data

4 T19. Jamming 2 A7.V34.T19 8


4 3 A7.V39.T1 10
Buffer overflow

4 4 A7.V39.T8 10

4 4 A7.V39.T10 10
data
4 4 A7.V39.T12 10
4 T19. Jamming 2 A7.V39.T19 8

4 3 A7.V39.T20 10

4 2 A7.V39.T29 8
attack
4 5 A7.V39.T2 11
authentication


4 4 A7.V19.T33 10

5 the data processing process 4 A7.V42.T33 11

4 3 A8.V3.T1 8
Buffer overflow

4 4 A8.V3.T22 9



2 data 4 A8.V12.T10 6

2 3 A8.V12.T11 5
followed






4 4 A8.V24.T30 8

4 4 A8.V24.T8 8

4 4 A8.V24.T14 9

4 3 A8.V24.T15 8
related)


3 4 A9.V2.T28 9
disaster

Buffer overflow





data
4 3 A9.V5.T11 8
followed

4 4 A9.V5.T30 9
4 4 A9.V6.T22 10
4 3 A9.V6.T11 8
followed

4 4 A9.V6.T30 9

attack
4 3 A9.V10.T1 9
Buffer overflow

followed


4 4 A9.V10.T28 10
disaster


Annex II - Risk Assessment Spreadsheet

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Annex II - Risk Assessment Spreadsheet

Uploaded by

Copyright:

Available Formats

Asset Value Measurement Scale

Threat Value Measurement Scale

Vulnerability Value Measurement Scale

Information Security Risk Measurement Scale

Risk Assessment Scale

ID Asset Description or reference to above described Owner [involved actors / Value

A7 Health monitoring devices Allergy bracelet Citizen/passenger, airlines, 5

A13 Networks Wi-Fi, WiMax, conventional broadband, Service providers, including 4

A17 Luggage and goods The passengers’ luggage. Citizen/passenger, shops 3

I01 Health / Life / Safety

I02 Time / efficiency

I06 Mobility of individuals

I11 Business activities

Time needed to check-in, security controls or boarding

Existing Control Description

C4 Authorisation of passengers by a paper boarding pass and verified by the

C10 Verification of only one person in the booth

C12 Communication of the payment transaction record to the shuttle service

C22 SMS record kept by taxi service as a proof

Control Category Control Nature

Containment & Recovery Semi - automated

Detective Preventive Automated

Detective Corrective Automated

Detective Corrective Automated

Detective Corrective Automated

Deterrent Preventive Automated

Preventive Detective Automated

Preventive Detective Automated

Preventive Detective Automated

Preventive Detective Automated

Corrective Preventive Automated

A1. Automated reservation, checking and boarding procedure

A1. Automated reservation, checking and boarding procedure

A1. Automated reservation, checking and boarding procedure

A1. Automated reservation, checking and boarding procedure

A1. Automated reservation, checking and boarding procedure

A1. Automated reservation, checking and boarding procedure

A1. Automated reservation, checking and boarding procedure

A1. Automated reservation, checking and boarding procedure

A19. Airport facilities

A18. Check-in infrastructure

A1. Automated reservation, checking and boarding procedure

A1. Automated reservation, checking and boarding procedure

A1. Automated reservation, checking and boarding procedure

A4. Automated traffic management

A4. Automated traffic management

A3. Luggage and goods handling

A17. Luggage and goods

A3. Luggage and goods handling

A17. Luggage and goods

A10. Credit Cards/Debit card/Payment cards/'e-wallet'

A7 Health monitoring devices

A4 Automated Traffic Management

No Vulnerability Description Exposure [Metric

V2 Excessive dependency on IT systems, network and external infrastructure 4

V3 Lack of back-up / failover procedures 3

V4 Lack of or low user awareness and/or training in procedures, use of devices, 2

V5 Lack of usability / unfriendly user interface(s) of device(s) 3

Lack of interoperability between devices and/or technologies and/or systems

V8 Dependency on power systems 4

V9 Lack of or inadequate logical access (identification, authentication and 3

V10 Flawed/insufficient design and/or capacity of devices and systems 2

V11 Lack of adequate controls in biometrics' enrolment stage 3

V12 Lack of harmonisation and interoperability of procedures 2