Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Methods and protocols; Part 1: Method and proforma for Threat, Risk, Vulnerability Analysis

RTS/TISPAN-07050-NGN-R3

General Information

Status
Published
Publication Date
23-Mar-2011
Technical Committee
Current Stage
12 - Completion
Due Date
25-Mar-2011
Completion Date
24-Mar-2011
Ref Project
Standard
ts_10216501v040203p - Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Methods and protocols; Part 1: Method and proforma for Threat, Risk, Vulnerability Analysis
English language
79 pages

Standards Content (Sample)


Technical Specification
Telecommunications and Internet converged Services and
Protocols for Advanced Networking (TISPAN);
Methods and protocols;
Part 1: Method and proforma for Threat,
Risk, Vulnerability Analysis

2 ETSI TS 102 165-1 V4.2.3 (2011-03)

Reference
RTS/TISPAN-07050-NGN-R3
Keywords
authentication, confidentiality, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network
drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2011.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™, TIPHON™, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
LTE™ is a Trade Mark of ETSI currently being registered
for the benefit of its Members and of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 6
Foreword . 6
Introduction . 6
1 Scope . 8
2 References . 8
2.1 Normative references . 8
2.2 Informative references . 9
3 Definitions, symbols and abbreviations . 10
3.1 Definitions . 10
3.2 Symbols . 11
3.3 Abbreviations . 11
4 Introduction . 13
4.1 Role of TVRA . 13
4.2 Generic TVRA relationships . 15
4.3 Countermeasure strategies . 18
4.3.1 Asset redesign . 18
4.3.2 Asset hardening . 18
4.4 Relationship with Common Criteria evaluation . 18
5 TVRA method . 19
5.1 Overview . 19
5.1.1 Target of Evaluation description . 21
5.1.1.1 Security environment . 21
5.1.1.2 Security objectives . 22
5.1.1.3 Security requirements. 23
5.1.1.3.1 The relationship between security objectives and security requirements . 23
5.1.1.3.2 Security requirements statements . 23
5.1.2 Threats and threat agents . 25
5.2 Actors and roles . 27
5.3 Rationale. 27
6 Method process . 27
6.1 Overview . 27
6.2 Step 1: Identification of Target Of Evaluation (TOE) . 28
6.3 Step 2: Identification of objectives . 29
6.4 Step 3: Identification of functional security requirements . 29
6.5 Step 4: Systematic inventory of the assets . 30
6.6 Step 5: Systematic identification of vulnerabilities . 31
6.6.1 Identification of weakness . 32
6.6.2 Identification of a vulnerability . 32
6.6.3 Identification of attack method (threat agent) . 32
6.6.3.1 Assessment of the practicality . 32
6.6.3.1.1 Knowledge factor . 32
6.6.3.1.2 Time factor . 33
6.6.3.1.3 Expertise factor . 34
6.6.3.1.4 Opportunity factor . 34
6.6.3.1.5 Equipment factor . 34
6.6.3.1.6 Intensity factor . 35
6.7 Step 6: Calculation of the likelihood of the attack and its impact . 35
6.8 Step 7: Establishment of the risks . 36
6.8.1 Impact of intensity . 37
6.8.2 Classification of risk . 37
6.8.2.1 Overview . 37
6.9 Step 8: Security countermeasure identification . 38
6.9.1 Countermeasures in the system . 38
6.9.2 Composite countermeasures applied to the system . 39
6.9.3 Impact of countermeasures applied to the system . 39
6.10 Step 9: Countermeasure Cost-benefit analysis . 39
6.10.1 Standards design . 39
6.10.2 Implementation . 39
6.10.3 Operation . 40
6.10.4 Regulatory impact . 40
6.10.5 Market acceptance . 40
6.11 Step 10: Specification of detailed requirements . 41
Annex A (normative): TVRA proforma . 42
Annex B (informative): The role of motivation . 43
Annex C: Void . 44
Annex D (informative): Denial of service attacks . 45
D.1 DDoS Attacks viable on the NGN . 45
D.1.1 Land . 45
D.1.2 SYN Flood. 45
D.1.3 Ping of Death . 45
D.1.4 Process Table . 46
D.1.5 Smurf Attack . 46
D.1.6 SSH Process Table . 46
D.1.7 TCP Reset . 46
D.1.8 Teardrop . 46
D.1.9 UDP Storm . 46
D.2 DDoS characteristics . 47
D.3 Defence against DDoS . 47
D.3.1 Preventive Mechanisms . 47
D.3.2 Reactive Mechanisms . 47
D.3.2.1 Signature detection mechanisms . 48
D.3.2.2 Anomaly detection mechanisms . 48
D.3.3 Difficulties of defence . 48
Annex E (informative): TVRA database structure . 49
E.1 Database structure . 49
E.2 SQL code for TVRA database . 51
E.2.1 Lookup tables . 51
E.2.2 Core tables . 52
E.2.3 Linking tables . 54
E.2.4 Sample queries (used to complete input to eTVRA proforma) . 55
Annex F (informative): Use of ISO/IEC 15408-2 security functional classes in security requirements statements . 56
F.1 Overview . 56
F.2 Review of functional capabilities . 58
F.2.1 Authentication and identification . 58
F.2.2 Communication class (non-repudiation) . 59
F.2.3 User data protection class . 60
F.2.4 Privacy class . 64
F.2.5 Resource utilization class . 66
F.2.6 Trusted path/channel class . 66
F.2.7 Security management class. 67
F.2.8 Protection of the TSF class . 68
F.2.9 Cryptographic support class . 70
F.2.10 Security audit class . 71
F.2.11 TOE Access class . 72
Annex G (normative): TVRA Risk Calculation Template and Tool . 74
Annex H (normative): TVRA Countermeasure Cost-Benefit Analysis Template and Tool . 75
Annex I (informative): Bibliography . 77
I.1 UML . 77
Annex J (informative): Change history . 78
History . 79

Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Telecommunications and Internet
converged Services and Protocols for Advanced Networking (TISPAN).
The present document is part 1 of a multi-part deliverable covering methods and protocols for security standardization,
as identified below:
Part 1: "Method and proforma for Threat, Risk, Vulnerability Analysis";
Part 2: "Protocol Framework Definition; Security Counter Measures".
Introduction
The present document is one of a set of documents that addresses standardization of security protocols and mechanisms
within the context of the eEurope 2005 programme. The suite of documents is composed as follows:
• ETSI EG 202 387 [i.1]: "Telecommunications and Internet converged Services and Protocols for Advanced
Networking (TISPAN); Security Design Guide; Method for application of Common Criteria to ETSI
deliverables".
• ETSI ES 202 383 [1]: "Telecommunications and Internet converged Services and Protocols for Advanced
Networking (TISPAN); Security Design Guide; Method and proforma for defining Security Targets".
• ETSI ES 202 382 [2]: "Telecommunications and Internet converged Services and Protocols for Advanced
Networking (TISPAN); Security Design Guide; Method and proforma for defining Protection Profiles".
• ETSI TS 102 165-1: "Telecommunications and Internet converged Services and Protocols for Advanced
Networking (TISPAN); Methods and protocols; Method and proforma for Threat, Risk, Vulnerability
Analysis" (the present document).
• ETSI TS 102 165-2 [4]: "Telecommunications and Internet converged Services and Protocols for Advanced
Networking (TISPAN); Protocol Framework Definition; Security Counter Measures".
• ETSI TS 102 556 [i.5]: "Telecommunication and Internet converged Services and Protocols for Advanced
Networking (TISPAN); Protection Profile".
• ETSI EG 202 549 [i.6]: "Telecommunication and Internet converged Services and Protocols for Advanced
Networking (TISPAN); Design Guide; Application of security countermeasures to service capabilities".
These documents are developed based on the objectives of the eEurope programme and are also developed to ensure
they comply with the overall objectives of the European regulatory framework as defined in the following documents:
• Directive 2002/19/EC [14] of the European Parliament and of the council of 7 March 2002 on access to, and
interconnection of, electronic communications networks and associated facilities (Access Directive).
• Directive 2002/20/EC [15] of the European Parliament and of the council of 7 March 2002 on the
authorization of electronic communications networks and services (Authorization Directive).
• Directive 2002/21/EC [16] of the European Parliament and of the council of 7 March 2002 on a common
regulatory framework for electronic communications networks and services (Framework Directive).
• Directive 2002/22/EC [17] of the European Parliament and of the council of 7 March 2002 on universal
service and users' rights relating to electronic communications networks and services (Universal Service
Directive).
• Directive 2002/58/EC [18] of the European Parliament and of the council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic communications sector (Directive on
privacy and electronic communications).
In particular the present document forms part of the standardization initiative for the Next Generation Network (NGN)
platform to be used in eEurope, upon which the trust and viability of the e-enabled community will, to a very large
part, depend.
The eEurope 2005 action plan has been drawn up to focus on "the widespread availability and use of broadband
networks throughout the Union … and the security of networks and information, eGovernment, eHealth and eBusiness"
requiring a supporting infrastructure, which is truly pan-European. To quote COM(2002)263 [i.8]: "By 2005 Europe
should have … a secure information infrastructure".
1 Scope
The present document defines a method for use by ETSI standards developers in undertaking an analysis of the threats,
risks and vulnerabilities of a telecommunications system.
The method builds from the Common Criteria for security assurance and evaluation defined in ISO/IEC 15408 [9] and
specifically targets the means to build a Threat Vulnerability and Risk Analysis (TVRA) to allow its reference by an
ETSI specification developed using the guidelines given in EG 202 387 [i.1] and ES 202 382 [2]. The TVRA forms part
of the documentation set for the Target Of Evaluation as specified in ES 202 382 [2] with its intended audience being a
developer of standards based Protection Profiles.
The Unified Modelling Language (UML) is used to model relationships within systems for analysis within the TVRA
as a semi-formal tool with verification and simulation capabilities deployed during development.
NOTE: This is in accordance with the goals of the eEurope project under objective Good practices
(COM(2002) 263 page 18) [i.8].
The present document provides a database definition for TVRA and provides, in annexes, the application of the TVRA
method to a number of NGN subsystems or components. The database definition is appended to the present document
as a text file containing Structured Query Language (SQL) database definition commands.
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
reference document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are necessary for the application of the present document.
[1] ETSI ES 202 383: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Security Design Guide; Method and proforma for defining
Security Targets".
[2] ETSI ES 202 382: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Security Design Guide; Method and proforma for defining
Protection Profiles".
[3] Void.
[4] ETSI TS 102 165-2 (2006): "Telecommunications and Internet converged Services and Protocols
for Advanced Networking (TISPAN); Methods and protocols; Part 2: Protocol Framework
Definition; Security Counter Measures".
[5] ETSI TS 187 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN SECurity (SEC); Requirements".
[6] ISO/IEC 15408-1: "Information technology - Security techniques - Evaluation criteria for IT
security - Part 1: Introduction and general model".
[7] ISO/IEC 15408-2: "Information technology - Security techniques - Evaluation criteria for IT
security - Part 2: Security functional requirements".
[8] ISO/IEC 15408-3: "Information technology - Security techniques - Evaluation criteria for IT
security - Part 3: Security assurance requirements".
[9] ISO/IEC 15408: "Information technology - Security techniques - Evaluation criteria for IT
security".
NOTE: When referring to all parts of ISO/IEC 15408 the reference above is used.
[10] CCMB-2005-07-004: "Common Methodology for Information Technology Security Evaluation;
Evaluation methodology; July 2005; Version 3.0 Revision 2".
[11] CCMB-2005-07-001: "Common Criteria for Information Technology Security Evaluation
Part 1: Introduction and general model June 2005 Version 3.0 Revision 2".
[12] AS/NZS 4360: "Risk Management" (Standards Australia).
[13] ISO/IEC 18028:2005: "Information technology - Security techniques - IT network security",
parts 4 and 5.
NOTE: ISO/IEC 18028 is a multipart publication and the reference above is used to refer to the series.
[14] Directive 2002/19/EC of the European Parliament and of the council of 7 March 2002 on access
to, and interconnection of, electronic communications networks and associated facilities (Access
Directive).
[15] Directive 2002/20/EC of the European Parliament and of the council of 7 March 2002 on the
authorization of electronic communications networks and services (Authorization Directive).
[16] Directive 2002/21/EC of the European Parliament and of the council of 7 March 2002 on a
common regulatory framework for electronic communications networks and services (Framework
Directive).
[17] Directive 2002/22/EC of the European Parliament and of the council of 7 March 2002 on universal
service and users' rights relating to electronic communications networks and services (Universal
Service Directive).
[18] Directive 2002/58/EC of the European Parliament and of the council of 12 July 2002 concerning
the processing of personal data and the protection of privacy in the electronic communications
sector (Directive on privacy and electronic communications).
[19] ISO/IEC 27002:2005: "Information technology - Security techniques - Code of practice for
information security management".
[20] ISO/IEC 27001:2005: "Information Technology - Security Techniques - Information Security
Management Systems - Requirements".
[21] ptc/04-10-02: "Object Management Group. UML 2.0 Superstructure Specification", 2004.
[22] IETF RFC 3761: "The E.164 to Uniform Resource Identifiers (URI) Dynamic Delegation
Discovery System (DDDS) Application (ENUM)".
2.2 Informative references
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI EG 202 387: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Security Design Guide; Method for application of Common
Criteria to ETSI deliverables".
[i.2] ETSI TR 187 011: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Security; Application of ISO-15408-2 requirements to
ETSI standards - guide, method and application with examples".
[i.3] ETSI TR 187 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); TISPAN NGN Security (NGN-SEC); Threat, Vulnerability and
Risk Analysis".
[i.4] ETSI TR 102 055: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); ENUM scenarios for user and infrastructure ENUM".
[i.5] ETSI TS 102 556: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Protection Profile".
[i.6] ETSI EG 202 549: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Design Guide; Application of security countermeasures to
service capabilities".
[i.7] ETSI TS 102 051: "ENUM Administration in Europe".
[i.8] COM(2002)263: "Communication from the Commission to the Council, the European Parliament,
the Economic and Social Committee and the Committee of the regions".
NOTE: Available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2002:0263:FIN:EN:PDF.
[i.9] ETSI ETR 332 (1996): "Security Techniques Advisory Group (STAG); Security requirements
capture".
3 Definitions, symbols and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in EG 202 387 [i.1], ISO/IEC 27002 [19],
ISO/IEC 18028 [13] and the following apply:
asset: anything that has value to the organization, its business operations and its continuity
authentication: ensuring that the identity of a subject or resource is the one claimed
availability: property of being accessible and usable on demand by an authorized entity (ISO/IEC 18028 [13])
confidentiality: ensuring that information is accessible only to those authorized to have access
impact: result of an information security incident, caused by a threat, which affects assets
integrity: safeguarding the accuracy and completeness of information and processing methods
mitigation: limitation of the negative consequences of a particular event
nonce: arbitrary number that is generated for security purposes (such as an initialization vector) that is used only one
time in any security session
NOTE: Although random and pseudo-random numbers theoretically produce unique numbers, there is the
possibility that the same number can be generated more than once.
non-repudiation: ability to prove an action or event has taken place, so that this event or action cannot be repudiated
later
residual risk: risk remaining after risk treatment
risk: potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the
organization
threat: potential cause of an incident that may result in harm to a system or organization
NOTE 1: A threat consists of an asset, a threat agent and an adverse action of that threat agent on that asset
(clause 6.2 of Common Criteria part 1 [11]).
NOTE 2: A threat is enacted by a threat agent, and may lead to an unwanted incident breaking certain
pre-defined security objectives.
threat agent: entity that can adversely act on an asset
unwanted incident: incident such as loss of confidentiality, integrity and/or availability
NOTE: See AS/NZS 4360 [12].
user: person or process using the system in order to gain access to some system resident or system accessible service
vulnerability: weakness of an asset or group of assets that can be exploited by one or more threats
NOTE: A vulnerability, consistent with the definition given in ISO/IEC 18028 [13], is modelled as the
combination of a weakness and one or more threats that can exploit it.
3.2 Symbols
For the purposes of the present document, the symbols given in OMG UML2 [21] and the following apply:
Generalization/Specialization: UML concept showing relationship between entities A and B where the
two entities exhibit the property that A (top of arrow) is the general case whereas B is the specific case

EXAMPLE: A countermeasure is a specialized asset.
Composition: UML concept showing relationship between entities A and B where A "is composed of" B

EXAMPLE: Vulnerability "is composed of" a threat and a weakness.
Dependency: UML concept showing relationship between entities A and B where B is dependent upon A

EXAMPLE: Security requirements "depend on" security objectives.
Aggregation: UML concept showing relationship between entities A and B where A "is an aggregate of"
B
EXAMPLE: System "is an aggregate of" assets.
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
ANSI American National Standards Institute
CC Common Criteria
CIAAA Confidentiality, Integrity, Availability, Authenticity and Accountability
CPU Central Processing Unit
DDDS Dynamic Delegation Discovery System
DDoS Distributed Denial of Service
DNS Domain Name System
DNSSEC DNS SECurity
DoS Denial of Service
EAL Evaluation Assurance Level
ERD Entity Relationship Diagram
FAU Functional class Security Audit
FCO Functional class Communication
FCS Functional class Cryptographic Support
FDP Functional class User Data Protection
FIA Functional class Identification and Authentication
FMT Functional class Security Management
FPR Functional class Privacy
FPT Functional class Protection of the TSF
FRU Functional class Resource Utilisation
FTA Functional class TOE Access
FTP Functional class Trusted Path/Channels
NOTE: The functional classes FAU to FTP above are those defined in ISO/IEC 15408-2 [7].
ICMP Internet Control Message Protocol
IMSI International Mobile Subscriber Identity
IN Intelligent Network
IP Internet Protocol
IPsec IP security
IT Information Technology
NAPTR Naming Authority PoinTeR
NAT Network Address Translation
NGN Next Generation Network
PP Protection Profile
RRSet Resource Record Set
RRSIG Resource Record SIGnature
RTP Realtime Transport Protocol
SIP Session Initiation Protocol
SQL Structured Query Language
SSH Secure SHell
ST Security Target
TCP Transmission Control Protocol
TIMSI Temporary IMSI
TISPAN Telecommunications and Internet converged Services and Protocols for Advanced Networking
TOE Target Of Evaluation
TTP Trusted Third Party
TVRA Threat Vulnerability and Risk Analysis
UDP User Datagram Protocol
UML Unified Modelling Language
URI Uniform Resource Identifier
4 Introduction
4.1 Role of TVRA
Without an understanding of the system, of the threats to it and of the cost and benefit of each candidate
countermeasure, countermeasures cannot be selected appropriately. Within ETSI a Threat Vulnerability and Risk
Analysis (TVRA) is used to identify risk to the system as the product of the likelihood of an attack and the impact
that such an attack will have on the system. The TVRA is primarily used within the standards domain to justify the
development of standards-based security solutions. In addition the TVRA may be used as the source of parts of a
Protection Profile (PP), see ES 202 382 [2]: large parts of the descriptive text of a PP (security objectives,
security requirements and rationale) will be derived from the TVRA.
The method described in the present document provides a means of documenting the rationale for designing security
countermeasures in a system by application of a systematic method, and by using part of the method to visualize the
relationship of objectives, requirements, system design and system vulnerabilities.
The depth of the TVRA increases as the system design becomes more detailed. A TVRA working only from the system
objectives identifies, at a very coarse level, the security functionality required to ensure that the objectives can
be met without damage to the system. The structure of activities in the development of a TVRA is shown in figure 1.
The process is recursive: any change to any aspect of the system or its environment requires the process to be
restarted.

[Figure 1 is an image. It shows three control processes in sequence, each followed by a vulnerability analysis: Establish Security Objectives (outputs: Security Objectives, Assurance Objectives), then Carry Out Vulnerability Analysis (Objectives); Specify Security Requirements (outputs: Security Requirements, Threats), then Carry Out Vulnerability Analysis (Requirements); System Design (outputs: Security Architecture, Security Services, Security Mechanisms), then Carry Out Vulnerability Analysis (System). Key: Control Process, Information Process, Input/Output.]
Figure 1: Structure of security analysis and development in standards documents
The purpose of the TVRA is to determine how open to attack the system, or components of the system, are. The
measure of that openness is the "attack potential", which combines the factors of expertise, availability and
resources (detailed as knowledge, time, expertise, opportunity, equipment and intensity in clause 6.6) into a metric
for attack evaluation.
An alternative view of the nature of TVRA is given in figure 2 showing that any change either internal (say by
application of countermeasures) or external to the system requires that the TVRA process is redone.

[Figure 2 is an image: a cycle in which an External change feeds into the TVRA, whose output is the Application of countermeasures (an Internal change), which in turn feeds back into the TVRA.]
Figure 2: Cyclical nature of TVRA
4.2 Generic TVRA relationships
One of the keys to a successful TVRA, and also of a successful system design, is the ability to show the relationship of
objectives and requirements to the system design. Figure 3 shows the dependencies between system objectives, system
requirements and system design highlighting the interplay of security objectives and requirements.
[Figure 3 is a UML class diagram ("cd General model"). It contains the «Objective» classes SystemObjectives, SecurityObjectives and AssuranceObjectives, the «Requirement» classes SystemRequirements, SecurityRequirements and AssuranceRequirements, and SystemDesign, which "Is an aggregation of" «asset» DesignModule; a «realize» dependency links DesignModule to the requirements.]
Figure 3: Relationship between system design, objectives and requirements
For most systems and in particular for the Next Generation Network (NGN) the development of system requirements
goes far beyond just security and one concern for TVRA is to ensure that the system design is itself robust and therefore
has fully documented requirements across all its aspects.
A TVRA requires that both the system being examined (with its catalogued objectives and requirements) and the assets
of the system and how it fits to its environment are clearly identified. In the context of TVRA the key relationship is
that between a vulnerability and an asset and this is a weighted relationship with the weighting being defined as the risk
to the asset due to the associated vulnerability. A pictorial view of the asset-threat-weakness-vulnerability-
countermeasure relationship to system design is given in figure 4.
[Figure 4 is a UML class diagram ("cd SecurityRelationships"). SystemDesign "Is an aggregation of" «asset» DesignModule; a DesignModule "May have" a «Weakness» AssetWeakness; a «Vulnerability» AssetVulnerability is composed of an AssetWeakness and a «Threat» AttackingThreat, which a ThreatAgent "Enacts specific threat"; exploiting the vulnerability "Exploit may lead to" an «UnwantedIncident» Incident; a «Countermeasure» SecCountermeasure "Protects" the asset against the vulnerability.]
Figure 4: Generic security TVRA model
One of the purposes of security design is to minimize the probability of any instance of the class "unwanted incident"
being instantiated. It should be noted that whilst some countermeasures may themselves become system assets, and as
such have their own vulnerabilities, many instances of countermeasures will be considered as policies, system
guidelines and, if captured early enough, system redesign.
The data types pertaining to the model in figure 4 are given in figure 5. Essentially threats can be classified as one of
5 types:
• Interception
• Manipulation
• Denial of service
• Repudiation of sending
• Repudiation of receiving
Similarly security objectives can be classified as one of 5 types (commonly referred to as "CIAAA" types):
• Confidentiality
• Integrity
• Availability
• Authenticity
• Accountability
[Figure 5 is a UML class diagram ("cd Data Model") containing the enumerations Threat_Type and Security_Objective_Type, whose literals are the threat types and CIAAA objective types listed above.]
[The sample of the standard ends here.]
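The relationships of figure 4 (asset, weakness, threat, vulnerability, countermeasure) and the risk weighting of clause 4.1 (likelihood multiplied by impact) lend themselves to the relational form that clause 1 says the standard ships as an SQL text file (Annex E). The following is an added example, not code from ETSI TS 102 165-1 and not its Annex E schema: a minimal SQLite model of those relationships with a query that produces a risk register and a residual-risk view once a countermeasure is applied. The 1 to 3 scales for likelihood and impact, the risk bands in classify(), the table and column names and the sample inventory (a SIP registrar and an ENUM/DNS resolver) are assumptions made for illustration.

```python
# Added example, not code from ETSI TS 102 165-1 and not its Annex E schema:
# a minimal relational form of the figure 4 model, with the vulnerability-to-
# asset link weighted by risk = likelihood x impact as clause 4.1 describes.
# The 1..3 scales, the risk bands and the sample inventory are assumptions.
import sqlite3

SCHEMA = """
-- A countermeasure is a specialised asset (clause 3.2 example): it is stored
-- as an asset and can therefore carry weaknesses of its own.
CREATE TABLE asset (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE,
    is_countermeasure INTEGER NOT NULL DEFAULT 0 CHECK (is_countermeasure IN (0, 1)));
CREATE TABLE weakness (
    id INTEGER PRIMARY KEY,
    asset_id INTEGER NOT NULL REFERENCES asset(id),
    description TEXT NOT NULL);
CREATE TABLE threat (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    threat_type TEXT NOT NULL CHECK (threat_type IN (
        'Interception', 'Manipulation', 'Denial of service',
        'Repudiation of sending', 'Repudiation of receiving')));
-- A vulnerability "is composed of" a threat and a weakness (clause 3.2).
CREATE TABLE vulnerability (
    id INTEGER PRIMARY KEY,
    threat_id INTEGER NOT NULL REFERENCES threat(id),
    weakness_id INTEGER NOT NULL REFERENCES weakness(id),
    likelihood INTEGER NOT NULL CHECK (likelihood BETWEEN 1 AND 3),
    impact INTEGER NOT NULL CHECK (impact BETWEEN 1 AND 3),
    UNIQUE (threat_id, weakness_id));
CREATE TABLE protects (
    countermeasure_id INTEGER NOT NULL REFERENCES asset(id),
    vulnerability_id INTEGER NOT NULL REFERENCES vulnerability(id),
    PRIMARY KEY (countermeasure_id, vulnerability_id));
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def load_sample(conn):
    # Constructed sample inventory; not an analysis taken from the standard.
    conn.executemany("INSERT INTO asset(name) VALUES (?)",
                     [("SIP registrar",), ("ENUM/DNS resolver",)])
    conn.executemany("INSERT INTO weakness(asset_id, description) VALUES (?, ?)", [
        (1, "accepts REGISTER without authenticating the sender"),
        (2, "accepts NAPTR answers without validating an RRSIG")])
    conn.executemany("INSERT INTO threat(name, threat_type) VALUES (?, ?)", [
        ("forged registration", "Manipulation"),
        ("spoofed ENUM answer", "Manipulation"),
        ("registration flood", "Denial of service")])
    conn.executemany("INSERT INTO vulnerability(threat_id, weakness_id, likelihood, impact) "
                     "VALUES (?, ?, ?, ?)", [(1, 1, 3, 3), (2, 2, 2, 3), (3, 1, 2, 2)])
    conn.commit()

def classify(risk):
    # Illustrative bands only; the standard's classification is in clause 6.8.2.
    return "minor" if risk <= 2 else "major" if risk <= 4 else "critical"

def risk_register(conn, residual_only=False):
    """Each vulnerability weighted against the asset it sits on, highest risk
    first; with residual_only, only those no countermeasure protects."""
    sql = """
    SELECT a.name, w.description, t.name, t.threat_type,
           v.likelihood * v.impact AS risk,
           EXISTS (SELECT 1 FROM protects p WHERE p.vulnerability_id = v.id) AS protected
    FROM vulnerability v
    JOIN weakness w ON w.id = v.weakness_id
    JOIN asset a ON a.id = w.asset_id
    JOIN threat t ON t.id = v.threat_id
    ORDER BY risk DESC, a.name"""
    rows = []
    for asset, weak, threat, ttype, risk, protected in conn.execute(sql):
        if residual_only and protected:
            continue
        rows.append((asset, weak, threat, ttype, risk, classify(risk), bool(protected)))
    return rows

def apply_countermeasure(conn, name, vulnerability_ids):
    """Register a countermeasure as a new asset protecting the given
    vulnerabilities. Being an asset it may acquire weaknesses of its own,
    which is why figure 2 has the TVRA re-run after this internal change."""
    cm_id = conn.execute("INSERT INTO asset(name, is_countermeasure) VALUES (?, 1)",
                         (name,)).lastrowid
    conn.executemany("INSERT INTO protects(countermeasure_id, vulnerability_id) VALUES (?, ?)",
                     [(cm_id, v) for v in vulnerability_ids])
    conn.commit()
    return cm_id

if __name__ == "__main__":
    db = build_db()
    load_sample(db)
    apply_countermeasure(db, "SIP digest authentication", [1])
    for row in risk_register(db, residual_only=True):
        print(row)
```

The CHECK constraints on threat_type and on the 1 to 3 scales are the database doing the enumeration work that figure 5 assigns to Threat_Type, so a row with an out-of-vocabulary threat type is rejected at insert time rather than silently skewing the register. The residual view after apply_countermeasure() is the input to the next iteration of the cycle in figure 2: the countermeasure is now an asset row and should itself be given weaknesses before the register is trusted.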
