Guidance
This section provides additional guidance on determining the classification of metrics.
Privileges Required
How the privileges required are defined varies by threat vector:
- Network
High: Able to intercept traffic, as ISPs, wireless access point providers, corporate proxies, or governments can.
Low: N/A.
None: Only has access to publicly available information, e.g. information obtainable through network scans.
- Physical
High: Physical access to the device, with significant administrative control (e.g. administrator on Windows, root on Linux, ADB on Android).
Low: Physical access to the device, with logical access to the data (e.g. in a powered-on and unlocked state).
None: Physical access to the device in a powered-off or locked state.
- Local
High: Applications which require administrator authorisation, for example kernel processes, enterprise mobility management apps, or privileged anti-virus software.
Low: Applications with permissions granted by the user at install or runtime.
None: N/A.
- Involved
High: Requires specialised access in a third-party organisation, or use of a court order to obtain.
Low: Easily accessible by a significant number of individuals in a third-party organisation.
None: N/A.