
Annex II - Risk Assessment Spreadsheet


Intro

Flying 2.0 - Enabling automated air travel by identifying and addressing the challenges of IoT & RFID technology

ANNEX III Risk Assessment Spreadsheet

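Metrics
[scales used to assess assets, vulnerabilities, threats and risks]

Asset Value Measurement Scale

| Value | Magnitude |
|---|---|
| 1 | Very Low |
| 2 | Low |
| 3 | Medium |
| 4 | High |
| 5 | Very High |

Threat Value Measurement Scale

| Value | Description |
|---|---|
| 1 | Very Low |
| 2 | Low |
| 3 | Medium |
| 4 | High |
| 5 | Very High |

Vulnerability Value Measurement Scale

| Value | Description |
|---|---|
| 1 | Very Low |
| 2 | Low |
| 3 | Medium |
| 4 | High |
| 5 | Very High |

Information Security Risk Measurement Scale

Risk values run from 1 (Minimum Risk) to 13 (Maximum Risk), in the bands Very Low, Low, Medium, High, Very High.

Risk Assessment Scale

Each cell lists the risk values for Threat Value 1, 2, 3, 4, 5 (left to right) at the given Asset Value and Vulnerability Value.

| Asset Value | Vulnerability Value 1 | Vulnerability Value 2 | Vulnerability Value 3 | Vulnerability Value 4 | Vulnerability Value 5 |
|---|---|---|---|---|---|
| 1 | 0 1 2 3 4 | 2 3 4 5 6 | 3 4 5 6 7 | 4 5 6 7 8 | 5 6 7 8 9 |
| 2 | 1 2 3 4 5 | 3 4 5 6 7 | 4 5 6 7 8 | 5 6 7 8 9 | 6 7 8 9 10 |
| 3 | 2 3 4 5 6 | 4 5 6 7 8 | 5 6 7 8 9 | 6 7 8 9 10 | 7 8 9 10 11 |
| 4 | 3 4 5 6 7 | 5 6 7 8 9 | 6 7 8 9 10 | 7 8 9 10 11 | 8 9 10 11 12 |
| 5 | 4 5 6 7 8 | 6 7 8 9 10 | 7 8 9 10 11 | 8 9 10 11 12 | 9 10 11 12 13 |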

Assets
[tangible or intangible: any devices, technologies, applications, processes, data of value]

| ID | Asset | Description or reference to above described elements | Owner [involved actors / organisations] | Value | Impact Areas (as in worksheet "Impact Areas"): Intangible, IA1-IA11, values in source order |
|---|---|---|---|---|---|
| A1 | Automated reservation, check-in and boarding procedure | Controls the entrance of passengers into the restricted area of the airport and finally to the aircraft | Airport, airlines, citizens | 4 | 2 4 2 2 3 3 3 4 2 3 3 |
| A2 | Electronic visa issuing process | Process of getting a visa and linking with check-in [not mandatory at this stage] | State, citizens | 4 | 2 4 3 2 3 4 3 4 2 3 3 |
| A3 | Luggage and goods handling | Process for managing the flow of luggage and supplies to shops and airport operations | Airlines, airport | 3 | 2 3 2 1 2 2 3 3 2 3 3 |
| A4 | Automated traffic management | Getting to and from the airport; smart routing; does not include air traffic management | Airport, state, commercial operators | 4 | 2 3 1 1 2 2 2 4 2 2 2 |
| A5 | Passports and National ID cards | Passports and national ID cards, RFID-equipped, with digital photo and biometrics (fingerprint). The devices may store the following data: personal data; biometrics, such as facial image, fingerprints | State/national authority issuing it, citizen/passenger | 4 | 2 4 3 2 3 4 3 4 2 4 2 |
| A6 | Mobile smart devices | Small computing devices that allow the transmission of voice and data. Functions usually integrated in one device: mobile phone, digital camera (working also as 2D barcode reader), NFC reader/tag, Bluetooth, LCD (2D barcode can be displayed), GNSS receiver. Smart phones, PDAs, laptops, e-book readers etc. The devices may store the following data: personal data; personal preferences; location data; electronic boarding passes; electronic visa. They may also store and/or generate: non-personal data; passports and National ID cards; Passenger Name Record data | Citizen/passenger. For electronic boarding passes and/or visas, the owner could also be the airline company and state, respectively. | 4 | 2 4 2 2 2 3 3 4 3 3 3 |
| A7 | Health monitoring devices | Allergy bracelet. Implants / in-body monitoring sensors. Airline seat sensors. The devices may store the following data: personal data; health data | Citizen/passenger, airlines, airports | 5 | 5 2 3 2 2 2 2 3 2 4 2 |
| A8 | Travel documents (paper) | Paper versions of tickets and boarding passes. May contain the following data: personal data; location data; non-personal data | Citizen/passenger, airline company | 3 | 2 3 2 2 3 3 1 3 2 3 2 |
| A9 | RFID & barcode readers | Readers in automatic check-in kiosks, security control, etc., as well as passenger mobile devices | State, airport authorities, airlines, companies, passengers | 4 | 2 3 2 1 2 4 2 3 2 3 2 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | RFID-enabled or not. Used to make transactions. | Citizen/passenger, issuing bank | 4 | 2 4 2 2 2 2 4 4 2 4 3 |
| A11 | Other RFID cards | Transport systems and small payments cards, frequent-flyer RFID-based cards. | Issuing companies and authorities, passengers | 3 | 2 3 2 1 1 2 2 3 2 2 2 |
| A12 | Scanners & detectors | Liquids and gels (LAG) detectors; body scanners | Airports, State, security companies | 3 | 2 3 3 2 2 2 2 2 1 3 2 |
| A13 | Networks | Wi-Fi, WiMax, conventional broadband, ZIGBEE, smart dust mesh networks, etc. | Service providers, including airports and airlines | 4 | 2 4 3 2 2 2 3 3 3 4 2 |
| A14 | State databases | Database containing data on passengers held by the State authorities for official travel purposes. | State, international bodies (SIS, Interpol, Europol) | 4 | 3 3 4 4 4 3 2 2 2 4 2 |
| A15 | Commercial and other databases | Databases containing data on passengers held by others not related to the State databases in A14. | Companies, shops, travel agencies | 4 | 2 3 4 3 3 1 2 3 2 3 3 |
| A16 | Temporary handset airport guides | Device given to passengers to help them navigate the airport and to provide translation facility | Airport management | 2 | 1 2 2 2 1 2 2 2 2 1 1 |
| A17 | Luggage and goods | The passengers' luggage. | Citizen/passenger, shops | 3 | 2 3 2 2 1 2 2 3 2 2 2 |
| A18 | Check-in infrastructure | Check-in desks, kiosks etc. | Airlines, airport | 3 | 2 3 2 2 2 3 3 3 2 2 2 |
| A19 | Airport facilities | All the physical facilities of the airport; includes also shops, stands, information desks etc. | Shops, airports | 3 | 1 3 2 1 1 2 3 3 2 2 3 |
| A20 | Cars / vehicles | Cars / vehicles used in the scenario | Citizens / state | 4 | 3 3 1 1 1 4 2 4 1 1 3 |


Impact Areas

[estimation of impact of the identified threats; it is closely related to the asset value, so you need to consider that]

| No. | Impact | Description |
|---|---|---|
| I01 | Health / Life / Safety | Refers to the physical and psychological condition of an individual; his/her physical and psychological well-being and absence of disease. |
| I02 | Time / efficiency | Time needed to check-in, security controls or boarding |
| I03 | Human rights | Human rights, e.g. privacy, autonomy, non-discrimination, dignity |
| I04 | Social values | Social inclusion, e-inclusion, trusted human relationships, etc. |
| I05 | Legal and regulatory | Existing legal regulatory framework needs to be respected. It foresees consequences for violations and for failure to fulfil the obligations foreseen in it. It delineates the passenger rights. PNR is also based on bilateral/international agreements on the transfer of information of the passengers. |
| I06 | Mobility of individuals | The ability and potential of people to move across countries. |
| I07 | Financial / economical | Cost considerations for airlines, airports, companies and individuals |
| I08 | Comfort, convenience and ease of access | Smooth processes, services on demand, usability. The provision of services for people with usabilities |
| I09 | Interoperability | Interoperability between networks, sensors, devices, organisations, passengers and users is central to the scenario. An IoT-like network will depend on a high level of interoperability between all of the different contexts and situations in which devices will need to communicate. However, interoperable networks carry with them significant risks and issues, such as privacy, access controls, access to data, secondary and primary uses of data and data 'shelf' life. These would be apart from the technical problems such as standardisation in network protocols, for example. Interoperable networks may also provide more room for fraud or other criminal activity in that compromising one part may allow unauthorised access to another. The same is true if interoperability extends to interdependency in the case of failures and problems. |
| I10 | Trust | Trust is essential in all aspects of the scenario. Passengers must trust the information on their devices. Operators must trust personal data provided, and information provided to them by other operators. Trust is also needed in the automated procedures by airlines and airport operators. And border authorities must likewise trust in the systems to perform. |
| I11 | Business activities | |

Implemented Controls
[existing safeguards etc. already in place and that need to be considered. These may be found in the assumptions for example]

| Existing Control ID | Control Description | Control Category | Control Nature | Affected Assets |
|---|---|---|---|---|
| C1 | Multiple ways of getting to the airport (personal vehicle, buses, taxis, trains etc): intermodality | Containment & Recovery | Semi-automated | A1. Automated reservation, checking and boarding procedure |
| C2 | Comparison of individuals physical traits with those documented on a valid official document (passport, national ID card, crew pass, personnel pass) for identification and authentication purposes | Preventive | Manual | A1. Automated reservation, checking and boarding procedure |
| C3 | Automatic authentication of passengers by means of their biometric features | Preventive | Automated | A1. Automated reservation, checking and boarding procedure |
| C4 | Authorisation of passengers by a paper boarding pass and verified by the airline personnel | Preventive | Manual | A1. Automated reservation, checking and boarding procedure |
| C5 | Authorisation of passengers by electronic boarding pass verified by the departure control system of the airline | Preventive | Automated | A1. Automated reservation, checking and boarding procedure |
| C6 | Valid crew or airport personnel pass with digital photo | Preventive | Automated | A1. Automated reservation, checking and boarding procedure |
| C7 | Security checks in smart corridors with metal detectors, EDS and LAG detectors | Detective, Preventive | Automated | A1. Automated reservation, checking and boarding procedure |
| C8 | Airport security monitoring and emergencies identification through the usage of smart devices | Detective, Corrective | Automated | A1. Automated reservation, checking and boarding procedure |
| C8 | Airport security monitoring and emergencies identification through the usage of smart devices | Detective, Corrective | Automated | A19. Airport facilities |
| C8 | Airport security monitoring and emergencies identification through the usage of smart devices | Detective, Corrective | Automated | A18. Check-in infrastructure |
| C9 | Departure Control System (DCS) | Preventive | Automated | A1. Automated reservation, checking and boarding procedure |
| C10 | Verification of only one person in the booth | Deterrent, Preventive | Automated | A1. Automated reservation, checking and boarding procedure |
| C11 | Global Entry System authentication for schengen visa holders using PNR | Preventive | Automated | A1. Automated reservation, checking and boarding procedure |
| C12 | Communication of the payment transaction record to the shuttle service operator | Preventive | Automated | A4. Automated traffic management |
| C13 | Sharing and co-ordination of traffic data | Preventive, Deterrent | Automated | A4. Automated traffic management |
| C14 | Automobile's licence plate number capture by the digital video camera and respective record storage | Detective | Automated | A4. Automated traffic management |
| C15 | Website RFID tags on purchased goods for identification of the rightful owner | Preventive, Detective | Automated | A3. Luggage and goods handling |
| C15 | Website RFID tags on purchased goods for identification of the rightful owner | Preventive, Detective | Automated | A17. Luggage and goods |
| C16 | Reception of purchased goods after scanning the boarding pass on a specific reader inside the plane | Preventive, Detective | Automated | A3. Luggage and goods handling |
| C17 | Reception of purchased goods after scanning the boarding pass on a specific reader inside the plane | Preventive, Detective | Automated | A17. Luggage and goods |
| C17 | Automated return of unused credit from TfL | Corrective | Automated | A10. Credit Cards/Debit card/Payment cards/'e-wallet' |
| C18 | Flight confirmation during goods purchase | Detective, Preventive | Automated | A3. Luggage and goods handling |
| C18 | Flight confirmation during goods purchase | Detective, Preventive | Automated | A17. Luggage and goods |
| C19 | GPI RFID chip | Preventive | Automated | A6 Mobile 'smart' devices |
| C20 | GA message for boarding | Corrective, Preventive | Automated | A1. Automated reservation, checking and boarding procedure |
| C21 | Special seats embedded with pressure and temperature sensors on aircraft | Detective | Automated | A7 Health monitoring devices |
| C22 | SMS record kept by taxi service as a proof | Detective | Automated | A4 Automated Traffic Management |

Vulnerabilities
[of the tangible / intangible assets]

| No | Vulnerability Description | Exposure [Metric Values are 1-5]* | Severity [Metric Values are 1-5]* | Vulnerability Assessment Value* | Comments / Additional Info |
|---|---|---|---|---|---|
| V1 | Inappropriate design of procedures | 3 | 4 | 2.4 | This vulnerability could be due to lack of accountability, high complexity of procedures, assigning extensive responsibilities to end-users (in critical parts of the procedures), etc. |
| V2 | Excessive dependency on IT systems, network and external infrastructure | 4 | 3 | 2.4 | An excessive dependency arises when one relies on IT systems. It is a sort of "mug's game" in the sense that virtually every system will fail to a lesser or greater extent at some point or other. |
| V3 | Lack of back-up / failover procedures | 3 | 3 | 1.8 | When things do go wrong, there is no adequate back-up system in place to take over. Availability/robustness has not been considered in the system design, or appropriate failure modes have not been addressed. |
| V4 | Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | 2 | 4 | 1.6 | This includes unfriendly authentication mechanisms, too frequent requests for password change, too quick automatic log-offs, etc. This vulnerability may also arise because there has not been sufficient training given to staff in detecting and understanding security threats. |
| V5 | Lack of usability / unfriendly user interface(s) of device(s) | 3 | 3 | 1.8 | This vulnerability is due to the difficulty of using device interfaces. The interfaces are not intuitive or user friendly. It may arise from excessive or unnecessary functionality options available to the users. A device may be too complicated for ease of use. |
| V6 | Lack of interoperability between devices and/or technologies and/or systems | 3 | 4 | 2.4 | A simple example of the lack of interoperability appears when the RFID reader at the airport cannot write data to the RFID tag on Akira's suitcase. This vulnerability depends on the governance. |
| V7 | Collected data is insufficient or incorrect [lack of adequate controls at data entry] | 3 | 4 | 2.4 | This vulnerability arises when systems do not collect enough or appropriate data or garble the data they do collect. For example, the data collected by passenger name records (PNR) may not be sufficient to identify a terrorist or an improper entry on no-fly lists, incorrect entries in relation to visa status, and mistaken identification of individuals by commercial entities. |
| V8 | Dependency on power systems | 4 | 3 | 2.4 | If a natural disaster, for example, disrupts an airport's power system, everything comes to a halt. |
| V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | 3 | 3 | 1.8 | This vulnerability may refer to systems, devices, data access or network access. This also includes authentication of RFID and RFID readers, and since many RFIDs are writeable, this may increase the vulnerability. |
| V10 | Flawed/insufficient design and/or capacity of devices and systems | 2 | 2 | 0.8 | Poorly designed devices or systems may create a vulnerability, whereby they are not sufficiently robust or resilient to withstand attacks by hackers (for example) or they may not do what is expected of them, especially at critical times. |
| V11 | Lack of adequate controls in biometrics' enrolment stage | 3 | 2 | 1.2 | Biometrics are not 100 per cent reliable. Part of the reason why they are not may occur at the enrolment stage when an individual's iris or fingerprints or other feature are scanned. |
| V12 | Lack of harmonisation and interoperability of procedures | 2 | 2 | 0.8 | Security or other procedures may vary from one airport to another, creating opportunities for evil-doers. |
| V13 | Lack of or inappropriate protection of RFID tags | 2 | 3 | 1.2 | |
| V14 | Lack of sufficiently skilled and/or trained personnel [airport, airline] | 3 | 4 | 2.4 | It's often been said that the weakest link in any system is human. If personnel are inadequately trained, they become a vulnerability. They need to be trained adequately to detect and understand security threats and what to do in the event of a system malfunction. |
| V15 | Insufficient equipment | 2 | 5 | 2 | Airports with insufficient equipment may create a security vulnerability. The vulnerability might also pose problems to the efficient processing of passengers from check-in to boarding. |
| V16 | Inappropriate expansion of the trust perimeter | 2 | 3 | 1.2 | Too many people may have access to personal information. Often the biggest threat comes from insiders. |
| V17 | Lack of dependable sensors, GPS | 2 | 3 | 1.2 | |
| V18 | Lack of respect to the data minimisation and proportionality principles | 2 | 2 | 0.8 | The data collected and processed shall be adequate, relevant and not excessive in relation to the purposes for which they are collected. An example of such lack of respect to the data minimisation and proportionality principles is the case when an LBS system collects not only the information absolutely needed for the provision of the service, but also stores excessive information. The need-to-know principle is not enforced by any means. |
| V19 | Lack of respect to the purpose limitation (finality principle) | 4 | 4 | 3.2 | When the purpose limitation principle is not respected, more data are collected and processed than is strictly necessary for the specified purpose. For instance, Christina's approximate physical location is revealed to both the cell communication provider as well as the navigation service that provides the map and traffic conditions applications. |
| V20 | Lack of respect to the transparency principle | 4 | 4 | 3.2 | Lack of respect to the transparency principle means that the data subject is not able to determine the relevant data processing practices. In the IoT a lot of information is transmitted and processed via automated processes, most of which remain unnoticed by the data subject. |
| V21 | Inappropriate / inadequate identity management | 3 | 3 | 1.8 | While the traffic and local map are being downloaded in real time, Christina's approximate physical location is revealed to both the cell communication provider as well as the navigation service that provides the map and traffic conditions applications. Appropriate identity management would protect Christina's privacy in this case. |
| V22 | Inadequacy of RF traffic regulations | 2 | 4 | 1.6 | |
| V23 | Over dependency on biometrics | 2 | 2 | 0.8 | Biometric identification has relatively high error rates (especially automatic face recognition). Although modern biometric sensors (especially fingerprint and iris sensors) are difficult to compromise ('liveness detection'), it is still possible to spoof them. Awareness of the imperfection of biometric systems is an important factor of overall security [P. Rotter (ed.) Biometrics Deployment Study. Large-scale biometrics deployment in Europe. Identifying challenges and threats. JRC-IPTS report EUR 23564 EN 2008, ISBN 978-92-79-10657-6. Available at: http://ftp.jrc.es/EURdoc/JRC48622.pdf]. |
| V24 | | 2 | 2 | 0.8 | |
| V25 | Inherent features (size, material etc.): easy to lose, to be stolen and/or copied (especially for RFID tags) | 3 | 4 | 2.4 | Inherent vulnerability of cards and devices (passports, RFID tags, etc.): they are small in size, and they are easy to lose, be stolen and/or copied. |
| V26 | Actual RFID range longer than standard | 2 | 3 | 1.2 | Malicious RFID readers may be able to operate from a distance several times longer than the intended range (Kirschenbaum & Wool 2006). Moreover, shielding of RFID is often not possible. |
| V27 | RFID tags do not have a turn-off option | 2 | 2 | 0.8 | Unlike mobile phones or PDAs, most RFID tags cannot be turned off and are always ready to send data for a request received by radio waves. This feature is an inherent vulnerability. |
| V28 | Insufficient protection against reverse engineering | 2 | 2 | 0.8 | In RFID and contactless smart cards, due to limited resources, the methods for protection against reverse engineering, such as dummy structures, scramble buses and memory cells, etc., are rarely applied. Active methods for detection of reverse engineering attack are impractical in these devices. |
| V29 | Inadequate security measures of data storage (e.g. inadequate encryption measures) | 3 | 1 | 0.6 | In the case of RFID and contactless smart cards, due to limited resources, manufacturers often apply light cryptography and proprietary cryptographic methods. |
| V30 | Over-sensitivity of devices (generating many false alarms) | 2 | 2 | 0.8 | Some devices are not 100 per cent reliable. They may produce inaccurate results or make false positives or negatives. |
| V31 | Sensitivity to magnetic fields | 2 | 3 | 1.2 | |
| V32 | Devices & equipment used in unprotected environments | 3 | 3 | 1.8 | Devices used by a great number of people every day [health issues (e.g. infectious diseases spread by fingerprint scanners)] |
| V33 | High error rates of biometric identification (esp. face-based recognition) | 3 | 3 | 1.8 | Face-based identification has the highest social acceptance among all biometric identification methods. Unfortunately, it also has high error rates, which leads to many false alarms and/or false acceptances. |
| V34 | Communication of data over unprotected or publicly accessible channels | 3 | 3 | 1.8 | |
| V35 | Data linkability | 3 | 3 | 1.8 | Different databases or data stored at different locations serving different purposes are / can be linked, thus enabling greater data matching, data mining, profiling, data aggregation or social sorting. The key question here is who is doing the linking and why: it could be for security reasons (catching terrorists before they fly), but it could also be for commercial exploitation by airlines, vendors, service providers operating in the airport as well as by evil-doers seeking to undermine air travel, airport systems or engaged in spoofing, phishing, spamming. |
| V36 | Lack of data correction mechanisms (as normally data subjects do not have access to the databases) | 4 | 3 | 2.4 | Many entities are collecting personal data, but rather fewer of them have procedures in place enabling individuals (data subjects) to see what data they have about them. Procedures for correcting incorrect data may not exist or may be cumbersome and bureaucratic. |
| V37 | Failure of biometrics sensors | 2 | 3 | 1.2 | |
| V38 | Lack of common or harmonised legislation in EU Member States | 3 | 2 | 1.2 | Although Member States have transposed the EU Data Protection Directive, they have not done so in a fully harmonised way. In addition, there are lacunae in the legislation so that some matters are not addressed. |
| V39 | Insufficient protection of wireless networks and communication (weak or no encryption etc.) | 4 | 5 | 4 | Due to limited resources, RFID tags often use light, proprietary cryptography, which in some cases is not sufficient. Identifiers of tags which are sent in the beginning of communication are not encrypted at all (as a part of anti-collision protocol) and they may be used e.g. for tracking of people. |
| V40 | Lack of respect to the legitimacy of data processing, e.g. consent | 3 | 4 | 2.4 | The processing of personal data is supposed to be legitimate. However, some data controllers and data processors may not have obtained the informed consent of data subjects. |
| V41 | Lack of respect to the data conservation principle | 3 | 3 | 1.8 | Personal data are supposed to be deleted when they are no longer necessary for the purposes for which they were collected or processed. |
| V42 | Lack of respect to the rights of the data subject (such as the right for rectification, blocking or deletion of data) | 2 | 3 | 1.2 | Data subjects are supposed to be given the opportunity to rectify incorrect data or to block its further use. For instance, Akira wishes to unsubscribe from "Hazukashi Not" service and to have his account deleted. |

*Indicative values - the final vulnerability value is estimated for every pair asset-vulnerability.

Threats and Threat Agents
[perceived threats that could exploit the identified vulnerabilities of the assets]

| Threat ID | Threats | Threat Agent (source of threat or person who initiates threat) | TA Motivation; TA Capacity (knowledge etc.) | Comments | Threat Assessment Value |
|---|---|---|---|---|---|
| T1 | Denial of service attack / flood / buffer overflow | Vandals/terrorists/Corporate raiders/professional criminals/hackers/rogue; State | Medium; Varies from low to high | A denial of service attack is sabotage, aimed at disrupting a service for fun or to achieve political or illegal goals. A DOS attack is sometimes known as a buffer overflow attack or flooding. | 3 |
| T2 | Spoofing of credentials / bypass authentication | Corporate raiders/professional criminals/hackers | Medium; 4 | This threat is a stepping stone to achieve the next stage of sabotage or penetration. | 5 |
| T3 | Large-scale and/or inappropriate data mining and/or surveillance | Marketing companies, online service providers, malicious attackers | To collect large volume of potentially personal sensitive data for market analysis and profit making (H); 5 | The ease with which data can be collected, aggregated and mined coupled with the motivation of large financial paybacks make this a widespread threat. Roger Clarke coined the term dataveillance to describe the phenomenon of surveillance by means of data analysis. Both airports and governments may also have an interest in analysing data, to prevent terrorist related incidents, to develop more targeted advertising. | 4 |
| T4 | Traffic analysis / scan / probe | Corporate raiders/professional criminals/hackers | High | This threat is often found in conjunction with or preparation for another attack aimed at revealing protected sensitive operations. The threat gleans data implied in network communication patterns. Traffic analysis requires special skill and knowledge to be effective. | 3 |
| T5 | Man-in-the-middle attack | Hacker | To hijack network communication channel for sensitive data collection and misinformation feeding and identity theft (HML); 4 | This is one of the most common attack methods, especially for information collection. However, such attacks on RFID and smart cards do not occur very often. Such attacks are usually carried out to appropriate others' identity rather than getting access to restricted areas or data, which is usually encrypted. Man-in-the-middle (or relay) attacks for contactless smart cards have been theoretically analysed by Kfir and Wool (2005). For practical aspects, see Hancke (2005). Countermeasures such as distance bounding based on response time (Hancke & Kuhn 2005; Reid et al. 2006) or signal-to-noise rate (Fishkin & Roy 2003) are rarely applied. | 3 |
| T6 | Social engineering attack | Hacker, criminal, terrorists | To obtain sensitive information and system penetration; 4 | Social engineering attacks are widespread and too-often effective. They play upon gullibility or human psychological weakness. Phishing could be regarded as a form of social engineering. | 4 |
| T7 | Theft [of cards, devices etc] | Malicious attacker | Financial gain, criminal activities (H); 4 | There will always be evil-doers engaged in theft of others' property, be it smart cards, smart phones or whatever. Theft is not, of course, the only crime. Extortion, fraud and many other crimes are common in cyberspace. | 4 |
| T8 | Unauthorised access to / deletion / modification of devices / data etc. | Malicious attacker | | This attack refers to unauthorized access to data stored on RFID, smart cards (especially contactless) and personal devices. Databases can also be a subject of attack through the network, and data can be illegally accessed and modified by unauthorized personnel. | 4 |
| T9 | Loss or misuse [of cards, devices etc] | Passenger, airport and airline personnel | | Loss or misuse of a card or device is also a common threat. | 3 |
| T10 | Use erroneous and/or unreliable data | | | | 4 |
| T11 | Procedures / instructions not followed | Airport and airline personnel. Passengers | | This threat arises when, for example, a passenger doesn't follow instructions and makes a jam in the automated passport/immigration control or smart corridor. | 3 |
| T12 | Non-compliance with data protection legislation | Commercial establishments, State | 4 | This threat arises when governments and business do not comply with provisions of data protection legislation and the principles stated therein, for example, regarding data minimisation, purpose specification, proportionality, informed consent, access to data by the data subject, etc. | 4 |
| T13 | Function creep (data used for other purposes than the ones for which they were originally collected) | Commercial establishments | 4 | Function creep occurs when data are used for other purposes than the ones for which they were originally collected. For example, in the air traffic scenario, a car rental company doing some market analysis might approach an airport operator to gain access to its data on airport parking. | 4 |
| T14 | Unauthorized check-in and boarding / identity theft | Hacker, criminal, terrorist | | For example, an attacker might use a fake fingerprint with a stolen passport to board the plane. | 4 |
| T15 | Cloning of credentials and tags (RFID related) | Hacker | Medium-High; Medium-High | An RFID clone can be either physically similar to the original tag or can be a notebook with a special antenna. Cloning is relatively easy for basic tags but even some advanced and apparently well protected tags with a challenge-response protocol have been cloned (Juels 2005; Bono et al. 2005; Courtois et al. 2008). | 3 |
| T16 | Unauthorised access to other restricted areas (apart from boarding, e.g. control room, personnel's offices) | Hacker, criminal, terrorist | | This threat can arise as a result of stealing or cloning authorisation tokens (like smart cards). | 3 |
| T17 | Side channel attack | | | Smart cards or RFID tags may be subject to side channel attacks based on information gained from the physical implementation of a cryptosystem, like variations of power consumption, time of computations or electromagnetic field (Bar-El 2003). It is often combined with other cryptanalysis methods. | 2 |
| T18 | Blocking | | | RFID or a GSM network can be blocked by exploiting vulnerabilities of information exchange protocols. Blocking can also be useful as a way to protect consumers' privacy (Juels, Rivest, Szydlo 2003). | 2 |
| T19 | Jamming | Hacker | System operation interruption to further achieve attack steps such as spoofing or decoyed attacks (L); 4 | Jamming is malicious interference of a radio transmission. It can result in denial of service and forcing a system to use fallback procedures. Large-scale jamming requires extensive equipment setup and exposure of the transmission source. It is not commonly practised unless with a clear and critical agenda. | 2 |
| T20 | Fake / rogue RFID readers / scanning of RFID reader and/or tag | | | RFID tags can be read by any RFID reader. Therefore, rogue RFID readers can scan for RFID and be used for unauthorized reading of information from a tag. As RFIDs often have light cryptography schemes (if any), powerful back-end systems can break the code in minutes, making the security protection ineffective. The range of a reader may be extended several times beyond the standard communication distance, for example ISO 14443 cards with standard range 10 cm can be scanned from 25-35 cm, which is enough to read a card in someone's pocket. Main countermeasures are: encryption, authentication of the reader, using short-range tags, shielding tags with an anti-skimming material (e.g. aluminium foil) and moving sensitive information to a protected database in the system's backend. | 3 |
| T21 | Physical RFID tag destruction | | | The easiest way to disrupt RFID systems is to physically destroy the tags. Destruction becomes a serious issue when RFID tags are used as anti-theft protection. RFID tags in e-passports can be destroyed by owners who have concerns about possible abuse of their privacy, especially as an e-passport with a non-working RFID tag is still valid (Wortham 2007). | 4 |
| T22 | Malfunctioning/breakdown of systems / devices / equipment | n/a | n/a; n/a | This threat occurs when systems or devices malfunction due to hardware/software/implementation errors. | 4 |
| T23 | E-visa not accepted at check in | system fault | | | 3 |
| T24 | Worms, viruses & malicious code | Hacker, rogue state | Service disruption, system compromise, information theft; 4 | Worms, viruses and malicious code are a part of our daily cyber life. They are a prevalent and effective way of disrupting systems. Even very simple RFID tags, such as those used for tagging goods, can carry a malicious code (Rieback et al. 2006). | 3 |
Worms, viruses & malicious code3T25Malicious attack on power systemsMalicious attackerThis threat might be aimed at forcing a system to use fallback procedures, e.g., in order to get unauthorised access to restricted areas.3T25T253T25. Malicious attack on power systems3T26State surveillance on citizensStateTo achieve unethical citizen control political agenda (H)5Unjustified political agendas often lead to excessive surveillance on citizens. Every described case (true or invented) dramatically decreases trust and acceptance of technology (especially biometrics, RFID).5T26T265T26. State surveillance on citizens5T27Trade union/labour strikesLabor union3T27T273T27. Trade union/labour strikes3T28Adverse weather condition or other disastern/an/an/aThis threat is of low probability but potentially high consequence. The destruction wrought by natural disasters is difficult to predict. It could affect airport and telecommunication (network) operations. 4T28T284T28. Adverse weather condition or other disaster4T29Ad hoc network routing attackCorporate raiders/professional criminals/hackersInitial attack step to further achieve cloning, man-in-the-middle attack, or service interruption which leads to system compromise (M)4Personal mobile devices may create ad hoc networks in order to exchange data and information between users. These networks can be used by attacker to break into personal devices and compromise the communication and information exchange between parties. For example, DOS attacks can flood ad-hoc networks; rogue participants can de-route or compromise legitimate messages and information exchanges.2T29T292T29. Ad hoc network routing attack2T30Low acceptance of devices / equipment / proceduresPassengers / citizens / airport & airline personnelRFID is perceived by many people as a privacy threat. They have been called "spychips" (Albrecht, McIntyre 2005). 
Most of the concerns presented during an EU public consultation on RFID were related to privacy (Maghiros, Rotter, van Lieshout 2007). Also some biometrics have low social acceptance, especially fingerprints which are commonly regarded as linked to criminal investigations.4T30T304T30. Low acceptance of devices / equipment / procedures4T31Data linkabilityCommercial establishments, State4The abundance of data collected and processed in the IoT and their storage in databases (commercial and state) facilitate their linkability.4T31T314T31. Data linkability4T32Profiling Commercial establishments, State4The abundance of data collected and processed in the IoT can lead to the creation of user profiles (relating to consumer preferences, travelling habits, etc.).4T32T324T32. Profiling 4T33Exclusion of the data subject from the data processing processCommercial establishments, State4The automatisation of the processes in the IoT threatens to exclude the data subject from the data processing process.4T33T334T33. Exclusion of the data subject from the data processing process4T34Trivialisation of unique identifiersCommercial establishments, State4The use of unique identifiers, such as the human fingerprint, is increasingly being used for trivial transactions, such as in the case when Elena registers her fingerprint in order to "secure" her boarding pass.4T34T344T34. Trivialisation of unique identifiers4

Assets+Vulnerabilities
Mapping of Assets and Vulnerabilities

| Asset ID | Assets | Vulnerability Description | Vulnerability Value |
|---|---|---|---|
| A1 | Automated reservation, check-in and boarding procedure | V1. Inappropriate design of procedures - includes: lack of accountability, high complexity of procedures, assigning extensive responsibilities to end-users (in critical parts of the procedures) etc. | 3 |
| A1 | Automated reservation, check-in and boarding procedure | V10. Flawed/insufficient design and/or capacity of devices and systems | 3 |
| A1 | Automated reservation, check-in and boarding procedure | V12. Lack of harmonisation and interoperability of procedures | 3 |
| A1 | Automated reservation, check-in and boarding procedure | V14. Lack of sufficiently skilled and/or trained personnel [airport, airline] | 4 |
| A1 | Automated reservation, check-in and boarding procedure | V15. Insufficient equipment | 2 |
| A1 | Automated reservation, check-in and boarding procedure | V16. Inappropriate expansion of the trust perimeter | 4 |
| A1 | Automated reservation, check-in and boarding procedure | V18. Lack of respect to the data minimisation and proportionality principles | 4 |
| A1 | Automated reservation, check-in and boarding procedure | V19. Lack of respect to the purpose restriction principle (purpose limitation principle) | 4 |
| A1 | Automated reservation, check-in and boarding procedure | V2. Excessive dependency on IT systems, network and external infrastructure | 3 |
| A1 | Automated reservation, check-in and boarding procedure | V21. Inappropriate / inadequate identity management | 3 |
| A1 | Automated reservation, check-in and boarding procedure | V28. Inadequate security measures of data storage (e.g. inadequate encryption measures) | 3 |
| A1 | Automated reservation, check-in and boarding procedure | V3. Lack of back-up / failover procedures | 4 |
| A1 | Automated reservation, check-in and boarding procedure | V36. Lack of data correction mechanisms (as normally data subjects do not have access to the databases) | 3 |
| A1 | Automated reservation, check-in and boarding procedure | V37. Failure of biometrics sensors | 3 |
| A1 | Automated reservation, check-in and boarding procedure | V38. Lack of common or harmonised legislation in EU Member States | 4 |
| A1 | Automated reservation, check-in and boarding procedure | V4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | 4 |
| A1 | Automated reservation, check-in and boarding procedure | V39. Insufficient protection of wireless networks and communication (weak or no encryption etc.) | 2 |
| A1 | Automated reservation, check-in and boarding procedure | V5. Lack of usability / unfriendly user interface(s) of device(s) | 4 |
| A1 | Automated reservation, check-in and boarding procedure | V6. Lack of interoperability between devices and/or technologies and/or systems | 3 |
| A1 | Automated reservation, check-in and boarding procedure | V7. Collected data is insufficient or incorrect [lack of adequate controls at data entry] | 3 |
| A1 | Automated reservation, check-in and boarding procedure | V8. Dependency on power systems | 4 |
| A1 | Automated reservation, check-in and boarding procedure | V10. Flawed/insufficient design and/or capacity of devices and systems | 3 |
| A1 | Automated reservation, check-in and boarding procedure | V9. Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | 3 |
| A1 | Automated reservation, check-in and boarding procedure | V20. Lack of respect to the transparency principle | 3 |
| A1 | Automated reservation, check-in and boarding procedure | V41. Lack of respect to the data conservation principle | 3 |
| A1 | Automated reservation, check-in and boarding procedure | V42. Lack of respect to the rights of the data subject (such as the right for rectification, blocking or deletion of data). | 4 |
| A2 | Electronic visa issuing process | V8. Dependency on power systems | 3 |
| A2 | Electronic visa issuing process | V1. Inappropriate design of procedures - includes: lack of accountability, high complexity of procedures, assigning extensive responsibilities to end-users (in critical parts of the procedures) etc. | 5 |
| A2 | Electronic visa issuing process | V12. Lack of harmonisation and interoperability of procedures | 4 |
| A2 | Electronic visa issuing process | V14. Lack of sufficiently skilled and/or trained personnel [airport, airline] | 4 |
| A2 | Electronic visa issuing process | V3. Lack of back-up / failover procedures | 4 |
| A2 | Electronic visa issuing process | V7. Collected data is insufficient or incorrect [lack of adequate controls at data entry] | 3 |
| A2 | Electronic visa issuing process | V5. Lack of usability / unfriendly user interface(s) of device(s) | 3 |
| A2 | Electronic visa issuing process | V23. Over dependency on biometrics | 3 |
| A2 | Electronic visa issuing process | V6. Lack of interoperability between devices and/or technologies and/or systems | 4 |
| A2 | Electronic visa issuing process | V9. Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | 3 |
| A2 | Electronic visa issuing process | V4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | 4 |
| A2 | Electronic visa issuing process | V38. Lack of common or harmonised legislation in EU Member States | 3 |
| A2 | Electronic visa issuing process | V18. Lack of respect to the data minimisation and proportionality principles | 4 |
| A2 | Electronic visa issuing process | V19. Lack of respect to the purpose restriction principle (purpose limitation principle) | 4 |
| A2 | Electronic visa issuing process | V35. High data linkability | 3 |
| A2 | Electronic visa issuing process | V15. Insufficient equipment | 2 |
| A2 | Electronic visa issuing process | V40. Lack of respect to the legitimacy of data processing, e.g. consent | 4 |
| A2 | Electronic visa issuing process | V41. Lack of respect to the data conservation principle | 4 |
| A2 | Electronic visa issuing process | V42. Lack of respect to the rights of the data subject (such as the right for rectification, blocking or deletion of data). | 5 |
| A2 | Electronic visa issuing process | V21. Inappropriate / inadequate identity management | 3 |
| A2 | Electronic visa issuing process | V20. Lack of respect to the transparency principle | 4 |
| A3 | Luggage and goods handling | V13. Lack of or inappropriate protection of RFID tags | 2 |
| A3 | Luggage and goods handling | V25. Actual RFID range longer than standard | 2 |
| A3 | Luggage and goods handling | V2. Excessive dependency on IT systems, network and external infrastructure | 3 |
| A3 | Luggage and goods handling | V37. Failure of biometrics sensors | 2 |
| A3 | Luggage and goods handling | V22. Collision of tag traffic / Radio-frequency interference | 2 |
| A3 | Luggage and goods handling | V12. Lack of harmonisation and interoperability of procedures | 3 |
| A3 | Luggage and goods handling | V5. Lack of usability / unfriendly user interface(s) of device(s) | 2 |
| A3 | Luggage and goods handling | V15. Insufficient equipment | 4 |
| A3 | Luggage and goods handling | V24. Inherent features (size, material etc.): easy to lose, stolen and/or copied (especially for RFID tags) | 2 |
| A3 | Luggage and goods handling | V6. Lack of interoperability between devices and/or technologies and/or systems | 4 |
| A4 | Automated traffic management | V17. Lack of dependable sensors, GPS | 3 |
| A4 | Automated traffic management | V39. Insufficient protection of wireless networks and communication (weak or no encryption etc.) | 4 |
| A4 | Automated traffic management | V14. Lack of sufficiently skilled and/or trained personnel [airport, airline] | 2 |
| A4 | Automated traffic management | V2. Excessive dependency on IT systems, network and external infrastructure | 3 |
| A4 | Automated traffic management | V18. Lack of respect to the data minimisation and proportionality principles | 2 |
| A4 | Automated traffic management | V19. Lack of respect to the purpose restriction principle (purpose limitation principle) | 4 |
| A4 | Automated traffic management | V6. Lack of interoperability between devices and/or technologies and/or systems | 2 |
| A4 | Automated traffic management | V38. Lack of common or harmonised legislation in EU Member States | 2 |
| A4 | Automated traffic management | V20. Lack of respect to the transparency principle | 3 |
| A4 | Automated traffic management | V40. Lack of respect to the legitimacy of data processing, e.g. consent | 3 |
| A4 | Automated traffic management | V41. Lack of respect to the data conservation principle | 3 |
| A4 | Automated traffic management | V42. Lack of respect to the rights of the data subject (such as the right for rectification, blocking or deletion of data). | 3 |
| A4 | Automated traffic management | V21. Inappropriate / inadequate identity management | 3 |
| A5 | Passports and National ID cards | V20. Lack of appropriate user procedures, especially regarding the collection and processing of personal data: lack of informed consent, insufficient definition of the purpose for which the data are collected, lack of transparency and data traceability (the user doesn't know when his data are being accessed, by whom and why) | 4 |
| A5 | Passports and National ID cards | V23. Over dependency on biometrics | 4 |
| A5 | Passports and National ID cards | V11. Lack of adequate controls in biometrics' enrollment stage | 3 |
| A5 | Passports and National ID cards | V4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | 3 |
| A5 | Passports and National ID cards | V24. Inherent features (size, material etc.): easy to lose, stolen and/or copied (especially for RFID tags) | 2 |
| A5 | Passports and National ID cards | V6. Lack of interoperability between devices and/or technologies and/or systems | 3 |
| A5 | Passports and National ID cards | V9. Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | 2 |
| A5 | Passports and National ID cards | V25. Actual RFID range longer than standard | 4 |
| A5 | Passports and National ID cards | V26. RFID tags do not have a turn-off option | 3 |
| A5 | Passports and National ID cards | V27. Insufficient protection against reverse engineering | 3 |
| A5 | Passports and National ID cards | V28. Inadequate security measures of data storage (e.g. inadequate encryption measures) | 4 |
| A5 | Passports and National ID cards | V31. Devices & equipment used in unprotected environments | 3 |
| A5 | Passports and National ID cards | V13. Lack of or inappropriate protection of RFID tags | 4 |
| A5 | Passports and National ID cards | V39. Insufficient protection of wireless networks and communication (weak or no encryption etc.) | 3 |
| A5 | Passports and National ID cards | V12. Lack of harmonisation and interoperability of procedures | 3 |
| A5 | Passports and National ID cards | V18. Lack of respect to the data minimisation and proportionality principles | 4 |
| A5 | Passports and National ID cards | V21. Inappropriate / inadequate identity management | 3 |
| A5 | Passports and National ID cards | V22. Collision of tag traffic / Radio-frequency interference | 2 |
| A5 | Passports and National ID cards | V31. Devices & equipment used in unprotected environments | 3 |
| A5 | Passports and National ID cards | V41. Lack of respect to the data conservation principle | 4 |
| A5 | Passports and National ID cards | V38. Lack of common or harmonised legislation in EU Member States | 3 |
| A6 | Mobile smart devices | V21. Inappropriate / inadequate identity management | 4 |
| A6 | Mobile smart devices | V23. Over dependency on biometrics | 4 |
| A6 | Mobile smart devices | V11. Lack of adequate controls in biometrics' enrollment stage | 3 |
| A6 | Mobile smart devices | V4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | 3 |
| A6 | Mobile smart devices | V24. Inherent features (size, material etc.): easy to lose, stolen and/or copied (especially for RFID tags) | 2 |
| A6 | Mobile smart devices | V6. Lack of interoperability between devices and/or technologies and/or systems | 3 |
| A6 | Mobile smart devices | V9. Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | 2 |
| A6 | Mobile smart devices | V25. Actual RFID range longer than standard | 4 |
| A6 | Mobile smart devices | V26. RFID tags do not have a turn-off option | 3 |
| A6 | Mobile smart devices | V27. Insufficient protection against reverse engineering | 3 |
| A6 | Mobile smart devices | V28. Inadequate security measures of data storage (e.g. inadequate encryption measures) | 4 |
| A6 | Mobile smart devices | V31. Devices & equipment used in unprotected environments | 3 |
| A6 | Mobile smart devices | V13. Lack of or inappropriate protection of RFID tags | 4 |
| A6 | Mobile smart devices | V39. Insufficient protection of wireless networks and communication (weak or no encryption etc.) | 3 |
| A6 | Mobile smart devices | V12. Lack of harmonisation and interoperability of procedures | 3 |
| A6 | Mobile smart devices | V18. Lack of respect to the data minimisation and proportionality principles | 4 |
| A6 | Mobile smart devices | V19. Lack of respect to the purpose restriction principle (purpose limitation principle) | 4 |
| A6 | Mobile smart devices | V20. Lack of respect to the transparency principle | 3 |
| A6 | Mobile smart devices | V22. Collision of tag traffic / Radio-frequency interference | 2 |
| A6 | Mobile smart devices | V31. Devices & equipment used in unprotected environments | 3 |
| A6 | Mobile smart devices | V38. Lack of common or harmonised legislation in EU Member States | 3 |
| A6 | Mobile smart devices | V10. Flawed/insufficient design and/or capacity of devices and systems | 3 |
| A6 | Mobile smart devices | V40. Lack of respect to the legitimacy of data processing, e.g. consent | 4 |
| A6 | Mobile smart devices | V41. Lack of respect to the data conservation principle | 4 |
| A6 | Mobile smart devices | V42. Lack of respect to the rights of the data subject (such as the right for rectification, blocking or deletion of data). | 4 |
| A6 | Mobile smart devices | V39. Insufficient protection of wireless networks and communication (weak or no encryption etc.) | 3 |
| A6 | Mobile smart devices | V34. Communication of data over unprotected or publicly accessible channels | 4 |
| A7 | Health monitoring devices | V4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | 4 |
| A7 | Health monitoring devices | V5. Lack of usability / unfriendly user interface(s) of device(s) | 4 |
| A7 | Health monitoring devices | V6. Lack of interoperability between devices and/or technologies and/or systems | 4 |
| A7 | Health monitoring devices | V24. Inherent features (size, material etc.): easy to lose, stolen and/or copied (especially for RFID tags) | 2 |
| A7 | Health monitoring devices | V28. Inadequate security measures of data storage (e.g. inadequate encryption measures) | 3 |
| A7 | Health monitoring devices | V29. Over-sensitivity of devices (give many false alarms) | 4 |
| A7 | Health monitoring devices | V30. Sensitivity to magnetic fields | 4 |
| A7 | Health monitoring devices | V31. Devices & equipment used in unprotected environments | 3 |
| A7 | Health monitoring devices | V34. Communication of data over unprotected or publicly accessible channels | 4 |
| A7 | Health monitoring devices | V18. Lack of respect to the data minimisation and proportionality principles | 4 |
| A7 | Health monitoring devices | V19. Lack of respect to the purpose restriction principle (purpose limitation principle) | 4 |
| A7 | Health monitoring devices | V20. Lack of respect to the transparency principle | 3 |
| A7 | Health monitoring devices | V40. Lack of respect to the legitimacy of data processing, e.g. consent | 3 |
| A7 | Health monitoring devices | V41. Lack of respect to the data conservation principle | 5 |
| A7 | Health monitoring devices | V42. Lack of respect to the rights of the data subject (such as the right for rectification, blocking or deletion of data). | 5 |
| A7 | Health monitoring devices | V39. Insufficient protection of wireless networks and communication (weak or no encryption etc.) | 4 |
| A8 | Travel documents (paper) | V3. Lack of back-up / failover procedures | 4 |
| A8 | Travel documents (paper) | V4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | 3 |
| A8 | Travel documents (paper) | V12. Lack of harmonisation and interoperability of procedures | 2 |
| A8 | Travel documents (paper) | V24. Inherent features (size, material etc.): easy to lose, stolen and/or copied (especially for RFID tags) | 4 |
| A9 | RFID & barcode readers | V2. Excessive dependency on IT systems, network and external infrastructure | 3 |
| A9 | RFID & barcode readers | V3. Lack of back-up / failover procedures | 3 |
| A9 | RFID & barcode readers | V4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | 4 |
| A9 | RFID & barcode readers | V5. Lack of usability / unfriendly user interface(s) of device(s) | 4 |
| A9 | RFID & barcode readers | V6. Lack of interoperability between devices and/or technologies and/or systems | 4 |
| A9 | RFID & barcode readers | V9. Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | 3 |
| A9 | RFID & barcode readers | V10. Flawed/insufficient design and/or capacity of devices and systems | 4 |
| A9 | RFID & barcode readers | V13. Lack of or inappropriate protection of RFID tags | 3 |
| A9 | RFID & barcode readers | V14. Lack of sufficiently skilled and/or trained personnel [airport, airline] | 4 |
| A9 | RFID & barcode readers | V22. Collision of tag traffic / Radio-frequency interference | 3 |
| A9 | RFID & barcode readers | V24. Inherent features (size, material etc.): easy to lose, stolen and/or copied (especially for RFID tags) | 2 |
| A9 | RFID & barcode readers | V25. Actual RFID range longer than standard | 3 |
| A9 | RFID & barcode readers | V27. Insufficient protection against reverse engineering | 2 |
| A9 | RFID & barcode readers | V30. Sensitivity to magnetic fields | 2 |
| A9 | RFID & barcode readers | V34. Communication of data over unprotected or publicly accessible channels | 3 |
| A9 | RFID & barcode readers | V19. Lack of respect to the purpose restriction principle (purpose limitation principle) | 3 |
| A9 | RFID & barcode readers | V20. Lack of respect to the transparency principle | 4 |
| A9 | RFID & barcode readers | V40. Lack of respect to the legitimacy of data processing, e.g. consent | 3 |
| A9 | RFID & barcode readers | V41. Lack of respect to the data conservation principle | 4 |
| A9 | RFID & barcode readers | V42. Lack of respect to the rights of the data subject (such as the right for rectification, blocking or deletion of data). | 4 |
| A9 | RFID & barcode readers | V39. Insufficient protection of wireless networks and communication (weak or no encryption etc.) | 4 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V21. Lack of appropriate user procedures, especially regarding the collection and processing of personal data: lack of informed consent, insufficient definition of the purpose for which the data are collected, lack of transparency (the user doesn't know when his data are being accessed, by whom and why) | 4 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | 3 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V24. Inherent features (size, material etc.): easy to lose, stolen and/or copied (especially for RFID tags) | 4 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V6. Lack of interoperability between devices and/or technologies and/or systems | 3 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V9. Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | 2 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V25. Actual RFID range longer than standard | 4 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V26. RFID tags do not have a turn-off option | 3 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V27. Insufficient protection against reverse engineering | 3 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V28. Inadequate security measures of data storage (e.g. inadequate encryption measures) | 4 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V31. Devices & equipment used in unprotected environments | 3 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V13. Lack of or inappropriate protection of RFID tags | 4 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V12. Lack of harmonisation and interoperability of procedures | 3 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V18. Lack of respect to the data minimisation and proportionality principles | 4 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V21. Inappropriate / inadequate identity management | 3 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V22. Collision of tag traffic / Radio-frequency interference | 2 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V31. Devices & equipment used in unprotected environments | 4 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V38. Lack of common or harmonised legislation in EU Member States | 3 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V39. Insufficient protection of wireless networks and communication (weak or no encryption etc.) | 4 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V18. Lack of respect to the data minimisation and proportionality principles | 3 |
| A10 | Credit Cards/Debit card/Payment cards/'e-wallet' | V40. Lack of respect to the legitimacy of data processing, e.g. consent | 4 |
| A11 | Other RFID cards | V21. Lack of appropriate user procedures, especially regarding the collection and processing of personal data: lack of informed consent, insufficient definition of the purpose for which the data are collected, lack of transparency (the user doesn't know when his data are being accessed, by whom and why) | 4 |
| A11 | Other RFID cards | V4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | 3 |
| A11 | Other RFID cards | V24. Inherent features (size, material etc.): easy to lose, stolen and/or copied (especially for RFID tags) | 3 |
| A11 | Other RFID cards | V6. Lack of interoperability between devices and/or technologies and/or systems | 3 |
| A11 | Other RFID cards | V9. Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | 2 |
| A11 | Other RFID cards | V25. Actual RFID range longer than standard | 4 |
| A11 | Other RFID cards | V26. RFID tags do not have a turn-off option | 3 |
| A11 | Other RFID cards | V27. Insufficient protection against reverse engineering | 3 |
| A11 | Other RFID cards | V28. Inadequate security measures of data storage (e.g. inadequate encryption measures) | 4 |
| A11 | Other RFID cards | V31. Devices & equipment used in unprotected environments | 3 |
| A11 | Other RFID cards | V13. Lack of or inappropriate protection of RFID tags | 4 |
| A11 | Other RFID cards | V12. Lack of harmonisation and interoperability of procedures | 3 |
| A11 | Other RFID cards | V21. Inappropriate / inadequate identity management | 3 |
| A11 | Other RFID cards | V22. Collision of tag traffic / Radio-frequency interference | 2 |
| A11 | Other RFID cards | V31. Devices & equipment used in unprotected environments | 4 |
| A11 | Other RFID cards | V38. Lack of common or harmonised legislation in EU Member States | 3 |
| A11 | Other RFID cards | V39. Insufficient protection of wireless networks and communication (weak or no encryption etc.) | 3 |
| A11 | Other RFID cards | V18. Lack of respect to the data minimisation and proportionality principles | 3 |
| A11 | Other RFID cards | V40. Lack of respect to the legitimacy of data processing, e.g. consent | 4 |
| A12 | Scanners & detectors | V1. Inappropriate design of procedures - includes: lack of accountability, high complexity of procedures, assigning extensive responsibilities to end-users (in critical parts of the procedures) etc. | 2 |
| A12 | Scanners & detectors | V2. Excessive dependency on IT systems, network and external infrastructure | 4 |
| A12 | Scanners & detectors | V21. Lack of appropriate user procedures, especially regarding the collection and processing of personal data: lack of informed consent, insufficient definition of the purpose for which the data are collected, lack of transparency (the user doesn't know when his data are being accessed, by whom and why) | 4 |
| A12 | Scanners & detectors | V27. Insufficient protection against reverse engineering | 2 |
| A12 | Scanners & detectors | V11. Lack of adequate controls in biometrics' enrollment stage | 4 |
| A12 | Scanners & detectors | V37. Failure of biometrics sensors | 3 |
| A12 | Scanners & detectors | V32. Used by a great number of people every day [health issues (e.g. infectious diseases spread by fingerprint scanners)] | 4 |
| A12 | Scanners & detectors | V33. High error rates of biometric identification (esp. face-based recognition) | 3 |
| A12 | Scanners & detectors | V4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | 4 |
| A12 | Scanners & detectors | V23. Over dependency on biometrics | 3 |
| A12 | Scanners & detectors | V29. Over-sensitivity of devices (give many false alarms) | 3 |
| A12 | Scanners & detectors | V39. Insufficient protection of wireless networks and communication (weak or no encryption etc.) | 3 |
| A12 | Scanners & detectors | V22. Collision of tag traffic / Radio-frequency interference | 3 |
| A12 | Scanners & detectors | V18. Lack of respect to the data minimisation and proportionality principles | 4 |
| A12 | Scanners & detectors | V20. Lack of respect to the transparency principle | 4 |
| A12 | Scanners & detectors | V40. Lack of respect to the legitimacy of data processing, e.g. consent | 4 |
| A12 | Scanners & detectors | V42. Lack of respect to the rights of the data subject (such as the right for rectification, blocking or deletion of data). | 4 |
| A12 | Scanners & detectors | V38. Lack of common or harmonised legislation in EU Member States | 2 |
| A13 | Networks | V1. Inappropriate design of procedures - includes: lack of accountability, high complexity of procedures, assigning extensive responsibilities to end-users (in critical parts of the procedures) etc. | 3 |
| A13 | Networks | V2. Excessive dependency on IT systems, network and external infrastructure | 4 |
| A13 | Networks | V3. Lack of back-up / failover procedures | 3 |
| A13 | Networks | V4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | 4 |
| A13 | Networks | V5. Lack of usability / unfriendly user interface(s) of device(s) | 4 |
| A13 | Networks | V6. Lack of interoperability between devices and/or technologies and/or systems | 3 |
| A13 | Networks | V8. Dependency on power systems | 3 |
| A13 | Networks | V9. Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | 4 |
| A13 | Networks | V10. Flawed/insufficient design and/or capacity of devices and systems | 3 |
| A13 | Networks | V14. Lack of sufficiently skilled and/or trained personnel [airport, airline] | 2 |
| A13 | Networks | V15. Insufficient equipment | 2 |
| A13 | Networks | V16. Inappropriate expansion of the trust perimeter | 3 |
| A13 | Networks | V21. Inappropriate / inadequate identity management | 4 |
| A13 | Networks | V39. Insufficient protection of wireless networks and communication (weak or no encryption etc.) | 4 |
| A14 | State databases | V1. Inappropriate design of procedures - includes: lack of accountability, high complexity of procedures, assigning extensive responsibilities to end-users (in critical parts of the procedures) etc. | 3 |
| A14 | State databases | V2. Excessive dependency on IT systems, network and external infrastructure | 4 |
| A14 | State databases | V3. Lack of back-up / failover procedures | 3 |
| A14 | State databases | V4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | 3 |
| A14 | State databases | V7. Collected data is insufficient or incorrect [lack of adequate controls at data entry] | 5 |
| A14 | State databases | V8. Dependency on power systems | 2 |
| A14 | State databases | V9. Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | 4 |
| A14 | State databases | V10. Flawed/insufficient design and/or capacity of devices and systems | 3 |
| A14 | State databases | V18. Lack of respect to the data minimisation and proportionality principles | 5 |
| A14 | State databases | V19. Lack of respect to the purpose restriction principle (purpose limitation principle) | 4 |
| A14 | State databases | V20. Lack of respect to the transparency principle | 5 |
| A14 | State databases | V28. Inadequate security measures of data storage (e.g. inadequate encryption measures) | 2 |
| A14 | State databases | V35. High data linkability | 4 |
| A14 | State databases | V36. Lack of data correction mechanisms (as normally data subjects do not have access to the databases) | 4 |
| A14 | State databases | V40. Lack of respect to the legitimacy of data processing, e.g. consent | 4 |
| A14 | State databases | V41. Lack of respect to the data conservation principle | 5 |
| A14 | State databases | V42. Lack of respect to the rights of the data subject (such as the right for rectification, blocking or deletion of data). | 5 |
| A14 | State databases | V38. Lack of common or harmonised legislation in EU Member States | 4 |

A15Commercial and other databasesV1. 
Inappropriate design of procedures - includes: lack of accountability, high complexity of procedures, assigning extensive responsibilities to end-users (in critical parts of the procedures) etc.3V1.V1A15V13A15Commercial and other databasesV2. Excessive dependency on IT systems, network and external infrastructure 4V2.V2A15V24A15Commercial and other databasesV3. Lack of back-up / failover procedures3V3.V3A15V33A15Commercial and other databasesV4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc3V4.V4A15V43A15Commercial and other databasesV7. Collected data is insufficient or incorrect [lack of adequate controls at data entry]4V7.V7A15V74A15Commercial and other databasesV8. Dependency on power systems2V8.V8A15V82A15Commercial and other databasesV9. Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls4V9.V9A15V94A15Commercial and other databasesV10. Flawed/insufficient design and/or capacity of devices and systems3V10V10A15V103A15Commercial and other databasesV18. Lack of respect to the data minimisation and proportionality principles5V18V18A15V185A15Commercial and other databasesV19. Lack of respect to the purpose restriction principle (purpose limitation principle) 4V19V19A15V194A15Commercial and other databasesV20. Lack of appropriate user procedures, especially regarding the collection and processing of persona data: lack of informed consent, insufficient definition of the purpose for which the data are collected for, lack of transparency and data traceability (the user doesn't know when his data are being accessed, by whom and why)5V20V20A15V205A15Commercial and other databasesV28. Inadequate security measures of data storage (e.g. inadequate encryption measures)2V28V28A15V282A15Commercial and other databasesV35. High data linkability4V35V35A15V354A15Commercial and other databasesV36. 
Lack of data correction mechanisms (as normally data subjects do not have access to the databases)4V36V36A15V364A15Commercial and other databasesV40. Lack of respect to the legitimacy of data processing, e.g. consent4V40V40A15V404A15Commercial and other databasesV41. Lack of respect to the data conservation principle 4V41V41A15V414A15Commercial and other databasesV42. Lack of respect to the rights of the data subject (such as the right for rectification, blocking or deletion of data).4V42V42A15V424A15Commercial and other databasesV38. Lack of common or harmonised legislation in EU Member States4V38V38A15V384A16Temporary handset airport guidesV4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc4V4.V4A16V44A16Temporary handset airport guidesV5. Lack of usability / unfriendly user interface(s) of device(s)2V5.V5A16V52A16Temporary handset airport guidesV6. Lack of interoperability between devices and/or technologies and/or systems2V6.V6A16V62A16Temporary handset airport guidesV14. Lack of sufficiently skilled and/or trained personnel [airport, ariline]3V14V14A16V143A16Temporary handset airport guidesV15. Insufficient equipment2V15V15A16V152A16Temporary handset airport guidesV24. Inherent features (size, material etc.): easy to lose, stolen and/or copied (expecially for RFID tags)2V24V24A16V242A16Temporary handset airport guidesV32. Used by a great number of people every day [health issues (e.g. infectious diseases spread by fingerprint scanners)]1V32V32A16V321A17Luggage and goods V13. Lack of or inappropriate protection of RFID tags3V13V13A17V133A17Luggage and goods V22. Collision of tag traffic / Radio-frequency interference2V22V22A17V222A17Luggage and goods V24. Inherent features (size, material etc.): easy to lose, stolen and/or copied (expecially for RFID tags)3V24V24A17V243A17Luggage and goods V25. Actual RFID range longer than standard2V25V25A17V252A17Luggage and goods V26. 
RFID tags do not have a turn-off option2V26V26A17V262A18Check-in infrastructureV1. Inappropriate design of procedures - includes: lack of accountability, high complexity of procedures, assigning extensive responsibilities to end-users (in critical parts of the procedures) etc.3V1.V1A18V13A18Check-in infrastructureV2. Excessive dependency on IT systems, network and external infrastructure 4V2.V2A18V24A18Check-in infrastructureV3. Lack of back-up / failover procedures3V3.V3A18V33A18Check-in infrastructureV4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc3V4.V4A18V43A18Check-in infrastructureV5. Lack of usability / unfriendly user interface(s) of device(s)4V5.V5A18V54A18Check-in infrastructureV6. Lack of interoperability between devices and/or technologies and/or systems3V6.V6A18V63A18Check-in infrastructureV7. Collected data is insufficient or incorrect [lack of adequate controls at data entry]2V7.V7A18V72A18Check-in infrastructureV8. Dependency on power systems2V8.V8A18V82A18Check-in infrastructureV9. Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls3V9.V9A18V93A18Check-in infrastructureV12. Lack of harmonisation and interoperability of procedures2V12V12A18V122A18Check-in infrastructureV14. Lack of sufficiently skilled and/or trained personnel [airport, ariline]4V14V14A18V144A18Check-in infrastructureV23. Over dependency on biometrics4V23V23A18V234A18Check-in infrastructureV33. High error rates of biometric identification (esp. face-based recognition)3V33V33A18V333A18Check-in infrastructureV37. Failure of biometrics sensors3V37V37A18V373A19Airport facilitiesV2. Excessive dependency on IT systems, network and external infrastructure 3V2.V2A19V23A19Airport facilitiesV4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc4V4.V4A19V44A19Airport facilitiesV5. 
Lack of usability / unfriendly user interface(s) of device(s)3V5.V5A19V53A19Airport facilitiesV6. Lack of interoperability between devices and/or technologies and/or systems3V6.V6A19V63A19Airport facilitiesV8. Dependency on power systems3V8.V8A19V83A19Airport facilitiesV14. Lack of sufficiently skilled and/or trained personnel [airport, ariline]4V14V14A19V144A19Airport facilitiesV16. Inappropriate expansion of the trust perimeter4V16V16A19V164A19Airport facilitiesV20. Lack of respect to the transparency principle2V20V20A19V202A19Airport facilitiesV32. Used by a great number of people every day [health issues (e.g. infectious diseases spread by fingerprint scanners)]4V32V32A19V324A20Cars / vehiclesV2. Excessive dependency on IT systems, network and external infrastructure 3V2.V2A20V23A20Cars / vehiclesV4. Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc4V4.V4A20V44A20Cars / vehiclesV6. Lack of interoperability between devices and/or technologies and/or systems3V6.V6A20V63A20Cars / vehiclesV8. Dependency on power systems4V8.V8A20V84A20Cars / vehiclesV9. Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls3V9.V9A20V93A20Cars / vehiclesV10. Flawed/insufficient design and/or capacity of devices and systems2V10V10A20V102A20Cars / vehiclesV12. Lack of harmonisation and interoperability of procedures2V12V12A20V122A20Cars / vehiclesV17. Lack of dependable sensors, GPS3V17V17A20V173A20Cars / vehiclesV18. Lack of respect to the data minimisation and proportionality principles1V18V18A20V181A20Cars / vehiclesV19. Lack of respect to the purpose restriction principle (purpose limitation principle) 4V19V19A20V194A20Cars / vehiclesV20. Lack of respect to the transparency principle3V20V20A20V203A20Cars / vehiclesV28. Inadequate security measures of data storage (e.g. inadequate encryption measures)3V28V28A20V283A20Cars / vehiclesV38. 
Lack of common or harmonised legislation in EU Member States4V38V38A20V384A20Cars / vehiclesV39. Insufficient protection of wireless networks and communication (weak or no encryption etc.)4V39V39A20V394A20Cars / vehiclesV40. Lack of respect to the legitimacy of data processing, e.g. consent2V40V40A20V402A20Cars / vehiclesV41. Lack of respect to the data conservation principle 2V41V41A20V412

Vulnerabilities+Threats
Mapping of Vulnerabilities and Threats

No | Vulnerability Description | Threats | Threat value
V1 | Inappropriate design of procedures | T6. Social engineering attack | 4
V1 | Inappropriate design of procedures | T8. Unauthorised access to / deletion / modification of devices / data etc. | 4
V1 | Inappropriate design of procedures | T11. Procedures / instructions not followed | 3
V1 | Inappropriate design of procedures | T12. Non-compliance with data protection legislation | 4
V1 | Inappropriate design of procedures | T13. Function creep (data used for other purposes than the ones for which they were originally collected) | 4
V1 | Inappropriate design of procedures | T14. Unauthorized check-in and boarding / identity theft | 4
V1 | Inappropriate design of procedures | T27. Trade union/labour strikes | 3
V2 | Excessive dependency on IT systems, network and external infrastructure | T1. Denial of service attack / Flood / Buffer overflow | 3
V2 | Excessive dependency on IT systems, network and external infrastructure | T2. Spoofing of credentials / bypass authentication | 5
V2 | Excessive dependency on IT systems, network and external infrastructure | T5. Man-in-the-middle attack | 3
V2 | Excessive dependency on IT systems, network and external infrastructure | T22. Malfunctioning/breakdown of systems / devices / equipment | 4
V2 | Excessive dependency on IT systems, network and external infrastructure | T24. Worms, viruses & malicious code | 3
V2 | Excessive dependency on IT systems, network and external infrastructure | T25. Malicious attack on power systems | 3
V2 | Excessive dependency on IT systems, network and external infrastructure | T28. Adverse weather condition or other disaster | 4
V3 | Lack of back-up / failover procedures | T1. Denial of service attack / Flood / Buffer overflow | 3
V3 | Lack of back-up / failover procedures | T6. Social engineering attack | 4
V3 | Lack of back-up / failover procedures | T7. Theft [of cards, devices etc] | 4
V3 | Lack of back-up / failover procedures | T9. Loss or misuse [of cards, devices etc] | 3
V3 | Lack of back-up / failover procedures | T22. Malfunctioning/breakdown of systems / devices / equipment | 4
V3 | Lack of back-up / failover procedures | T23. E-visa not accepted at check in | 3
V3 | Lack of back-up / failover procedures | T25. Malicious attack on power systems | 3
V3 | Lack of back-up / failover procedures | T28. Adverse weather condition or other disaster | 4
V4 | Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | T2. Spoofing of credentials / bypass authentication | 5
V4 | Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | T6. Social engineering attack | 4
V4 | Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | T7. Theft [of cards, devices etc] | 4
V4 | Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | T8. Unauthorised access to / deletion / modification of devices / data etc. | 4
V4 | Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | T9. Loss or misuse [of cards, devices etc] | 3
V4 | Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | T10. Use erroneous and/or unreliable data | 4
V4 | Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | T11. Procedures / instructions not followed | 3
V4 | Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | T12. Non-compliance with data protection legislation | 4
V4 | Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | T13. Function creep (data used for other purposes than the ones for which they were originally collected) | 4
V4 | Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | T14. Unauthorized check-in and boarding / identity theft | 4
V4 | Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | T16. Unauthorised access to other restricted areas (apart from boarding e.g. Control room, personnel's offices) | 3
V4 | Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | T22. Malfunctioning/breakdown of systems / devices / equipment | 4
V4 | Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc | T30. Low acceptance of devices / equipment / procedures | 4
V5 | Lack of usability / unfriendly user interface(s) of device(s) | T8. Unauthorised access to / deletion / modification of devices / data etc. | 4
V5 | Lack of usability / unfriendly user interface(s) of device(s) | T9. Loss or misuse [of cards, devices etc] | 3
V5 | Lack of usability / unfriendly user interface(s) of device(s) | T10. Use erroneous and/or unreliable data | 4
V5 | Lack of usability / unfriendly user interface(s) of device(s) | T11. Procedures / instructions not followed | 3
V5 | Lack of usability / unfriendly user interface(s) of device(s) | T14. Unauthorized check-in and boarding / identity theft | 4
V5 | Lack of usability / unfriendly user interface(s) of device(s) | T30. Low acceptance of devices / equipment / procedures | 4
V6 | Lack of interoperability between devices and/or technologies and/or systems | T9. Loss or misuse [of cards, devices etc] | 3
V6 | Lack of interoperability between devices and/or technologies and/or systems | T22. Malfunctioning/breakdown of systems / devices / equipment | 4
V6 | Lack of interoperability between devices and/or technologies and/or systems | T11. Procedures / instructions not followed | 3
V6 | Lack of interoperability between devices and/or technologies and/or systems | T12. Non-compliance with data protection legislation | 4
V6 | Lack of interoperability between devices and/or technologies and/or systems | T30. Low acceptance of devices / equipment / procedures | 4
V7 | Collected data is insufficient or incorrect [lack of adequate controls at data entry] | T10. Use erroneous and/or unreliable data | 4
V7 | Collected data is insufficient or incorrect [lack of adequate controls at data entry] | T12. Non-compliance with data protection legislation | 4
V7 | Collected data is insufficient or incorrect [lack of adequate controls at data entry] | T11. Procedures / instructions not followed | 3
V7 | Collected data is insufficient or incorrect [lack of adequate controls at data entry] | T14. Unauthorized check-in and boarding / identity theft | 4
V7 | Collected data is insufficient or incorrect [lack of adequate controls at data entry] | T23. E-visa not accepted at check in | 3
V8 | Dependency on power systems | T1. Denial of service attack / Flood / Buffer overflow | 3
V8 | Dependency on power systems | T22. Malfunctioning/breakdown of systems / devices / equipment | 4
V8 | Dependency on power systems | T25. Malicious attack on power systems | 3
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T2. Spoofing of credentials / bypass authentication | 5
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T3. Large-scale and/or inappropriate data mining and/or surveillance | 4
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T5. Man-in-the-middle attack | 3
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T6. Social engineering attack | 4
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T7. Theft [of cards, devices etc] | 4
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T8. Unauthorised access to / deletion / modification of devices / data etc. | 4
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T9. Loss or misuse [of cards, devices etc] | 3
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T10. Use erroneous and/or unreliable data | 4
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T14. Unauthorized check-in and boarding / identity theft | 4
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T15. Cloning of credentials and tags (RFID related) | 3
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T17. Side channel attack | 2
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T18. Blocking | 2
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T19. Jamming | 2
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T20. Fake / rogue RFID readers / scanning of RFID reader and/or tag | 3
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T21. Physical RFID tag destruction | 4
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T24. Worms, viruses & malicious code | 3
V9 | Lack of or inadequate logical access (identification, authentication and authorisation) and physical access controls | T29. Ad hoc network routing attack | 2
V10 | Flawed/insufficient design and/or capacity of devices and systems | T1. Denial of service attack / Flood / Buffer overflow | 3
V10 | Flawed/insufficient design and/or capacity of devices and systems | T11. Procedures / instructions not followed | 3
V10 | Flawed/insufficient design and/or capacity of devices and systems | T12. Non-compliance with data protection legislation | 4
V10 | Flawed/insufficient design and/or capacity of devices and systems | T22. Malfunctioning/breakdown of systems / devices / equipment | 4
V10 | Flawed/insufficient design and/or capacity of devices and systems | T25. Malicious attack on power systems | 3
V10 | Flawed/insufficient design and/or capacity of devices and systems | T28. Adverse weather condition or other disaster | 4
V11 | Lack of adequate controls in biometrics' enrolment stage | T2. Spoofing of credentials / bypass authentication | 5
V11 | Lack of adequate controls in biometrics' enrolment stage | T3. Large-scale and/or inappropriate data mining and/or surveillance | 4
V11 | Lack of adequate controls in biometrics' enrolment stage | T11. Procedures / instructions not followed | 3
V11 | Lack of adequate controls in biometrics' enrolment stage | T12. Non-compliance with data protection legislation | 4
V11 | Lack of adequate controls in biometrics' enrolment stage | T14. Unauthorized check-in and boarding / identity theft | 4
V11 | Lack of adequate controls in biometrics' enrolment stage | T30. Low acceptance of devices / equipment / procedures | 4
V12 | Lack of harmonisation and interoperability of procedures | T9. Loss or misuse [of cards, devices etc] | 3
V12 | Lack of harmonisation and interoperability of procedures | T10. Use erroneous and/or unreliable data | 4
V12 | Lack of harmonisation and interoperability of procedures | T11. Procedures / instructions not followed | 3
V12 | Lack of harmonisation and interoperability of procedures | T12. Non-compliance with data protection legislation | 4
V12 | Lack of harmonisation and interoperability of procedures | T30. Low acceptance of devices / equipment / procedures | 4
V12 | Lack of harmonisation and interoperability of procedures | T13. Function creep (data used for other purposes than the ones for which they were originally collected) | 4
V13 | Lack of or inappropriate protection of RFID tags | T1. Denial of service attack / Flood / Buffer overflow | 3
V13 | Lack of or inappropriate protection of RFID tags | T2. Spoofing of credentials / bypass authentication | 5
V13 | Lack of or inappropriate protection of RFID tags | T4. Traffic analysis / scan / probe | 3
V13 | Lack of or inappropriate protection of RFID tags | T5. Man-in-the-middle attack | 3
V13 | Lack of or inappropri