Home' RTCA Documents for Review : DO-356A Contents 55
© RTCA, 2018
LEVEL OF THREAT EVALUATION
The Level of Threat Evaluation is part of the Security Risk Assessment. In ED-202A
process figure 3.2, every security risk assessment (preliminary and final) consists of
four activities: threat condition identification/evaluation, threat scenario identification,
security measure characterization and level of threat evaluation.
As the required minimum, all applicants need to evaluate attacks and provide
substantiation of the appropriateness of the security measures. The substantiation
should consider the following evaluation criteria: protection, exposure reduction and
attack attempt; as well as checking the independence, diversity and isolation of
measures from each other for actual combined protection.
This document contains examples of Level of Threat Evaluation methods that are
currently being used to show Risk Acceptability. The reader should not assume that the
methods included in Appendices are the only methods that could be used. Other
methods are possible, and equally acceptable as long as they satisfy the minimum
Relation of Effectiveness and Likelihood
Level of Threat is the general concept to describe the evaluation of a threat scenario
independent from the specific approaches and perspectives used in the analysis of the
The level of threat can be expressed by different approaches and perspectives,
including the defender perspective focusing on the robustness of security measures
protecting the target and the attacker perspective focusing on ways to attack the target
which have the best chance of success. Effectiveness measures the Level of Threat by
the degree to which the protection succeeds in stopping the attacker. Likelihood
measures the Level of Threat by the degree to which the protection fails to stop the
Hence, effectiveness and likelihood can be interpreted as two perspectives of the same
Evaluation criteria considerations
Different methods can be employed to evaluate the Level of Threat. Each method will
apply multiple criteria. The criteria used by the evaluation method to determine the level
of threat should be specified.
The Level of Threat evaluation takes into account the combined protection effect that
considers the characterization and evaluation of all security measures in the threat
scenario, as detailed in section 3.6.3.
The Level of Threat evaluation takes into account the time to respond to changes in the
effectiveness of protection/likelihood of attack, caused by a change in the security
environment, in the aircraft/ systems/ items or in their vulnerabilities.
This consideration is not meant to negotiate the time to respond, but to
consider the time in the risk evaluation. Example: A security measure is
based on COTS software for which vulnerabilities are published often. If
the development process to change the security measure takes longer
than the time until new vulnerabilities are identified, this relation will make
it difficult to maintain the security measure effectiveness during operation.
One way to account for this in the evaluation would be to consider a
reduced security measure effectiveness in the risk assessment.
Level of Threat evaluation criteria can be assigned to one of three categories:
Protection criteria are all aspects that provide protection against attack. These consider
technical and operational security measures within (and including) the security
perimeter. Criteria from this category typically contribute the most to the Level of Threat
Links Archive Navigation Previous Page Next Page