How are risks determined according to ISO 21434?
Clause 8.8 of the DIS of ISO21434 determines the risk level value based on impact ratings (IRs) and attack feasibility ratings (AFRs). The IR results from combining the IRs from each described damage scenario (result of Clause 8.5). Each damage scenario was derived from an identified asset (in Clause 8.3). The AFR stems from combining the identified attack paths (8.6) for each threat scenario (8.4). The assets, threat scenarios and attack paths are identified based on the item definition which comes from clause 9.3.
The impact rating of a damage scenario shall be one of “Severe“, “Major“, “Moderate“, or “Negligible“. Since being grouped by category, financial, operational and privacy related impacts can be rated based on criteria that get combined into the resulting value (examples are in Annex H).
The attack feasibility rating shall be one of “High“, “Medium“, “Low” or “Very low“. Additionally, the ratings should base on either (1) attack potential; on (2) CVSS; or on (3) attack vectors. However, the choice of the three depends obviously depends on the available information and thus the current lifecycle phase. For further details, Annex I describes these categories.
Note, that when identifying a threat scenario in 8.4, it may relate to an already identified asset. If not, the relationship should be established later, so that risk calculation can accomodate impact ratings to determine a risk level for each threat scenario. Later on, the risk treatment decision (8.9) can base on the risk for each related pair of asset and threat scenario. As a result, the treatment decisions will be documented and traceable on a fine-grained scale.