# Risk Value Determination

## Basic formula

Risk = f(Impact, Attack Feasibility)

> **Important:** ISO 21434 combines Impact × Attack Feasibility; it does not use the S × E × C of ISO 26262.
## Standard risk matrix

The matrix recommended in ISO 21434 Annex F (rows: Impact; columns: Attack Feasibility):

| Impact ↓ / Attack Feasibility → | Very Low | Low | Medium | High |
|---|---|---|---|---|
| Severe | 2 | 3 | 4 | 5 |
| Major | 1 | 2 | 3 | 4 |
| Moderate | 1 | 1 | 2 | 3 |
| Negligible | 1 | 1 | 1 | 2 |

Risk values run from 1 to 5 (1 = lowest, 5 = highest).

> **Tip:** Some organizations use a 1-25 (5 × 5) matrix; the principle is the same.
## Risk level mapping

| Risk value | Level | Action |
|---|---|---|
| 5 | Very High | Must be treated |
| 4 | High | Must be treated |
| 3 | Medium | Should be treated, or accepted and documented |
| 2 | Low | Usually accepted |
| 1 | Negligible / Very Low | Usually accepted |
## Worked examples

### Example 1: Spoofed brake message

```
Threat: TS-005 (Spoofed brake CAN message)
Impact:
  Safety:      Severe
  Financial:   Moderate
  Operational: Major
  Privacy:     Negligible
  → Overall:   Severe
Attack Feasibility:
  Total score: 12 → High (easy)
Risk Value: 5 (Very High)
Required Action: Must be treated (e.g. SecOC)
```

### Example 2: Side-channel key extraction from the HSM

```
Threat: TS-022 (DPA on HSM)
Impact:
  Safety:      Major (a leaked key can affect many vehicles)
  Financial:   Severe
  Operational: Major
  Privacy:     Major
  → Overall:   Severe
Attack Feasibility:
  Total score: 55 → Very Low
Risk Value: 2 (Low)
Required Action: Usually accepted (attack cost is disproportionate to the gain)
```

### Example 3: Visual interference on the HMI

```
Threat: TS-099 (Inject visual artifacts on HMI)
Impact:
  Safety:      Negligible
  Financial:   Negligible
  Operational: Moderate (annoying)
  Privacy:     Negligible
  → Overall:   Moderate
Attack Feasibility:
  Total score: 8 → High
Risk Value: 3 (Medium)
Required Action: Evaluate whether to treat
```
## Variability of the risk matrix

> **Warning:** ISO 21434 Annex F is informative, not normative. An organization may define its own matrix, but it must be applied consistently within the CSMS.

Common variants:

- 5 × 5 (fine-grained)
- 4 × 4 (as in Annex F)
- 3 × 3 (coarse-grained, small organizations)
- Weighted (different impact dimensions carry different weights)
## Basic principles for treatment decisions (preview of Risk Treatment)

```
Risk Value 5 (Very High) → Reduce or Avoid
└── Organizational policy usually forbids "Retain"
Risk Value 4 (High)      → Reduce as the default
└── Retain only as an exception (requires senior-level acceptance + compensating measures)
Risk Value 3 (Medium)    → Decide after assessment
└── Reduce / Transfer / Retain are all possible
Risk Value 1-2 (Low)     → Usually Retain
└── Documenting the decision is sufficient
```

→ See 12-TARA-Methods/08-Risk-Treatment for details.
## Residual Risk

```
Initial Risk (before treatment)
    ↓
Risk treatment
    ↓
Residual Risk (what remains after treatment)
    ↓
Accepted at the appropriate organizational level
    ↓
Documented in the CS Case
```

Example:

```
Initial Risk: 5 (Very High)
→ Add SecOC + anti-replay
Residual Risk: 2 (Low)
→ Could still be broken by a team of experts, but the cost is disproportionate to the gain
→ Accept + continuous monitoring
```
## Recording requirements for risk determination

```yaml
risk_record:
  id: RR-TCU-005
  threat_scenario_ref: TS-005
  attack_path_ref: AP-005-A   # the easiest path
  impact:
    safety: Severe
    financial: Moderate
    operational: Major
    privacy: Negligible
    overall: Severe
  feasibility:
    method: "Attack Potential"
    parameters:
      time: 1
      expertise: 3
      knowledge: 3
      window: 1
      equipment: 4
    total: 12
    level: High
  risk_value: 5               # Very High
  risk_level: "Very High"
  initial_decision: "Must Reduce"
  reviewer: "CS Engineer Lead"
  reviewed_date: 2026-09-15
```
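The following Python is an added example, not code from this page or from the standard. It encodes the Annex F matrix and the 1-5 level/action mapping given above, runs the three worked examples through it, checks a `risk_record` in the layout shown above for internal consistency (parameters sum to `total`, `level` matches the total, `overall` is the worst dimension, `risk_value` matches the matrix), and recomputes residual risk after a control. The attack-potential thresholds (0-13 High, 14-19 Medium, 20-24 Low, 25+ Very Low) are taken from Annex G of ISO/SAE 21434, and the per-parameter increases passed to `residual_risk_after_treatment` are a constructed illustration of a control raising attack effort, not figures from the standard.

```python
"""Risk value determination per ISO/SAE 21434 (added example, not page code).

Encodes the Annex F matrix, the 1-5 risk levels and the risk_record layout
shown on this page. The attack-potential thresholds follow Annex G of the
standard; the treatment effect passed to residual_risk_after_treatment is
a constructed illustration, not a figure from the standard.
"""
from typing import Dict, List

IMPACT_ORDER = ["Negligible", "Moderate", "Major", "Severe"]       # low -> high
FEASIBILITY_ORDER = ["Very Low", "Low", "Medium", "High"]           # low -> high
IMPACT_DIMENSIONS = ("safety", "financial", "operational", "privacy")
ATTACK_POTENTIAL_PARAMS = ("time", "expertise", "knowledge", "window", "equipment")

# Annex F matrix: rows are impact, columns follow FEASIBILITY_ORDER.
RISK_MATRIX: Dict[str, List[int]] = {
    "Severe":     [2, 3, 4, 5],
    "Major":      [1, 2, 3, 4],
    "Moderate":   [1, 1, 2, 3],
    "Negligible": [1, 1, 1, 2],
}
RISK_LEVEL = {5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low"}
REQUIRED_ACTION = {
    5: "Must treat (Reduce or Avoid)",
    4: "Must treat (Reduce; Retain only as an approved exception)",
    3: "Treat, or accept and document",
    2: "Usually accept (Retain, documented)",
    1: "Usually accept (Retain, documented)",
}


def overall_impact(ratings: Dict[str, str]) -> str:
    """Overall impact is the worst rating across the four dimensions."""
    return max((ratings[d] for d in IMPACT_DIMENSIONS), key=IMPACT_ORDER.index)


def feasibility_from_attack_potential(total: int) -> str:
    """Annex G mapping: a lower attack-potential sum means an easier attack."""
    if total <= 13:
        return "High"
    if total <= 19:
        return "Medium"
    if total <= 24:
        return "Low"
    return "Very Low"


def risk_value(impact: str, feasibility: str) -> int:
    return RISK_MATRIX[impact][FEASIBILITY_ORDER.index(feasibility)]


def determine_risk(ratings: Dict[str, str], attack_potential: int) -> dict:
    """Full chain: impact dimensions + attack potential -> risk value, level, action."""
    impact = overall_impact(ratings)
    feas = feasibility_from_attack_potential(attack_potential)
    rv = risk_value(impact, feas)
    return {"impact": impact, "feasibility": feas, "risk_value": rv,
            "risk_level": RISK_LEVEL[rv], "action": REQUIRED_ACTION[rv]}


def validate_record(record: dict) -> List[str]:
    """Consistency checks for a risk_record in the page's YAML layout (as a dict).

    Returns an empty list when the stored values agree with each other; a
    review gate should reject a record that yields any finding.
    """
    findings = []
    feas, imp = record["feasibility"], record["impact"]
    if sum(feas["parameters"][p] for p in ATTACK_POTENTIAL_PARAMS) != feas["total"]:
        findings.append("attack potential parameters do not sum to 'total'")
    if feasibility_from_attack_potential(feas["total"]) != feas["level"]:
        findings.append("feasibility level does not match the attack potential total")
    if overall_impact(imp) != imp["overall"]:
        findings.append("overall impact is not the worst of the four dimensions")
    expected = risk_value(imp["overall"], feas["level"])
    if record["risk_value"] != expected:
        findings.append(f"risk_value {record['risk_value']} != matrix value {expected}")
    if record["risk_level"] != RISK_LEVEL.get(record["risk_value"]):
        findings.append("risk_level text does not match risk_value")
    return findings


def residual_risk_after_treatment(record: dict, added_potential: Dict[str, int]) -> dict:
    """Residual risk: impact is unchanged; the control raises the attack potential.

    added_potential is a constructed per-parameter increase (e.g. a control
    that forces key recovery raising expertise, equipment and time).
    """
    params = dict(record["feasibility"]["parameters"])
    for name, delta in added_potential.items():
        params[name] += delta
    return determine_risk(record["impact"], sum(params.values()))


# Constructed sample: the RR-TCU-005 record from this page as a dict.
RR_TCU_005 = {
    "id": "RR-TCU-005", "threat_scenario_ref": "TS-005",
    "impact": {"safety": "Severe", "financial": "Moderate", "operational": "Major",
               "privacy": "Negligible", "overall": "Severe"},
    "feasibility": {"method": "Attack Potential",
                    "parameters": {"time": 1, "expertise": 3, "knowledge": 3,
                                   "window": 1, "equipment": 4},
                    "total": 12, "level": "High"},
    "risk_value": 5, "risk_level": "Very High",
}

if __name__ == "__main__":
    print(determine_risk(RR_TCU_005["impact"], 12))      # risk value 5, Very High
    print(validate_record(RR_TCU_005))                   # [] when consistent
    print(residual_risk_after_treatment(RR_TCU_005, {"time": 7, "expertise": 3, "equipment": 3}))
```

The validator is the part worth wiring into a review workflow: a record whose `risk_value` was edited by hand without re-deriving it from the matrix, or whose `total` no longer matches its parameters, is caught before it reaches the CS Case. The residual-risk helper makes the point from the residual risk section explicit: a control such as SecOC does not change the impact, it only moves the scenario to a lower feasibility column of the same matrix row.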
## Certification exam points

### High-frequency points

- Formula: Risk = f(Impact, Feasibility)
- Highest matrix value = Severe impact + High feasibility = 5
- Risk value 5 = Very High; it must be treated
- The Annex F matrix is informative and may be customized
- Residual risk must be accepted and documented
- Not S × E × C (that is the ISO 26262 HARA)
- Matrices may differ across organizations; align them in the CIA (Cybersecurity Interface Agreement)
## Related Notes
- 12-TARA-Methods/04-Impact-Rating
- 12-TARA-Methods/06-Attack-Feasibility-Rating
- 12-TARA-Methods/08-Risk-Treatment
- 00-Dashboard/Quick-Reference#五、風險值矩陣 (Risk Matrix)