Objectives
Misuse investigates whether the TOE can be configured or used in a manner that is insecure but that an administrator or user of the TOE would reasonably believe to be secure.
The objectives are:
a) to minimise the probability of configuring or installing the TOE in a way that is insecure, without the user or administrator being able to detect it;
b) to minimise the risk of human or other errors in operation that may deactivate, disable, or fail to activate security functions, resulting in an undetected insecure state.
Component levelling
The components are levelled on the basis of the increasing evidence to be provided by the developer and the increasing rigour of analysis.
Application notes
Conflicting, misleading, incomplete or unreasonable guidance may result in a user of the TOE believing that the TOE is secure when it is not, and can result in vulnerabilities.
An example of conflicting guidance would be two guidance instructions that imply different outcomes when the same input is supplied.
An example of misleading guidance would be the description of a single guidance instruction that could be parsed in more than one way, one of which may result in an insecure state.
An example of incomplete guidance would be a list of significant physical security requirements that omitted an important item, resulting in this item being overlooked by the administrator, who believed the list to be complete.
An example of unreasonable guidance would be a recommendation to follow a procedure that imposed an unduly onerous administrative burden.
Guidance documentation is required. This may be contained in existing User or Administration documentation, or may be provided separately. If provided separately, the evaluator should confirm that the documentation is supplied with the TOE.