Modelling Causal Factors of Unintentional Electromagnetic Emanations Compromising Information Technology Equipment Security

Information technology equipment (ITE) processing sensitive information can have its security compromised by unintentional electromagnetic radiation. Appropriately assessing likelihood of a potential compromise relies on radio frequency (RF) engineering expertise—specifically, requiring knowledge of the associated causal factors and their interrelationships. Several factors that can cause unintentional electromagnetic emanations that can lead to the compromise of ITE have been found in the literature. This paper confirms the list of causal factors reported in previous work, categorizes the factors as belonging to threat, vulnerability, or impact, and develops an interpretive structural model of the vulnerability factors. A participatory modelling approach was used consisting of focus groups of RF engineers. The resulting hierarchical structural model shows the relationships between factors and illustrates their relative significance. The paper concludes that the resulting model can motivate a deeper understanding of the structural relationship of the factors that can be incorporated in the RF engineers’ assessment process. Areas of future work are suggested.


Introduction
Electronic products generate electromagnetic interference and can also be susceptible to it. Electromagnetic compatibility (EMC) standards require electronic products not to generate unacceptable levels of interference, but also to have an adequate level of immunity from them [1]. From an information security perspective these support the security objectives of integrity and availability. That is, the equipment being interfered with will continue to function and operate correctly. However, reducing emissions so that products can coexist in the same environment does not necessarily protect the security objective of confidentiality. Where information technology equipment (ITE) is processing sensitive information, the electromagnetic fields that it generates can give rise to unintentional emanations that can radiate into space or conduct along power and signal lines. These emanations, if related to the information being processed, can be captured and reconstituted, leading to a loss of confidentiality. The name given to describe these vulnerabilities was TEMPEST [2].
TEMPEST vulnerabilities of office-based ITE (computers and peripherals) were demonstrated publicly by [3]. This showed how unintentional emanations could be captured and reconstructed from a visual display unit (VDU), resulting in a loss of confidentiality. The author of [3] established that the emanations were either narrow-bandwidth (clocks and their harmonics) or wide-bandwidth (video signals). It also made the distinction between EMC and TEMPEST, showing that ITE meeting EMC radiation and conduction standards can still have its security compromised.

1.
Explore how RF engineers can categorize the known causal factors as belonging to threat, vulnerability, or impact.

2.
Model the vulnerability causal factors so that their interpretive structure, relationships, and relative significance can be understood and shared with cyber-and information security professionals without RF experience.
Categorization of the causal factors facilitates the modelling of the interpretive structure of the causal vulnerability factors. A participatory modelling approach is adopted in this paper. It involves the use of experienced RF engineers, with a view to answering the following research questions: RQ1: What is the interpretive structural relationship between the identified causal vulnerability factors? RQ2: What is the relative significance of the causal factors that give rise to unintentional electromagnetic emanation vulnerabilities?
The remaining sections of this paper are structured as follows. Section 2 details the research methodology, consisting of the use of RF engineer focus groups, cause-and-effect analysis and the interpretive structural modelling technique applied to the vulnerability factors. Section 3 contains the results, consisting of the categorized list of causal factors and the structural model. Section 4 discusses the results obtained. Conclusions and areas of future work are suggested in Section 5.

Methodology
The focus of this study is the loss of confidentiality through unintentional emanations. The risk of this is a function of threat, vulnerability and impact [15]. To answer the research questions RQ1 and RQ2 stated in Section 1, the research methodology adopted is shown in Figure 1. Central to this approach is the use of focus groups consisting of experienced RF engineers.
1. Explore how RF engineers can categorize the known causal factors as belo threat, vulnerability, or impact. 2. Model the vulnerability causal factors so that their interpretive structure, ships, and relative significance can be understood and shared with cyber-a mation security professionals without RF experience.
Categorization of the causal factors facilitates the modelling of the interpreti ture of the causal vulnerability factors. A participatory modelling approach is ad this paper. It involves the use of experienced RF engineers, with a view to answe following research questions: RQ1: What is the interpretive structural relationship between the identified causa ability factors? RQ2: What is the relative significance of the causal factors that give rise to unin electromagnetic emanation vulnerabilities?
The remaining sections of this paper are structured as follows. Section 2 de research methodology, consisting of the use of RF engineer focus groups, cause-a analysis and the interpretive structural modelling technique applied to the vuln factors. Section 3 contains the results, consisting of the categorized list of causa and the structural model. Section 4 discusses the results obtained. Conclusions a of future work are suggested in Section 5.

Methodology
The focus of this study is the loss of confidentiality through unintentiona tions. The risk of this is a function of threat, vulnerability and impact [15]. To an research questions RQ1 and RQ2 stated in Section 1, the research methodology is shown in Figure 1. Central to this approach is the use of focus groups cons experienced RF engineers. Two focus groups from different organizations, FG-I and FG-II, were engage work. The FG-I focus group was presented with a list of the causal vulnerabilit and asked to create the ISM model from them. The other focus group, i.e., FG-II, w to validate the structural model obtained from FG-I. The focus group participa over 18 years of age and could (as assessed by the team leaders in their re Two focus groups from different organizations, FG-I and FG-II, were engaged in this work. The FG-I focus group was presented with a list of the causal vulnerability factors and asked to create the ISM model from them. The other focus group, i.e., FG-II, was used to validate the structural model obtained from FG-I. The focus group participants were over 18 years of age and could (as assessed by the team leaders in their respective organization's) apply their RF engineering skill to unintentional electromagnetic emanationrelated problems.

Identifying the Vulnerability Causal Factors
In the previous study [10], a workshop was held with focus group FG-I. They were asked to brainstorm the factors that would lead to the compromise of information, resulting from unintentional emanations, from an office-based (thin client workstations) ITE scenario. Following the workshop, the seven RF engineers in FG-I were asked to reflect on the list of brainstormed factors and suggest any additions or modifications. Changes to the list were admissible where the majority (four or more) agreed. After two iterations, the list of causal factors with their rationale for inclusion was agreed. The four RF engineers in FG-II were then asked to validate the list of factors, by confirming that the list was complete and that the reason for a factor's inclusion was sound. Finally, both focus groups were engaged at multiple workshops to agree the final list of factors along with the rationale for the factor's inclusion.
A cause-and-effect analysis was then performed on the list of factors so that they could be categorized as belonging to threat, vulnerability, or impact. This analysis used an Ishikawa diagram. Ishikawa diagrams, also known as fishbone diagrams, were developed by Professor Kaoru Ishikawa in the 1960s. Professor Ishikawa specialized in qualitymanagement techniques. They enable potential causes of a problem to be broken down into basic elements, providing insight that may enable the problem to be resolved [17]. As Ishikawa diagrams provide a straightforward way of examining causes that create or contribute to effects, we used this approach to identify the cause of loss of confidentiality resulting from unintentional radiation. The graphical output produced by this technique also provides a holistic view of the problem under consideration. The stages involved in creating a fishbone diagram [18] are: (i) Define the problem. State the problem or effect in a box on the right-hand side of the diagram, then draw a line to the box, creating the backbone of the fish. In this case, the effect is the loss of confidentiality from unintentional electromagnetic emanations. (ii) Identify potential causes for the problem. The main causes are drawn as the main bones coming from the fish's backbone. The effect will be caused by a process or function. As the risk of loss of confidentiality will be a function of threat, vulnerability, or impact, these were identified as the main causes. (iii) Identify subcauses for the problem. Each main cause is broken down into a set of subcauses. These are drawn as bones connected to the main bones, as shown in the fishbone structure in Figure 2. The list of causal factors that had been identified during the earlier brainstorming sessions was used to subcategorize and populate the main clauses. These created three levels of detail in the resulting fishbone diagram. organization's) apply their RF engineering skill to unintentional electromagnetic em tion-related problems.

Identifying the Vulnerability Causal Factors
In the previous study [10], a workshop was held with focus group FG-I. They w asked to brainstorm the factors that would lead to the compromise of information, re ing from unintentional emanations, from an office-based (thin client workstations) scenario. Following the workshop, the seven RF engineers in FG-I were asked to re on the list of brainstormed factors and suggest any additions or modifications. Chan to the list were admissible where the majority (four or more) agreed. After two iterati the list of causal factors with their rationale for inclusion was agreed. The four RF e neers in FG-II were then asked to validate the list of factors, by confirming that the was complete and that the reason for a factor's inclusion was sound. Finally, both f groups were engaged at multiple workshops to agree the final list of factors along the rationale for the factor's inclusion.
A cause-and-effect analysis was then performed on the list of factors so that could be categorized as belonging to threat, vulnerability, or impact. This analysis u an Ishikawa diagram. Ishikawa diagrams, also known as fishbone diagrams, were de oped by Professor Kaoru Ishikawa in the 1960s. Professor Ishikawa specialized in qua management techniques. They enable potential causes of a problem to be broken d into basic elements, providing insight that may enable the problem to be resolved [17 Ishikawa diagrams provide a straightforward way of examining causes that create or tribute to effects, we used this approach to identify the cause of loss of confidenti resulting from unintentional radiation. The graphical output produced by this techn also provides a holistic view of the problem under consideration. The stages involve creating a fishbone diagram [18] are: (i) Define the problem. State the problem or effect in a box on the right-hand side o diagram, then draw a line to the box, creating the backbone of the fish. In this c the effect is the loss of confidentiality from unintentional electromagnetic emanati (ii) Identify potential causes for the problem. The main causes are drawn as the m bones coming from the fish's backbone. The effect will be caused by a process or f tion. As the risk of loss of confidentiality will be a function of threat, vulnerabilit impact, these were identified as the main causes. (iii) Identify subcauses for the problem. Each main cause is broken down into a set of causes. These are drawn as bones connected to the main bones, as shown in the bone structure in Figure 2. The list of causal factors that had been identified du the earlier brainstorming sessions was used to subcategorize and populate the m clauses. These created three levels of detail in the resulting fishbone diagram. (iv) Analyse potential causes. Typically, when using fishbone diagrams, a cause that is most likely to be contributing to the problem is highlighted. In this case, as the risk of FG-I was engaged at a workshop to produce the initial fishbone diagram. FG-II was used to validate it, by agreeing or otherwise to the categorization of the factors, at a follow up workshop, only they attended. A final workshop involving both focus groups was used to reach a consensus on the final fishbone diagram produced.

Interpretive Structural Modelling of the Vulnerability Factors
The technique chosen to structurally model the vulnerability factors was interpretive structural modelling (ISM). ISM was selected as it is an interactive approach that uses a group's judgement to decide how things or elements interrelate. As a method, it helps the group to develop a deeper understanding and insight into what links the chosen elements and the nature of their relationships. ISM has been used in a range of different domains. Examples include it being used to determine the barriers to solar power installation [19], for the analysis of consumer online buying motivations [20], and to model supply chain risks [21].
Both focus groups were introduced to the purpose of the study and were provided with an overview of the ISM process and their roles within it. FG-I participants were asked to complete a structural self-interaction matrix (SSIM) individually. The SSIM involves performing a pairwise comparison of the factors so that the relationships between them can be found. The returned SSIMs were combined at a workshop from which a first ISM was produced. This model was sent to FG-I for comment and the SSIM was modified as needed. This process was iterated three times until FG-I was content with the model they had produced. FG-II was presented with this model and asked to comment on the factor's hierarchical placement and interconnections. The SSIM was changed to accommodate their views and an updated version of the model created. This updated version was sent to FG-II for comment and after two iterations was agreed. Both FG-I and FG-II were then invited to a joint workshop to consider this new version and agree on the final ISM. The approach followed is shown in Figure 3.
threat, vulnerability, and impact.
(v) State the identified root cause of the problem. In this case we have categorized all the identified causal factors under the main causes of threat, vulnerability, and impact to enable further analysis of the contextual and relative significance of the vulnerability causal factors. FG-I was engaged at a workshop to produce the initial fishbone diagram. FG-II was used to validate it, by agreeing or otherwise to the categorization of the factors, at a follow up workshop, only they attended. A final workshop involving both focus groups was used to reach a consensus on the final fishbone diagram produced.

Interpretive Structural Modelling of the Vulnerability Factors
The technique chosen to structurally model the vulnerability factors was interpretive structural modelling (ISM). ISM was selected as it is an interactive approach that uses a group's judgement to decide how things or elements interrelate. As a method, it helps the group to develop a deeper understanding and insight into what links the chosen elements and the nature of their relationships. ISM has been used in a range of different domains. Examples include it being used to determine the barriers to solar power installation [19], for the analysis of consumer online buying motivations [20], and to model supply chain risks [21].
Both focus groups were introduced to the purpose of the study and were provided with an overview of the ISM process and their roles within it. FG-I participants were asked to complete a structural self-interaction matrix (SSIM) individually. The SSIM involves performing a pairwise comparison of the factors so that the relationships between them can be found. The returned SSIMs were combined at a workshop from which a first ISM was produced. This model was sent to FG-I for comment and the SSIM was modified as needed. This process was iterated three times until FG-I was content with the model they had produced. FG-II was presented with this model and asked to comment on the factor's hierarchical placement and interconnections. The SSIM was changed to accommodate their views and an updated version of the model created. This updated version was sent to FG-II for comment and after two iterations was agreed. Both FG-I and FG-II were then invited to a joint workshop to consider this new version and agree on the final ISM. The approach followed is shown in Figure 3. The stages involved in the ISM process [22] are: (i) Identify the issue to be studied. In this case, the aim is to model the vulnerability factors that RF engineers take into consideration when assessing the likelihood of unintentional electromagnetic radiation compromising office-based ITE security. (ii) Decide on the type of ISM to be constructed. The author of [22] explains that ISM has five structures: intent, priority, attribute enhancement, process structures The stages involved in the ISM process [22] are: (i) Identify the issue to be studied. In this case, the aim is to model the vulnerability factors that RF engineers take into consideration when assessing the likelihood of unintentional electromagnetic radiation compromising office-based ITE security. (ii) Decide on the type of ISM to be constructed. The author of [22] explains that ISM has five structures: intent, priority, attribute enhancement, process structures (sequencing) and mathematical dependence. Each of these structures will have a contextual relationship between the elements making up the ISM. Examples of contextual re-lationships between elements of the five structures listed in order could be 'would help to achieve', 'is more important than', 'strongly contributes to', 'takes place before', 'maps to'. This study prioritizes the vulnerability factors whilst establishing the contribution of the factors to each other as the contextual relationship. (iii) Select participant group and facilitator. Two focus groups of RF engineers were engaged in the study, with the lead author of this paper acting as the facilitator. (iv) Generate the element set. The list of vulnerability factors (V1-V19) as identified in Figure 4 are used as the element set. (v) Complete matrix of element interactions. Pairs of elements within the set were compared and a structural self-interaction matrix (SSIM) was completed based on their relationship. All FG-I RF engineers had been sent instructions explaining how to complete a SSIM, with all seven returning the completed SSIM matrix. This required them to consider 171 combinations of two factors for the vulnerability SSIM made from the 19 factors. The SSIM was completed using the following rules: • Vulnerability factor (i) contributes to vulnerability factor (j) (noting this as a letter V in the SSIM) • Vulnerability factor (j) contributes to vulnerability factor (i) (noting this as a letter A in the SSIM) • Both vulnerability factors contribute to each other (noting this as a letter X in the SSIM) • Both vulnerability factors are independent of each other (noting this as letter O in the SSIM) The individual SSIMs were combined into a single SSIM using the majority vote as the decider for the cell value. A follow-on workshop with FG-I participants resolved any areas of disagreement. An initial reachability matrix (IRM) was created from the SSIM. The IRM has rows and columns labelled by the Factors and shows the pairwise relationship between the Factors in binary form. The rules for converting the SSIM to an IRM are:

•
If the relationship between factor (i) and factor (j) is 'V', then the cell in the IRM labelled (i,j) is marked with a value of binary 1 and the cell labelled (j,i) is marked with a value of binary 0; • If the relationship between factor (i) and factor (j) is 'A', then the cell in the IRM labelled (i,j) is marked with a value of binary 0 and the cell labelled (j,i) is marked with a value of binary 1; • If the relationship between factor (i) and factor (j) is 'X', then the cell in the IRM labelled (i,j) is marked with a value of binary 1 and the cell labelled (j,i) is marked with a value of binary 1; • If the relationship between factor (i) and factor (j) is 'O', then the cell in the IRM labelled (i,j) is marked with a value of binary 0 and the cell labelled (j,i) is marked with a value of binary 0.
The IRM was then checked for added inferred relationships (termed transitivity), which were added to the reachability matrix, creating a final reachability matrix (FRM). This is based on the idea that if factor X is related to factor Y and factor Y is related to factor Z, then it can be inferred that factor X will be related to factor Z. The inferred transitive relationships are shown as red cells in the FRM.
The reachability matrix was then partitioned into different hierarchical levels. The FRM rows (having a binary 1) show which other factors a factor can reach; these being termed the reachability set. The FRM columns (having a binary 1) show which factors can reach the factor in question, termed the antecedent set. An intersection set is made from the common factors of both the reachability and antecedent sets. When the reachability set is the same as the intersection set, the factor has been partitioned into a level. Once a factor has been partitioned into a level, it is removed from the reachability and antecedent sets, and the process is repeated for the remaining factors until all have eventually been assigned a level.
A canonical matrix (CM) was then produced with the factors grouped in order of the partitioned levels with the transitive links removed (i.e., the CM contains the entries from the IRM, but with the factors ordered in terms of the levels identified).
A directed graph (digraph) was then created from the CM. The 19 factors from the CM were placed at the determined levels and links drawn between them where a cell had a binary 1. Once all the cells had been examined, the digraph was complete.
(vi) Display the ISM. The digraph was then converted into an ISM by replacing the element nodes with the element names. (vii) Discuss the structure and amend if necessary. The resulting model was then checked for conceptual consistency with both FG-I and FG-II focus groups.

Results
This section is divided into two subsections. In Section 3.1, the categorization of the causal factors resulting from the cause-and-effect analysis using the Ishikawa diagram is presented. In Section 3.2, the development of the ISM using the factors related to vulnerability is shown and a cross-impact matrix multiplication applied to classification analysis (MICMAC) is used to show the factors' relative significance.

Causal Factor Categories
Risk has three components: threat, vulnerability, and impact. By mapping the 26 causal factors as subcauses to these, it was possible to show 19 of the identified factors related to vulnerability; 3 to threat; and 4 to impact. The identified factors were treated as the potential causes that could lead to the effect of loss of confidentiality. The resulting Ishikawa diagram, adapted from [10] with the vulnerability factors labelled V1-V19, is shown in Figure 4.

Interpretive Structural Model of the Vulnerability Factors
The research questions RQ1 and RQ2 focused on TEMPEST vulnerability. Therefore, the vulnerability causal factors V1-V19 shown in Figure 4 were used as the basis from which to build a structural model. The model and associated MICMAC analysis performed show the factors' relationships and relative significance.
As described in Section 2, pairs of elements (i.e., vulnerability factors) within the element set were compared and a structural self-interaction matrix (SSIM) was completed based on the contextual relationship between them. The resulting SSIM is given in Table 1. Table 1. Self-structured interaction matrix (SSIM).
An initial reachability matrix (IRM) was created from the SSIM ( Table 2). The IRM has rows and columns labelled by the vulnerability factors and shows the pairwise relationship between the factors in binary form. The rules used for converting the SSIM to an IRM were as described in Section 2.  The IRM was then checked for any inferred relationships (termed transitivity). These are added, creating a final reachability matrix (FRM). The inferred transitive relationships are shown in red in the FRM in Table 3. Table 3. Final reachability matrix (FRM).
From the FRM, it was then possible to develop the structural model by identifying the reachability and antecedent sets so that the factors could be levelled into a hierarchy, as shown in Table 4. Once a factor has been partitioned into a level, it is removed from the reachability and antecedent sets, and the process is repeated for the remaining factors until all have eventually been assigned a level.   The factors were then grouped in the order of the partitioned levels, with the transitive links removed, creating a canonical matrix (CM). The CM contains the entries from the IRM, but with the factors ordered in terms of the levels identified, as shown in Table 5. The 19 factors from the CM were placed at the determined levels. The nodes of the digraph were labelled with the vulnerability factor ID and links were drawn between them where a cell had a binary 1. This created a directed graph (digraph), shown in Figure 5, that was the basis for the structural model. The nodes of the digraph were then named to create the model. The model was then examined by both FG-I and FG-II at the final workshop. They asked that an additional link be added between the V10 ITE Type and V12 ITE Interfaces. Both focus groups wanted to ensure that the relationship between the ITE and its interfaces was shown, as the interfaces and their associated data rates have a bearing on the TEMPEST vulnerability likelihood of the ITE and system in which it is used. This extra link is shown as a dotted line in the final ISM ( Figure 6). The nodes of the digraph were then named to create the model. The model was then examined by both FG-I and FG-II at the final workshop. They asked that an additional link be added between the V10 ITE Type and V12 ITE Interfaces. Both focus groups wanted to ensure that the relationship between the ITE and its interfaces was shown, as the interfaces and their associated data rates have a bearing on the TEMPEST vulnerability likelihood of the ITE and system in which it is used. This extra link is shown as a dotted line in the final ISM ( Figure 6).

Vulnerability Factor MICMAC Analysis
To address RQ2, a cross-impact matrix multiplication applied to classification analysis (MICMAC) was performed on the vulnerability factors to determine how they influence each other. This is a two-stage process using the FRM. Firstly, the driving power of each factor is found by counting the ones in the rows, and the dependency power is determined by counting the ones in the columns. Secondly, these values are then mapped onto a grid made of four quadrants, labelled autonomous, linkage, independent (or driver) and dependent. Autonomous

Vulnerability Factor MICMAC Analysis
To address RQ2, a cross-impact matrix multiplication applied to classification analysis (MICMAC) was performed on the vulnerability factors to determine how they influence each other. This is a two-stage process using the FRM. Firstly, the driving power of each factor is found by counting the ones in the rows, and the dependency power is determined by counting the ones in the columns. Secondly, these values are then mapped onto a grid made of four quadrants, labelled autonomous, linkage, independent (or driver) and dependent.
Autonomous The resulting analysis is shown in Figure 7. It shows that the independent (driving) factors found at the bottom of the ISM diagram in Figure 6 strongly influence the overall vulnerability likelihood as they are factors that drive through the adoption of policy and standards, equipment selection, equipment installation and change management. The dependent factors residing at the top of the ISM diagram have limited influence on other factors but show the relationship between the ITE radiation profile, the attacker proximity, and countermeasures, including physical security. The resulting analysis is shown in Figure 7. It shows that the independent (driving) factors found at the bottom of the ISM diagram in Figure 6 strongly influence the overall vulnerability likelihood as they are factors that drive through the adoption of policy and standards, equipment selection, equipment installation and change management. The dependent factors residing at the top of the ISM diagram have limited influence on other factors but show the relationship between the ITE radiation profile, the attacker proximity, and countermeasures, including physical security.

Discussion
The aims of this paper were to explore how RF engineers categorized the causal factors as either belonging to threat, vulnerability, or impact, and then to model the causal vulnerability factors so that their interpretive structure, relationships, and relative significance can be understood and shared with cyber-and information security professionals who do not possess RF experience.
To achieve this, a focus group approach was used to elicit the expert knowledge of the RF engineers engaged in the study. The use of focus groups proved useful in that it allowed for the modelling of the causal vulnerability factors and the models' validation to be split across two different organizations. This offset the expert availability problem, as the workshops and the requirement to individually complete documentation could be more easily scheduled to meet the organizations' work commitments.
The 26 causal factors found in [10] were validated and found to exist in the literature, e.g., [23][24][25][26][27]. However, they are not collated or categorized and their relative significance to each other is difficult to decide given the different contexts in which they are reported. The categorization of the causal factors showed that the 19 related to vulnerability focused on the ITE, the installation standards, the operating environment, and the facility in which it was deployed.
This grouping of factors aligned with the findings from [24] that showed that threat actors will apply technical capability to detect [25], then capture [14] and finally reconstitute [26] unintentional electromagnetic emanations generated from IT equipment as part of its normal operation. Risk mitigation through the application of countermeasures [23] such as signal strength reduction of the emanations (e.g., by providing separation distance and/or by architectural and equipment shielding) are deployed. The results show that the RF engineers use their expertise to concentrate on the vulnerabilities, whilst recognizing

Discussion
The aims of this paper were to explore how RF engineers categorized the causal factors as either belonging to threat, vulnerability, or impact, and then to model the causal vulnerability factors so that their interpretive structure, relationships, and relative significance can be understood and shared with cyber-and information security professionals who do not possess RF experience.
To achieve this, a focus group approach was used to elicit the expert knowledge of the RF engineers engaged in the study. The use of focus groups proved useful in that it allowed for the modelling of the causal vulnerability factors and the models' validation to be split across two different organizations. This offset the expert availability problem, as the workshops and the requirement to individually complete documentation could be more easily scheduled to meet the organizations' work commitments.
The 26 causal factors found in [10] were validated and found to exist in the literature, e.g., [23][24][25][26][27]. However, they are not collated or categorized and their relative significance to each other is difficult to decide given the different contexts in which they are reported. The categorization of the causal factors showed that the 19 related to vulnerability focused on the ITE, the installation standards, the operating environment, and the facility in which it was deployed.
This grouping of factors aligned with the findings from [24] that showed that threat actors will apply technical capability to detect [25], then capture [14] and finally reconstitute [26] unintentional electromagnetic emanations generated from IT equipment as part of its normal operation. Risk mitigation through the application of countermeasures [23] such as signal strength reduction of the emanations (e.g., by providing separation distance and/or by architectural and equipment shielding) are deployed. The results show that the RF engineers use their expertise to concentrate on the vulnerabilities, whilst recognizing that threat capability, particularly the impact that radio receiver and antenna performance will have on the range over which emissions can be captured [27].
The resulting ISM and MICMAC analysis show the relationships between the 19 vulnerability factors and their ability to influence each other. The analysis has found four key causal factors (shown at the bottom levels of the ISM diagram in Figure 6): V18 Policy, Standards and Guidance; V10 ITE Equipment Type; V8 Application of Installation Standards; and V16 Configuration and Control. These factors drive the overall TEMPEST vulnerability likelihood. This implies that to manage TEMPEST vulnerabilities effectively relies on adopting policies, standards and guidelines, which in turn lead to the right choice of equipment. This equipment then needs to be installed correctly and configuration-controlled. Given the significance of these factors, if they are not adopted, the model shows that this will have a detrimental impact on the overall level of vulnerability likelihood. For example, if no policy is adopted, there is a risk that the ITE type selected, and installation standards applied will not be appropriate for the application. Without appropriate installation standards the change management becomes ineffective, as the standards set a baseline from which changes can be assessed. The analysis has also found four highly dependent factors (shown at the top levels of the ISM diagram in Figure 6): V3 Physical Security; V1 Inspectable Space; V7 Radiated and Conducted Emanation Countermeasures; and V5 ITE Radiation Profile. These show the relationship between the ITE's radiation profile, and the countermeasures deployed to prevent any emanations radiating over a distance from which an attacker could benefit. It highlights the level of physical security needed as being influenced by the geolocation and operating environment of the ITE and the inspectable space (how close an attacker can get). The geolocation of the ITE may increase the risk to it, allowing potential attackers greater access to the facility in which it is housed and or greater proximity to the equipment itself. The ISM developed ( Figure 6) highlights that the RF engineers are using physical security controls to keep the distance from the ITE and an attacker to the maximum. The RF Engineers are then assessing the radiation profile of the ITE against this distance, and providing that the radiation profile is less than it, they believe that the vulnerability is unlikely to be exploited. If the RF Engineers find that the radiation profile exceeds the distance that they can physically control, they will then apply countermeasures to keep the emanations within it.
Information leakage through electromagnetic emissions are now included in security management frameworks, e.g., ISO 27000, and specifically ISO 27005 [28]. However, the detail explaining these vulnerabilities and their mitigation measures is not always sufficient, requiring cybersecurity practitioners without RF experience to seek support from RF consultancy services. Additionally, it is recognized that different approaches will be used by experts and novices when processing information. This is related to the different levels of prior knowledge that each bring to a specific domain [29]. This may also extend to information security practitioners without prior knowledge of RF engineering who may not give the same consideration to the TEMPEST vulnerabilities as they would to the other cybersecurity vulnerabilities that they have more experience of.
The structural model of the causal vulnerability factors and associated MICMAC analysis produced by this study should aid cybersecurity practitioners (without RF experience) to enhance their knowledge and understanding of what is being considered as part of a TEMPEST vulnerability assessment. This will be useful when they are carrying out risk assessments that need to incorporate TEMPEST vulnerability assessments. For example, the ISM can be used to derive a series of questions that could be asked, e.g., by a cybersecurity risk manager (without RF experience) of a project to ensure that the vulnerability likelihood is being minimized. This could include, for example, focusing on an area where the project may have increased the vulnerability likelihood, e.g., by buying equipment of the wrong type or not having robust configuration and control practices, so that when a piece of equipment fails, it is replaced with the wrong type or installed without following the best installation practice. The ISM can also aid RF engineers in their professional consultancy practice by supplying a baseline model from which vulnerability assessments of office-based ITE can be made. An example would be to derive a checklist from the model. This could be used to formalize a peer review process between RF engineers to ensure they had maintained the quality of any consultancy offered.
One of the difficulties with assessing TEMPEST vulnerability likelihood is in establishing how much deviation from the ideal causes the vulnerability likelihood level to rise, and by how much. To answer this requires knowledge of the factor relationships (provided by the ISM) but also the dynamic behaviour between the factors, i.e., if one factor changes its value, what impact that has on a connected factor. This will be the focus of future work, which will use the ISM as the basis to investigate the dynamic relationships between factors, so that the vulnerability likelihood level as part of a vulnerability assessment can be quantified.

Conclusions
The output from this study provides an ISM of the causal vulnerability factors related to TEMPEST vulnerabilities of office-based ITE. The model shows the relative significance of the factors and their interrelationships. The accompanying MICMAC analysis has also found the key driving factors that affect TEMPEST vulnerability management.
The study has employed two independent focus groups of RF engineers to model the factors used in professional practice when assessing TEMPEST vulnerabilities. The model and associated MICMAC analysis can be used by cybersecurity risk managers having little or no RF experience to enhance their knowledge. This will improve their ability to manage vulnerabilities of this type by, e.g., ensuring best installation practices are followed. The ISM and related information provided by the Ishikawa diagram also provide useful artefacts as an aide-memoire for practicing RF engineers.
Future work will develop the ISM into a vulnerability assessment decision support tool, where it will be used to predict the TEMPEST vulnerability likelihood from office-based deployments of ITE. The intent is for the tool to be of use to RF engineers and to support cybersecurity practitioners who do not have RF expertise. As TEMPEST vulnerability assessment is a specialized area of RF engineering, only a limited number of RF engineers with the requisite expertise were available. This, taken into consideration with the fact that the model was developed for a specific office-based ITE deployment scenario, may impact the generality of the results. Nonetheless, the RF experts believe that the results are robust enough to provide a useful basis from which to develop a decision support tool.