"A risk assessment of the Piql Services" by FFI

that while the piqlFilms are in storage, they have no connection to online networks. Yet, in order for the piqlFilms to become just that – a film with printed information on it as a vital component of the Piql Preservation Services – the piqlFilms must at some point be connected to online networks, for instance when they are placed on the piqlWriter- and Reader. These processes are necessary both during data ingestion and data retrieval, and risks and vulnerabilities connected to data security are present in both these phases. Because of the similarity of threats, we therefore include only the ingestion phase in our risk assessment, as we deem it unnecessary to include both.

4 Definitions

This chapter provides working definitions of key terms used in this report and specifies important delimitations. The subjects requiring clarification are risk and vulnerability analysis, computer security and the scenario-based approach.

4.1 Terms Related to Risk and Vulnerability Analysis

Term: Definition

Safety: Protection against unwanted events that are caused by one or more coincidences, i.e. unintentional events [11, 12].

Security: Protection against unwanted events that are the result of deliberation and planning, i.e. intentional acts [11, 12].

Risk: Expression of danger of loss of important values due to an unwanted event. SN ISO Guide 73:2009 defines risk as the effect of uncertainty on objectives, often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence. NS 5830:2012 defines risk as the expression of the relationship between the threat against a given asset and this asset's vulnerability to the specific threat [11, 5 p.3, 13 p.5].

Threat: A possible unwanted event that can have negative consequences for the security of an entity [13 p.4]. Used in this report in relation to an action performed by a threat actor, i.e. an intentional act.

Hazard: Source of potential harm [5 p.7]. Used in this report in relation to an event without a deliberate cause, i.e. an unintentional event.

Vulnerability: ISO Guide 73:2009 defines vulnerability as the intrinsic properties of something resulting in susceptibility to a risk source (element which alone or in combination has


FFI-RAPPORT 16/00707
