"A risk assessment of the Piql Services" by FFI

6.2 Considerations in Scenario Development

Several considerations create an operating environment for this assessment which is very comprehensive: The universal and global application of the service, the 500 year longevity of the piqlFilm, -Box, –Bin and some elements of the piqlVault, and the interconnected physical and digital nature of digital preservation. We permit ourselves, in this section, a summary of the vast number of variables present in this assessment, which must all be considered in order for FFI to be able to make meaningful conclusions and recommendations regarding the Piql Preservation Services. We therefore briefly outline these variables with the hope that it will enable the reader to better understand the grounds upon which we based the decisions made in the scenario development. Before the variables, or considerations, are outlined, it is useful to introduce the criteria by which the Piql Preservation Services will be judged in the scenario analysis, i.e. how well the system and all surrounding protective measures hold up against unwanted external influence. As the asset we are assessing the protection of in the scenarios is the information preserved on the piqlFilms, it is evident that we are in the realm of information security. It is natural to judge the Piql Preservation Services on its ability to guarantee the three key security properties of information security. These are confidentiality, integrity and availability, easily remembered by the abbreviation CIA, as described in chapter 4. In addition to cover issues of data security, the assessment must also include the physical security of the system. We therefore ask the question of how the information on the piqlFilms can be compromised, either through the use of digital malware which damages or extracts without permission the encoded information on the piqlFilms or because the physical components of the system – the film, the box and the vault – are physically damaged. Both incidences cause the information to be compromised, jeopardising the confidentiality, integrity and availability of the information that is preserved. Additionally, the scenario selection must also consider various causes of a security situation challenging the Piql Preservation Services. The field of risk assessments is commonly separated into two concepts: safety and security. Safety is defined as protection against unwanted events that are caused by one or more coincidences, or unwanted unintentional events. Security is defined as protection against unwanted events that are the result of deliberation and planning, or unwanted intentional acts [11, 12]. In security, we have to account for threat actors and their intentions and capacities because we are referring to events that are premeditated and pre- arranged. This is unlike safety, where we cannot speak of threat actors in the same way. This is not to say that there can never be a human actor who instigates an event in the safety category. An accident can be a result of human error, but then the act is not deliberate, and the following situation cannot thus be characterised as being related to security. The selection of scenarios in our assessment must include issues that arise in both safety- and security-related situations, because both can have negative consequences for the Piql Preservation Services.

47

FFI-RAPPORT 16/00707