"A risk assessment of the Piql Services" by FFI

Another consideration to be kept in mind during the scenario development is the many phases the information goes through in the Piql Preservation Services Journey. The reader will recall the scope we have defined for the assessment, which includes the objects of study, the structural relationships between these objects and the defined security parameters surrounding it all. The scenarios chosen must firstly account for risks faced by the Piql Preservation Services during production. This entails risk that may harm the Piql system during the steps of receiving the data, the ingestion phase of the data into the piqlWriter, while the piqlWriter prints the piqlFilms and they are developed, and finally when the finished films are read back to verify their integrity and accuracy. Furthermore, the scenario selection must include the transportation phase from the production site to the designated storage facility when the boxed piqlFilms are out in the open and more exposed to external influences. Most of the scenarios must cover events that may occur while the films are in storage which may have consequences for the confidentiality, integrity and availability of the information. We assume that the piqlFilms can be stored in three different geographical zones, placed in different settings at their locations, and operated by an automated handling system. Additionally, the safety measures and security regimes that would be in place for the different user classes protecting information with varying levels of sensitivity must be accounted for. These variables too must be covered in equal measure in the scenario analysis. The main challenge in the scenario development is finding a balance between all these variables and considerations, and making sure they are included in the scenario descriptions to such an extent as is necessary for us to be able to do a meaningful analysis. The scenarios relating to issues of safety will take place only during storage and not during production or transportation. During both the production phase and during transportation a natural disaster or accident which harms the piqlFilms can, of course, occur. However, there is little one can do to plan for this or prevent the films from being damaged by accidents or natural phenomena when they are ―out in the open‖ like this, i.e. not in secured storage, as these things happen without warning and can simply be chalked up to ―bad luck‖. When considering that it is nearly impossible to plan for the protection of the film from such events, the assessment would have no value other than to say ―these things do happen, tough luck‖. The piqlFilm will always be more vulnerable out in the open. In storage, however, the Piql partner has control of the environment and can implement safety and security measures to offset the effects of the above-mentioned, i.e. this is where the scenarios have a user value to the Consortium. Most security scenarios have the Piql Preservation Services as the target, i.e. we are describing direct threats to the system. Yet, in the scenarios relating to terrorism and a nuclear event, we find it too unlikely that the piqlFilm is the actual target to make a plausible scenario. The scenario selection method of morphological analysis used in this assessment does find these scenarios as relevant direct threats to the Piql Preservation Services: we have simply chosen not 6.2.1 Scenario Constraints

48

FFI-RAPPORT 16/00707