"A risk assessment of the Piql Services" by FFI

to describe them that way, as this seems implausible considering the current application areas of the Piql system. We have instead chosen to include the scenarios where the Piql Preservation Services is not perceived as the direct target, but nonetheless suffer as an indirect effect or cascade effect. The piqlFilm is simply collateral damage to another attack not directed at it. Similarly, as the Piql Preservation Services is not the target in these scenarios and there is no direct threat present, it is difficult for us to give specific recommendations on how to mitigate that threat. Our only recommendation must therefore be: always be aware of your surroundings. Avoid high risk occupancies such as close proximity to chemical plants or refineries, or placement of the piqlVault in a building which is likely to be a terrorist target due to one of the other occupants, or in a city likely to be the target of a nuclear attack. Other recommendations regarding the dangers that threaten the Piql Preservation Services in such scenarios, such as fire protection, fortified walls to withstand tremors or explosives, are covered in the measures recommended in other safety scenarios. The scenarios more than often describe a worst case scenario where a vital safety or security measure is missing. This is simply to illustrate how badly this can damage the Piql Preservation Services in order to underline the importance of protecting the Piql Preservation Services from such harm. It does not have to be a complicated or expensive measure: the important thing is that it is present. Often a minor measure can make all the difference, especially when it comes to issues regarding security. It can simply be about putting enough (minor) obstacles in the threat actor’s way to deter them from acting. There is often an easy fix to the problem as well, e.g. move a vault placed in an area with a higher risk of flooding to a higher floor to avoid flood damage. One should always take into consideration that such changes can lead to different kinds of vulnerabilities, such as, in this example, making the vault more vulnerable to the effects of earthquakes and tremors. An important delimitation of our scenario analysis is that the scenarios will not examine the consequences of loss of information, i.e. how this may affect the company storing the information financially or with regards to its reputation. Our scenario description and analysis ends once the film is damaged or removed from the piqlVault without authorisation. The aftermath falls outside the scope of our assignment. Our aim is to assist in the definition of the safety and security measures that need to be in place to prevent said loss. Finally, we must make one caveat regarding one of the security properties CIA. Normally, for the security property availability to be deemed compromised the information in question must be unavailable at a time when it is urgently needed, i.e. it is both time- and situation specific. However, as the scenario descriptions in this report are generic, we have found it necessary to redefine the usage of availability. Therefore, when we conclude that availability has been compromised in a scenario, we mean that the information simply cannot be accessed – regardless of the data owner’s need for it.

49

FFI-RAPPORT 16/00707