

FFI-RAPPORT 16/00707
corresponding sensitivity of that information. This could vary greatly from area to area: military
secrets are a lot more sensitive, for instance, than a company’s accounting records. The security
level surrounding the Piql Preservation Services would vary in equal measure. Before we can
make sound recommendations regarding the security level needed to protect the asset, we must
first understand the value of the asset in order to analyse what kind of threats it faces and thus
what its vulnerabilities are. Value-oriented thinking is therefore paramount to our risk
assessment.
Based on the discussion above, we present our working definition of a risk assessment. A risk
assessment is the overall process of risk identification, risk analysis and risk evaluation. By risk
identification we mean first mapping the system which is the object of analysis, here the Piql
Preservation Services, followed by finding and describing corresponding risks. The next step,
risk analysis, entails assessing the relationship between the intentional threats or unintentional
hazards faced by a certain value and the vulnerability of this value against the specified threat or
hazard. Lastly, risk evaluation involves determining the level of risk and identifying
corresponding measures to reduce the harmful effect [5, 8]. Our emphasis in the PreservIA
project is primarily placed on the first two, whereas the risk evaluation will form the
basis of further work in later work packages of the project.
As stated in chapter 1 of the report, our risk assessment will cover the Piql Preservation Service
Journey. However, a more in-depth clarification of the scope is necessary, firstly, because we
include considerations which go beyond the service journey as explained in detail in chapter 2,
and, secondly, because certain aspects of, and stages in, the service journey are not covered
by our assessment.
Figure 3.1 The scope of the risk assessment