Page Comparison

System unavailability

Error, component failure, or act of God

Power failure, network failure, computer component failure, operator error, software failure, capacity constraint,  etc.

Inconvenience, distress or damage to standing or reputation

Moderate: failures will happen, but competently managed systems typically have availability records of 99% or better

Low: for fishery management decision support typical availability is adequate.  Even in the event of a systemic failure fishery management decision-making would continue and unavailability would be a short-term inconvenience.  Smaller scale failures, for instance a failure that prevents reporting from one vessel, would be a minor inconvenience.

N.A. (E-signature has no effect, positive or negative, on this vulnerability) N.A. (E-signature has no effect, positive or negative, on this vulnerability)

System unavailability

Vandalism

Internet security exploit such as denial-of-service attack

Inconvenience, distress or damage to standing or reputation

Low: this is not an online Internet-exposed system and should have very low vulnerability to network-based exploits. 

Low: even in the event of a systemic failure fishery management decision-making would continue and unavailability would be a short-term inconvenience

N.A.

System misuse

System administrator, operator, or N.A. other agency user

Abuse of insider knowledge and access for unauthorized use or release of information

Civil or criminal violations
and orUnauthorized Unauthorized release of sensitive information

Low: agency staff have significant incentives to behave appropriately and periodic training in ethics and computer security

Moderate: at worst, a release of personal or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with an expected serious adverse effect on organizational operations.

N.A.

"

"

"

Civil or criminal violations

Low: agency staff have significant incentives to behave appropriately and periodic training in ethics and computer security

Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts

N.A.

Failure to report

Fisher

Fisher fails to report, either through negligence, or with intent to mislead fisheries managers and evade fisheries management control or enforcement actions

Harm to agency programs or public interests

Low: permitted fishers know the rules and understand the risks of non-compliance

Moderate: any individual trip report would be inconsequential in overall impact, but widespread and long-term failure to report may facilitate overfishing with significant damage to public interests

Benefit: failure to report would be detectable quickly, resulting in more responsive enforcement and potentially a higher rate of compliance.  Also e-reporting and e-signature can be additional features of fishing activity management software, providing e-logbook reporting in a value-added context, potentially making compliance more attractive

"

"

"

Civil or criminal violations

Low: permitted fishers know the rules and understand the risks of non-compliance

Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts

Benefit: failure to report would be detectable quickly, resulting in more responsive enforcement and potentially a higher rate of compliance.  Also e-reporting and e-signature can be additional features of fishing activity management software, providing e-logbook reporting in a value-added context, potentially making compliance more attractive.

Under-reporting or misreporting catch

Fisher

Fisher under-reports or misreports, to mislead fisheries managers and evade fisheries management controls

Harm to agency programs or public interests

Low: permitted fishers know the rules and understand the risks of non-compliance

Low: any individual trip report with highly unlikely numbers would trigger data quality checks and would be corrected or disregarded.  Credible individual trip reports, even if intentionally misreported, would be inconsequential in overall impact.  Even a concerted long-term effort to misreport by any one fisher is likely to be either not creditable or inconsequential.

Benefit: e-reporting and e-signature can result in more immediate feedback for detectable errors, and more immediate feedback facilitates more accurate reporting

"

"

"

Civil or criminal violations

Low: permitted fishers know the rules and understand the risks of non-compliance

Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts

Benefit: misreporting problems might be detected quickly, resulting in more responsive enforcement and potentially a higher rate of compliance.

Impersonation in e-logbook transactions

Common criminal/identity thief

Impersonation using stolen identity credentials, with fraudulent reporting of false data to incriminate or defame victim

Inconvenience, distress or damage to standing or reputation

Low: common criminals are unlikely to have subject-area expertise to discover an incrimination or defamation opportunity and there are probably easier attacks

Low: impersonated parties or agency staff would be likely to notice during dockside interview process and/or subsequent data review, and when detected, the impact could be effectively mitigated

No net cost or benefit: e-reporting and e-signature provide two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software); the traditional paper logbook may have been laying about on the bridge with no security control.  However, this may be balanced by the fact that it is easy to understand and mitigate the risk with the traditional paper logbook (the skipper will understand the risk and the potential solutions), while the risks associated with electronic solutions won't be well understood.

"

"

Impersonation using stolen identity credentials, for access to sensitive information

Unauthorized release of sensitive information

Low: successful identity theft could result in compromise of sensitive information from the victim's logbook records but an uninformed criminal would be unlikely to find or identify sensitive information

Low: probably the only information of value that is credibly at risk is catch location, timing, and gear, and the people with the means to take advantage of that unique information are already well placed to have that same knowledge or to acquire it by closely observing the victim's fishing activity.  Also, the impact would be limited to the party whose identity has been stolen

No net cost or benefit: e-reporting and e-signature provide two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software); the traditional paper logbook may have been laying about on the bridge with no security control.  However, this may be balanced by the fact that it is easy to understand and mitigate the risk with the traditional paper logbook (the skipper will understand the risk and the potential solutions), while the risks associated with electronic solutions won't be well understood.

Impersonation in e-logbook transactions

Disgruntled industry employee

Impersonation using stolen identity credentials, with fraudulent reporting of false data to incriminate or defame victim

Inconvenience, distress or damage to standing or reputation

Low: opportunity will be limited because the e-logbook is onboard the vessel at sea and protected by two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software); however, an employee might be more likely than others to have the means, motive, and opportunity

Low: impersonated parties or agency staff would be likely to notice during dockside interview process and/or subsequent data review, and when detected, the impact could be effectively mitigated

No net cost or benefit: vulnerability for an employee attack is not significantly different in electronic transactions than it is in paper transactions

"

"

Impersonation using stolen identity credentials, for access to sensitive information

Unauthorized release of sensitive information

Low: the employee who might possibly have the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in e-logbook data

Low: probably the only information of value that is credibly at risk is catch location, timing, and gear, and the disgruntled employee is likely to already have that information from personal observation.   Also, the impact would be limited to the party whose identity has been stolen

No net cost or benefit: vulnerability for an employee attack is not significantly different in electronic transactions than it is in paper transactions

Impersonation in e-logbook transactions

Competitor

Impersonation using stolen identity credentials, with fraudulent reporting of false data to incriminate or defame victim

Inconvenience, distress or damage to standing or reputation

Low: a competitor might have a motive, but is unlikely to have means and opportunity

Low: impersonated parties or agency staff would be likely to notice during dockside interview No net cost or benefit: vulnerability for an employee attack is not significantly different in electronic transactions than it is in paper transactions process and subsequent data review, and when detected, the impact could be effectively mitigated

No net cost or benefit: e-reporting and e-signature provide two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software); the traditional paper logbook may have been laying about on the bridge with no security control.  However, this may be balanced by the fact that it is easy to understand and mitigate the risk with the traditional paper logbook (the skipper will understand the risk and the potential solutions), while the risks associated with electronic solutions won't be well understood.

"

"

Impersonation using stolen identity credentials, for access to sensitive information

Unauthorized release of sensitive information

Low: a competitor might have a motive, but is unlikely to have means and opportunity

Low: probably the only information of value that is credibly at risk is catch location, timing, and gear, and the people with the means to take advantage of that unique information are already well placed to have that same knowledge or to acquire it by closely observing the victim's fishing activity.  Also, the impact would be limited to the party whose identity has been stolen

No net cost or benefit: e-reporting and e-signature provide two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software); the traditional paper logbook may have been laying about on the bridge with no security control.  However, this may be balanced by the fact that it is easy to understand and mitigate the risk with the traditional paper logbook (the skipper will understand the risk and the potential solutions), while the risks associated with electronic solutions won't be well understood.

"

Common criminal/identity thief
or
Disgruntled industry employee
or
Competitor 

Impersonation using stolen identity credentials

Civil or criminal violations

Low: opportunity will be limited because the e-logbook is onboard the vessel at sea and protected by two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software)

Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts

Cost: criminal e-signature forgery, falsification or misrepresentation will provide new challenges for enforcement investigation and litigation

Repudiation to escape accountability

Customer (fisher)

Signer claims "I didn't sign that"

Inconvenience, distress or damage to standing or reputation

Low: in most cases a customer who repudiated an e-logbook document submission could then be prosecuted for fishing without following record-keeping and reporting requirements.  There will generally be independent evidence of the fishing or processing activity (follow the fish.)

Low: agency might expend effort to resolve, but the distress would be limited and short-term

Cost: despite e-signature's legal standing and agency instructions, there is likely to be a tendency to regard a holographic signature as more significant or more binding.  It is likely that the requirement to sign a filing with a holographic signature has more influence on the signer's behavior with respect to their consideration of what they are submitting, their commitment to reporting the truth, and their expectation of being held accountable.  Persons signing with an e-signature are likely to understand that it would be difficult to prove what individual executed the e-signature (because credentials are transferable).  This is likely to motivate some people to repudiate their e-signature if they are being held accountable for something signed with an e-signature.

"

"

"

Civil or criminal violations

Low: in most cases a customer who repudiated an e-logbook document submission could then be prosecuted for fishing without following record-keeping and reporting requirements.  There will generally be independent evidence of the fishing or processing activity (follow the fish.)

Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts

Cost: criminal e-signature forgery, falsification or misrepresentation will provide new challenges for enforcement investigation and litigation

Inconvenience, distress or damage to standing or reputation

No

Mod Low

2/3 1

Financial loss or agency liability

No

Mod

2/3 N/A

N/A

Agency liability

No

Mod

2/3 N/A

N/A

Harm to agency programs or public interests

No

Low Moderate

2 3

Unauthorized release of sensitive information

No

Low

2

Personal Safety

N/A

N/A

Civil or criminal violations

No

Moderate

3