Cybersecurity as Preservation

Adversarial Risk and Information Resilience in Cultural Heritage Institutions

Authors

Affiliation

Jonathan Isip

School of Library and Information Studies

Dan Anthony Dorado

School of Library and Information Studies

Abstract

Digital preservation theory has long addressed technological obsolescence, repository trust, metadata, authenticity, and long-term access, but it has less fully accounted for adversarial disruption as a preservation problem. Libraries and cultural heritage institutions now depend on networked, platform-mediated, and data-intensive infrastructures whose compromise can affect not only system availability but also provenance, confidentiality, interpretability, and public trust. This article develops the concept of cybersecurity as preservation through an abductive qualitative document analysis of 44 public governance documents and incident materials from libraries, archives, cultural heritage organizations, and professional bodies. The study examines how digital preservation, cybersecurity, disaster continuity, AI governance, and privacy are represented across public documents, and how genre-based policy fragmentation constrains the conceptualization of cyber incidents as preservation failures. The article contributes to information science by theorizing cybersecurity not as technical hardening adjacent to preservation, but as a preservation practice when it protects the sociotechnical conditions of trustworthy information stewardship.

1 Introduction

1.1 Adversarial disruption as a preservation problem

Libraries, archives, museums, and other cultural heritage institutions have long understood preservation as a promise across time: the commitment that records, collections, metadata, and evidentiary contexts will remain usable, intelligible, and trustworthy beyond the technological, organizational, and environmental conditions in which they were created. In the digital era, however, that promise increasingly depends on infrastructures that are exposed to malicious disruption. Preservation can no longer be conceptualized only as protection against decay, obsolescence, or disaster damage. It must also be understood as protection against adversarial attacks on availability, integrity, confidentiality, authenticity, and institutional trust.

This article advances the concept of cybersecurity as preservation: the proposition that cybersecurity is not merely an administrative, technical, or compliance function adjacent to cultural heritage work, but a core preservation practice that sustains access, evidence, memory, and accountability. The argument is not that cybersecurity replaces established preservation activities such as appraisal, metadata creation, format migration, fixity checking, environmental control, or disaster planning. Rather, cybersecurity should be theorized as one of the conditions under which those activities can continue to hold meaning. A repository may maintain multiple copies and check fixity, yet remain preservation-fragile if privileged credentials allow all copies to be deleted, encrypted, or silently altered (Owens, 2017). A digitized collection may reduce handling of physical originals, yet become unavailable or untrustworthy if access platforms, identity systems, discovery layers, or storage environments are compromised (Conway, 2010; Nguyen, 2024).

This reframing is urgent because the object of preservation has expanded. Libraries and cultural heritage institutions now preserve not only physical collections and digital objects, but also the relationships that make those objects meaningful: metadata, provenance, rights information, audit trails, repository workflows, access infrastructures, service channels, and user trust. Digital preservation scholarship has long emphasized planning, policy, infrastructure, metadata, trusted repositories, and preservation as risk management (Becker et al., 2009; Becker & Rauber, 2011; Pinnick, 2017). Knowledge-infrastructure scholarship likewise shows that archives and repositories mediate durable relations among people, artifacts, institutions, and data practices (Borgman et al., 2019). Yet the dominant institutional division of labor still often treats cybersecurity as an information technology concern and preservation as a curatorial, archival, or collections concern. That division is increasingly untenable.

Recent cyber incidents in the cultural heritage sector make visible what was previously easy to treat as hypothetical. Ransomware and data incidents have disrupted major library systems, interrupted catalog and service access, exposed sensitive information, and forced lengthy recovery processes (British Library, 2024; HathiTrust, 2026; Seattle Public Library, 2025; Toronto Public Library, 2023). In the language of preservation, these are not simply system outages. They are interruptions in the chain of stewardship. They threaten the availability of cultural memory, the integrity of digital surrogates and born-digital collections, the confidentiality of user and staff data, and the credibility of institutions that mediate public knowledge.

1.2 The limits of separated governance domains

The public documentary record of institutional governance often treats preservation, disaster planning, information technology, privacy, AI, and cybersecurity as separate policy domains. Preservation policies often emphasize bit-level integrity, metadata, storage, format migration, and repository responsibilities; disaster plans often emphasize fire, flood, evacuation, salvage, and physical collection triage; cybersecurity plans often emphasize networks, endpoints, authentication, incident response, and compliance. Each domain is necessary, but the separation produces a blind spot: public documents may describe how to recover systems or collections while leaving the trust relationships among objects, metadata, provenance, users, rights, and platforms under-specified.

This study therefore does not claim to measure actual institutional cybersecurity maturity. Its empirical object is narrower: publicly available governance documents and incident materials. These documents represent how priorities are made visible, how domains are separated or connected in public policy genres, and where public accounts of continuity leave cyber, AI, privacy, or preservation relationships under-specified. The central research problem is that this public documentary fragmentation limits preservation theory’s ability to account for adversarial disruption and limits resilience planning’s ability to protect authenticity, provenance, confidentiality, interpretability, access, and trust as linked information-science concerns.

1.3 Contribution and research questions

The central theoretical contribution of this article is to reposition cybersecurity within preservation theory rather than merely beside it. Cybersecurity as preservation addresses this gap by treating cyber controls as preservation controls when they protect the conditions of continued cultural memory. Under this framing, multifactor authentication is not only an access-control measure; it is a safeguard for stewardship authority. Offline and immutable backups are not only disaster recovery assets; they are preservation copies under adversarial conditions. Fixity checking and audit trails are not only repository functions; they are evidence practices for detecting unauthorized change. Vendor risk management is not only procurement diligence; it is a means of preserving access paths, metadata dependencies, and licensed knowledge environments. Privacy protection is not only legal compliance; it is part of preserving intellectual freedom and the public legitimacy of libraries (American Library Association, 2025; Association of Research Libraries, 2024).

This article makes three contributions. First, it extends digital preservation theory by identifying adversarial disruption as a preservation risk. Second, it extends information resilience scholarship by shifting attention from user and community adaptation to institutional stewardship continuity. Third, it contributes a framework for analyzing when cybersecurity, AI governance, privacy, and disaster continuity function as preservation-relevant controls.

This article develops an Information Resilience Framework for libraries and cultural heritage institutions. The framework is informed by a structured corpus of 44 public documents and case materials across 6 regions, including disaster plans, digital preservation policies, AI and privacy guidelines, cybersecurity reports, and real-world incident materials. The corpus is used conceptually rather than statistically: it functions as a comparative evidence base for identifying policy separations, recurring gaps, and emerging exemplars.

The article is guided by four questions:

1. RQ1: How are preservation, cybersecurity, disaster continuity, AI governance, and privacy represented across public governance documents and incident materials from libraries and cultural heritage institutions?
2. RQ2: Where do these document genres converge or diverge in their treatment of access, integrity, authenticity, confidentiality, provenance, service continuity, and institutional trust?
3. RQ3: How does policy-domain fragmentation constrain the conceptualization of cyber incidents as preservation failures?
4. RQ4: What dimensions constitute an Information Resilience Framework capable of integrating cybersecurity as a preservation practice in libraries and cultural heritage institutions?

The sections that follow will review the relevant literature, describe the document corpus and analytical approach, elaborate the Information Resilience Framework, and discuss implications for research, governance, and practice. The intended contribution is both theoretical and strategic: to give library and information science a vocabulary for treating cyber risk as a preservation risk, and to give cultural heritage institutions a framework for aligning preservation, cybersecurity, ethics, and continuity before the next crisis forces that integration under duress.

2 Review of Related Literature

2.1 Digital preservation as sociotechnical risk management

Digital preservation research has moved well beyond a narrow concern with storage. Foundational work in the field frames preservation as an ongoing sociotechnical commitment involving appraisal, metadata, policy, repository design, format sustainability, organizational responsibility, and the ability to render and interpret digital objects over time (Conway, 2010; Dappert & Enders, 2008; Owens, 2017). This matters for the present argument because cybersecurity as preservation does not begin from a blank conceptual field. Preservation scholarship has already established that long-term access depends on relationships among objects, systems, people, institutions, and designated communities.

Several strands of this literature are especially relevant. First, preservation planning research treats preservation as a problem of decision-making under uncertainty. Becker and colleagues develop systematic approaches for evaluating preservation actions and decision criteria, emphasizing that preservation choices must be measurable, context-sensitive, and aligned with institutional requirements (Becker et al., 2009; Becker & Rauber, 2011). Second, preservation requirements research highlights the organizational embedding of preservation work. Pinnick’s study of digital preservation requirements emphasizes policy, strategy, infrastructure, standards, trusted repositories, and organizational context, noting that preservation programs cannot be acquired as ready-made products (Pinnick, 2017). Third, risk-based approaches explicitly position digital preservation as risk management. Barons and colleagues, for example, argue that safeguarding national digital memory requires modeling preservation risks and desired outcomes such as availability, identity, persistence, renderability, understandability, and authenticity (Barons et al., 2021).

These contributions provide the basis for a broader claim: digital preservation is already a resilience practice, but its security implications are often under-theorized. The preservation literature recognizes that digital objects are vulnerable to media failure, format obsolescence, software dependency, metadata loss, organizational neglect, and resource constraints. It is less consistent in theorizing malicious disruption as a preservation problem. Owens offers one of the clearest bridges by distinguishing backup from preservation and by warning that even well-managed copies and fixity workflows can fail if one actor can delete all copies (Owens, 2017). This observation is crucial: a preservation system can satisfy technical criteria for replication and integrity checking while remaining fragile under adversarial conditions.

The implication is that cybersecurity should be understood as part of the preservation environment, not as a later operational add-on. Authentication, authorization, logging, network segmentation, offline or immutable backups, incident response, vendor risk review, and recovery testing all shape whether preserved materials remain available, authentic, and trustworthy after disruption. Preservation theory therefore needs a security vocabulary, while cybersecurity practice in cultural heritage settings needs a preservation vocabulary.

2.2 Libraries, archives, and cultural heritage institutions as critical information infrastructures

Libraries and cultural heritage institutions are often described through their collections, but the literature on disaster, community resilience, and information behavior suggests that they also operate as critical information infrastructures. In disaster contexts, libraries provide access to communication channels, trusted local information, public computing, social support, and interpretive help. Studies of Hurricane Katrina survivors show that public libraries served as open, trusted places where displaced people could seek information, contact loved ones, and regain some sense of orientation after disruption (Braquet, 2010). More broadly, scholarship on libraries, archives, museums, and communities links LAM institutions to community, cultural, and information resilience, especially for groups navigating uncertainty and disrupted information landscapes (Varheim et al., 2018).

Information resilience scholarship deepens this point by shifting attention from infrastructure availability alone to the practices through which people learn to navigate changed information environments. Lloyd’s work conceptualizes information resilience as the capacity to address disruption and uncertainty through information practices, access, social networks, and the construction of new information landscapes (Lloyd, 2014, 2015). Nicol, Willson, and Ruthven similarly show that information intermediaries became crucial during the pandemic as clients and service providers confronted shifting rules, broken systems, and new forms of information marginalization (Nicol et al., 2022). In network-oriented research, information resilience has also been defined in terms of continued access to information despite faults and challenges, with integrity and availability treated as central measures (Rak et al., 2017).

Taken together, these studies broaden the preservation question. The issue is not only whether a file survives, or whether a building can reopen, but whether the institution can sustain meaningful information access and trust when its ordinary channels are compromised. This perspective is particularly compatible with JASIST readership because it connects infrastructure, information behavior, knowledge organization, ethics, and institutional design. It also clarifies why cultural heritage cybersecurity cannot be reduced to technical hardening. A cyber incident can damage information resilience by interrupting access, fragmenting service channels, undermining confidence in metadata or records, exposing user data, or forcing staff into improvised workflows without reliable systems.

2.3 Cybersecurity, integrity, and the preservation of trust

Cybersecurity literature in library and cultural heritage contexts has grown as digitization, cloud services, remote access, and platform dependence have expanded institutional attack surfaces. Research on cybersecurity for information professionals emphasizes that cultural heritage technologies can expose students, staff, faculty, patrons, and other users to breaches of confidential data and information (Cybersecurity for Information Professionals, 2020). Recent library-focused work identifies phishing, malware, ransomware, data breaches, insider threats, and cloud-based service vulnerabilities as risks to confidentiality, integrity, and availability in higher education libraries (Akor et al., 2024). Cultural heritage cybersecurity scholarship similarly warns that malware, ransomware, unauthorized alteration, loss of authenticity, service disruption, and integrity compromise threaten digital repositories and archives (Nguyen, 2024; Vukovic & Stefanac, 2023).

This body of work aligns closely with core preservation values. Integrity is not only a security property; it is also an evidentiary and archival property. Availability is not only a service metric; it is a condition of access, scholarship, memory, and accountability. Confidentiality is not only a legal or technical matter; it protects user privacy, intellectual freedom, sensitive communities, and trust in knowledge institutions (American Library Association, 2025). Authenticity is not only a metadata concern; it depends on the ability to show that digital objects, records, and descriptions have not been tampered with or stripped of context.

The literature therefore supports a conceptual merger: cybersecurity becomes preservation when cyber controls protect the continuity of stewardship relationships. This is clearest in ransomware and data-integrity scenarios. A ransomware attack on a library catalog, repository, authentication system, or digital asset management platform may not immediately destroy a physical collection, but it can suspend discovery, access, circulation, staff workflows, public computing, and institutional accountability. Unauthorized modification or exfiltration of cultural heritage data can compromise provenance, copyright stewardship, community relationships, and public trust. Nguyen’s analysis of digital cultural heritage in conflict is especially instructive because it frames cyber threats not simply as technical intrusions but as threats to authenticity, integrity, accessibility, and the digital footprint of cultural memory (Nguyen, 2024).

2.4 Disaster planning and business continuity in the digital institution

The disaster-planning literature in libraries has historically centered on physical hazards: fire, flood, storms, mold, facilities failure, emergency communication, salvage priorities, and collection recovery. This focus remains necessary. Climate change, conflict, infrastructure failure, and local emergencies continue to threaten physical collections and cultural heritage sites. Yet digital dependence has changed the meaning of disaster preparedness. A library can be physically intact while informationally disabled. Conversely, a building may be damaged while digital services remain essential to continuity.

The resilience literature provides a useful conceptual bridge. Disaster studies increasingly emphasize multi-hazard and systems approaches, arguing that resilience involves adaptive capacities, interdependencies, communication, and the maintenance of function under changing conditions (Carvalhaes et al., 2020; Masten & Motti-Stefanidi, 2020). For libraries, this means that disaster planning should cover not only collections salvage and facilities recovery, but also digital service continuity, secure remote access, preservation repositories, staff communication, vendor dependencies, privacy obligations, and recovery sequencing. The experience of libraries during disasters and pandemics indicates that users often need reliable information precisely when institutional routines are disrupted (Ahlryd & Hanell, 2024; Braquet, 2010).

However, the public policy corpus assembled for this study suggests that these domains remain unevenly integrated. Traditional disaster plans often mention collections and buildings, while digital preservation policies address repositories and formats, and cybersecurity policies address systems and risk. The literature helps explain why this separation is analytically inadequate: preservation is a long-term social and technical process, disaster planning is a continuity process, and cybersecurity is a trust and integrity process. In digital cultural heritage institutions, these are not separate problems. They are different views of the same information resilience challenge.

2.5 AI, automation, and emerging risks to information resilience

Artificial intelligence introduces a further layer of complexity. AI systems are increasingly used, proposed, or imagined for digitization, transcription, translation, description, discovery, recommendation, restoration, preservation decision support, and cultural heritage interpretation (Johnson et al., 2019; Pansoni et al., 2023; Stojanovic & Cajic, 2023). These applications may expand access and enhance preservation workflows, particularly where institutions face scale, language, and metadata constraints. At the same time, AI systems create risks related to provenance, bias, hallucination, opacity, data extraction, surveillance, copyright, cultural sensitivity, and accountability.

AI ethics literature in library and cultural heritage contexts is therefore relevant to information resilience even when it does not use that term. Johnson, Ridley, and Henry argue that research librarians are positioned to contribute to AI policy because of their expertise in information science, data provenance, privacy, and information ethics (Johnson et al., 2019). The ARL guiding principles similarly emphasize security, privacy, transparency, copyright, information integrity, and human responsibility in research-library AI use (Association of Research Libraries, 2024). IFLA’s AI statement and UNESCO’s AI ethics recommendation provide broader normative anchors for transparency, human rights, privacy, accountability, equity, and intellectual freedom (International Federation of Library Associations and Institutions, 2020; UNESCO, 2021).

For cybersecurity as preservation, the key point is that AI governance cannot remain detached from disaster and continuity planning. Generative AI could support emergency communication, collection triage, rapid translation, or user guidance during crisis. But it could also generate inaccurate instructions, expose confidential information through prompts or training pipelines, obscure responsibility for decisions, or mediate access through proprietary systems with fragile accountability. In this sense, AI systems are both potential resilience tools and potential resilience risks. An information resilience framework must therefore ask not only whether AI is useful, but whether AI-mediated services preserve trust, provenance, privacy, and interpretability under stress.

2.6 Toward an integrative gap

Across these literatures, the conceptual gap is not the absence of relevant concepts. Digital preservation supplies authenticity, integrity, repository trust, and long-term access. Cybersecurity supplies threat modeling, confidentiality, integrity, availability, incident response, and control environments. Disaster and resilience research supplies continuity, adaptive capacity, communication, and multi-hazard planning. AI ethics supplies accountability, transparency, privacy, bias awareness, and human oversight. The problem is that these concepts are rarely integrated into a single library and cultural heritage framework.

This article addresses that gap by treating information resilience as the umbrella construct and cybersecurity as a preservation practice within it. The move is theoretical as well as practical. It shifts the unit of analysis from isolated assets to stewardship relationships; from system uptime to meaningful continuity; from backup to recoverable trust; from compliance to cultural memory; and from separate policy domains to integrated governance. The next section therefore turns from literature to the document corpus and analytical approach used to develop the proposed framework.

3 Methodology

3.1 Research design

This study uses an abductive qualitative document analysis and conceptual model-building design. The unit of analysis is the public governance document or incident material, not the institution as a whole. The purpose is not to estimate the prevalence of cybersecurity, AI governance, or digital preservation practices across all libraries and cultural heritage institutions. Rather, the study uses a purposive corpus of public policies, plans, guidelines, strategies, and incident materials to refine theory and develop a conceptual framework. Document analysis is appropriate because documents can be studied as institutional artifacts that make priorities, categories, omissions, and governance boundaries visible (Bowen, 2009). Abductive analysis is appropriate because the article moves iteratively between established theory and surprising empirical patterns rather than applying a purely deductive codebook or claiming inductive theory generation from a representative sample (Timmermans & Tavory, 2014). The study therefore makes analytic and theoretical claims about how public governance documents represent resilience domains, not empirical claims about the internal operational maturity of the institutions that produced them.

The study is positioned within interpretive library and information science research, where documents are treated as institutional artifacts that express priorities, assumptions, silences, and governance boundaries. Public policies and plans are not neutral descriptions of practice. They encode what institutions consider worth naming, assigning, funding, protecting, and auditing. For this reason, the analysis attends both to the presence of explicit provisions and to meaningful absences, such as disaster plans that protect physical collections but omit ransomware, or AI policies that address ethics but not continuity planning.

The methodological logic is abductive. The project began with a theoretical tension identified in the literature: digital preservation, cybersecurity, disaster planning, AI governance, and privacy ethics share overlapping concerns, but they are commonly governed as separate domains (Association of Research Libraries, 2024; Nguyen, 2024; Pinnick, 2017). The document corpus was then used to examine how this separation appears in public institutional materials and to generate the dimensions of an integrative framework. In this sense, the corpus functions as a comparative grounding device for conceptual development rather than as a population sample. The resulting claims are therefore claims about public documentary governance and conceptual integration, not direct claims about internal institutional maturity.

Coding was conducted by the author. Because the study is interpretive and theory-building rather than reliability-oriented content analysis, intercoder reliability was not calculated. To strengthen dependability, the analysis used a defined codebook, conservative coding rules, negative-case analysis, genre comparison, and an audit trail linking documents, codes, patterns, and framework dimensions. Analytic memos were used to record shifts from first-cycle structural codes to second-cycle pattern codes and to document rival interpretations during framework development.

3.2 Corpus construction

The empirical base for the article is a structured corpus of 44 public documents and case materials collected from libraries, archives, cultural heritage organizations, and relevant international or professional bodies. The corpus was assembled to support conceptual breadth across institutional type, geography, and document genre. It includes national libraries, academic libraries, public library systems, national archives, digital library consortia, professional associations, and international organizations.

Corpus construction used purposive maximum-variation sampling across three strata: document genre, institution type, and region. The search was conducted during May 2026 using public web search, targeted institutional websites, professional association websites, and known cultural heritage organizations. Searches prioritized official institutional pages, public PDFs, policy repositories, and incident statements. English-language documents were prioritized because of feasibility and comparability; non-English documents were included when official institutional sources and document structure were sufficiently interpretable. This language choice is treated as a limitation rather than as a claim about the distribution of global practice. The full corpus is provided in Table 7.

The search strategy and regional corpus audit are reported in Table 8 and Table 10 in Appendix B to preserve transparency without overloading the main text.

The search strategy prioritized official and institutionally credible sources, including organizational websites, public PDF reports, policy pages, official incident statements, and professional association publications. The target period was 2015-2026, with emphasis on documents updated or published between 2020 and 2026. Older materials were retained selectively where they served as influential baselines for disaster planning or digital preservation theory, such as legacy disaster preparedness guidance or established preservation scholarship.

Table 9 in Appendix B specifies the inclusion and exclusion criteria. These criteria are important because the article analyzes public documentary representation; therefore, summaries, news coverage, and vendor materials were excluded unless they were official institutional statements about an incident or policy.

Documents were selected to ensure coverage of six policy and practice domains:

1. disaster preparedness and emergency response;
2. digital preservation policy and repository stewardship;
3. cybersecurity policy, cyber incident review, or ransomware case material;
4. business continuity and service resilience;
5. AI governance, responsible AI, or emerging technology guidance;
6. privacy, intellectual freedom, ethics, and data protection.

The corpus is intentionally heterogeneous. This heterogeneity reflects the article’s theoretical premise: information resilience cannot be understood through one document genre alone. Disaster plans reveal how institutions imagine emergency response; preservation policies reveal how they define long-term stewardship; cybersecurity incidents reveal what fails under adversarial pressure; AI and privacy guidelines reveal ethical commitments that may or may not be linked to continuity planning.

3.3 Data extraction and coding framework

Each document was entered into a structured spreadsheet-ready dataset with fields for bibliographic metadata, institutional characteristics, substantive coverage, and analytical tags. The metadata fields include institution name, country, region, institution type, year, document type, and source URL. The substantive fields capture whether and how the document addresses disaster planning, digital preservation, cybersecurity, AI or emerging technology, privacy and ethics, and gaps or missing elements.

The coding framework was developed from the literature review and refined during document collection. Coding proceeded in two cycles. Cycle 1 used deductive structural coding based on the literatures on digital preservation, information resilience, cybersecurity, disaster continuity, AI governance, and privacy. Cycle 2 used abductive pattern coding to identify genre-level fragmentation, negative cases, and mechanisms linking cyber controls to preservation constructs. Table 1 provides an excerpt of the codebook used to stabilize interpretation across documents.

Table 1: Codebook excerpt for structural and pattern coding

Code	Definition	Observable_Indicators
Preservation continuity	Sustained access, authenticity, provenance, interpretability, and stewardship over time	Fixity, metadata, replication, repository policy, format migration, audit trails
Cyber-resilient stewardship	Prevention, detection, response, and recovery from adversarial disruption without loss of trust	MFA, access control, ransomware planning, immutable backups, logging, incident response
Disaster/service continuity	Maintenance or restoration of institutional functions during disruption	Recovery priorities, remote access, crisis communication, service restoration
Ethical continuity	Protection of privacy, intellectual freedom, rights, and public legitimacy under crisis conditions	Confidentiality, breach response, user-data minimization, surveillance safeguards
AI-mediated resilience risk	Risks and capacities introduced by AI in discovery, description, communication, or preservation workflows	AI policies, human review, provenance of AI outputs, prompt/data restrictions
Governance integration	Linkage across policy domains through shared roles, risk registers, exercises, and accountability	Cross-references, joint teams, integrated recovery procedures

The first-cycle coding used five high-level analytical categories:

1. Disaster planning coverage, including physical collection protection, emergency response, environmental hazards, salvage, service continuity, and remote access.
2. Cybersecurity elements, including ransomware preparedness, backup strategies, incident response, access control, authentication, vendor or platform risk, and data integrity verification.
3. Digital preservation elements, including repository stewardship, format sustainability, preservation metadata, replication, fixity, authenticity, audit, migration, and long-term access.
4. AI and emerging technology elements, including generative AI, automation, AI-supported discovery or description, responsible AI guidance, bias, hallucination, and misinformation.
5. Privacy and ethical considerations, including user data protection, confidentiality, intellectual freedom, surveillance concerns, cultural sensitivity, and responsible use of digital tools.

Documents were then assigned one or more interpretive tags. Traditional Plan denotes documents focused primarily on physical collections, facilities, or conventional emergency response. Hybrid Plan denotes documents integrating physical and digital continuity, or linking preservation with service infrastructure. Cyber-aware denotes documents that explicitly address cybersecurity, ransomware, authentication, information security, incident response, or cyber-related integrity risks. AI-aware denotes documents that discuss AI systems, generative AI, automation, or responsible AI governance. Ethics-integrated denotes documents that substantively connect planning or technology governance with privacy, intellectual freedom, user rights, cultural stewardship, or public trust.

The coding was deliberately conservative. A document was not coded as cyber-aware merely because it mentioned technology, nor AI-aware merely because it discussed digital transformation. Similarly, a document was not coded as ethics-integrated unless ethical or privacy concerns were more than peripheral. This conservative approach was adopted to avoid inflating the degree of integration across policy domains.

3.4 Analytical procedure

The analysis proceeded in four stages. First, documents were screened for institutional credibility, public availability, date, and relevance to the study’s two core themes: information resilience in disaster planning and cybersecurity as preservation. Duplicate, promotional, or purely descriptive webpages were excluded unless they provided official policy or incident evidence unavailable elsewhere.

Second, each document was read for explicit provisions across the coding categories. This stage focused on direct evidence: named backup practices, repository functions, incident response procedures, access controls, privacy obligations, AI governance statements, or disaster recovery roles. When documents were broad strategies rather than operational plans, the coding distinguished between strategic commitment and concrete control detail.

Third, documents were compared across genres. The analysis asked how disaster plans differ from digital preservation policies, how incident reports reveal risks not captured in formal plans, and how AI or privacy guidelines relate to continuity and preservation concerns. This cross-genre comparison was central to identifying the article’s integrative gap: the tendency for institutions to address physical disaster, digital preservation, cybersecurity, AI governance, and privacy through parallel but weakly connected documents.

Fourth, the findings were synthesized into conceptual dimensions for the proposed Information Resilience Framework. The goal of this stage was not to rank institutions, but to identify recurring governance problems and transferable design principles. For example, ransomware case materials informed the framework’s emphasis on recoverable access and adversarial continuity; digital preservation policies informed its emphasis on integrity, authenticity, and metadata continuity; AI guidance informed its emphasis on interpretability, accountability, and epistemic trust. Table 6 in the Results section makes this movement from empirical pattern to framework dimension explicit.

The analysis also included three safeguards against overinterpretation. First, negative-case analysis was used to retain traditional disaster plans and preservation policies that lacked cyber or AI content rather than excluding them as irrelevant. Second, genre comparison was used to distinguish “not mentioned in a disaster plan” from “not present in the institution.” Third, sensitivity checks were conducted conceptually by asking whether the central claim still held when incident documents were treated as stress-test cases rather than representative cases, and when North American examples were not treated as the normative baseline.

3.5 Use of R and reproducible manuscript workflow

The dataset is maintained as a CSV file and imported into this Quarto manuscript through R. The R workflow is used for simple descriptive summaries, corpus auditing, and reproducible integration of dataset counts into the manuscript text. This supports transparency by keeping the source data and manuscript in the same analytical environment.

The workflow is intentionally lightweight. Because the study is qualitative and theory-building, R is not used for inferential statistics. Instead, it supports reproducible documentation of corpus size, regional distribution, document types, and descriptive audit tables. Future versions of the article can extend this workflow to include intercoder reliability checks, coded matrix visualizations, or comparative heatmaps of policy coverage.

3.6 Trustworthiness, limitations, and scope

Several strategies were used to strengthen the trustworthiness of the analysis. First, the corpus was limited to official or credible institutional sources, reducing dependence on secondhand reporting. Second, the coding framework was derived from the literature and applied consistently across document types. Third, the analysis included both strong exemplars and negative cases, allowing the framework to be built from absences as well as best practices. Fourth, the study distinguishes between policy presence and operational maturity; a public document can signal institutional intent without proving implementation. Fifth, an audit trail was maintained through the CSV dataset, Quarto manuscript, codebook excerpt, search-strategy table, and framework-derivation matrix.

The study has five principal limitations. First, public documentation is uneven. Some institutions may have robust internal cybersecurity or continuity plans that are not publicly available. The analysis therefore captures public governance visibility, not necessarily total institutional capability. Second, the corpus is purposive rather than exhaustive, with stronger coverage of North America and Europe than Africa or parts of Latin America and Asia-Pacific. Third, the corpus privileges English-language and easily discoverable public documents, creating language and visibility bias. Fourth, cyber incident materials often disclose limited technical detail for security and legal reasons and may bias the argument toward crisis-visible cases. Fifth, AI governance in libraries and cultural heritage institutions is rapidly evolving, so the analysis should be read as a 2026 snapshot rather than a settled map.

These limitations are appropriate to the article’s purpose. The study does not claim that the corpus represents all institutional practice. Its claim is conceptual: the visible documentary record represents preservation, cybersecurity, disaster planning, AI, and privacy through fragmented policy genres, and that public documentary fragmentation creates a theoretical and practical need for an information resilience framework.

4 Results

4.1 Corpus profile and visibility limits

The final corpus contains 44 public documents and case materials across 6 geographic categories. The regional and institution-type distributions are reported in Table 11 and Table 13 in Appendix B. Those descriptive tables are treated as visibility audits rather than maturity measures: they show which public documents were discoverable and included, not how resilient institutions are internally.

Table 2 shows the document-genre distribution used in the comparative analysis. The table matters because the main finding is not simply that some topics are present or absent; it is that visibility is genre-structured. Disaster plans, preservation policies, cyber incident materials, AI guidance, and privacy documents tend to make different risks visible.

Table 2: Corpus distribution by document genre

Document_Genre	Documents
Digital preservation	25
Disaster/service continuity	6
Strategy/guidance	5
AI governance	4
Cyber incident/cybersecurity	3
Privacy/ethics	1

The document types are deliberately heterogeneous. The corpus includes digital preservation policies, disaster plans, cyber incident reviews, public incident updates, repository guidance, AI statements, privacy interpretations, digital strategy reports, and international toolkits. This heterogeneity is not a limitation for the present purpose; it is the empirical condition that motivates the framework. Information resilience is distributed across multiple genres of institutional documentation rather than contained in one policy instrument.

4.2 Genre fragmentation across governance documents

Table 3 summarizes how document genres differ across the four coded domains. The matrix shows that public documentary governance is not merely uneven; it is partitioned by genre. Digital preservation documents are more likely to foreground long-term access and integrity, while cyber incident materials foreground adversarial disruption and recovery. AI and privacy documents name ethical risks, but they rarely operationalize them as continuity mechanisms.

Table 3: Document genre by high-coverage resilience domains

Document_Genre	Documents	High_Digital_Preservation	High_Cybersecurity	High_AI	High_Ethics_Privacy
Digital preservation	25	21	2	0	2
Disaster/service continuity	6	0	0	0	0
Strategy/guidance	5	2	2	0	0
AI governance	4	1	1	4	4
Cyber incident/cybersecurity	3	1	3	0	3
Privacy/ethics	1	0	1	0	1

The genre pattern in Table 3 supports RQ2. Disaster and service-continuity documents tend to treat continuity as operational recovery; digital preservation documents treat continuity as long-term access and integrity; cyber incident documents treat continuity as crisis recovery and trust repair; AI and privacy documents treat continuity more normatively, through values such as transparency, confidentiality, and accountability. The fragmentation is therefore not random omission. It is produced by the documentary genres through which institutions organize governance.

Document-level contrasts make this fragmentation visible. Columbia University Libraries’ preservation policy foregrounds robust security, verification, replication, geographic distribution, monitoring, and migration/emulation, but it does not frame ransomware or credential compromise as named preservation scenarios (Columbia University Libraries, 2018). By contrast, the University of Toronto Libraries disaster plan is rich in collection-salvage logic but remains oriented toward physical library materials rather than digital repositories or identity-dependent access systems (University of Toronto Libraries, 2019). These examples show how different genres make different parts of resilience legible.

4.3 Preservation without adversarial continuity

The strongest coverage in the corpus concerns digital preservation. 25 documents were coded as high in digital preservation coverage, compared with 9 medium and 10 low. The coverage audit in Table 14 in Appendix B shows the central asymmetry in the corpus: digital preservation and ethics/privacy are more visible than AI, while cybersecurity is present but uneven. High-scoring digital preservation documents typically address repository stewardship, long-term access, preservation metadata, authenticity, integrity, format sustainability, replication, or trusted digital archive practice.

The pattern in Table 14 is illustrated by several strong preservation documents. NARA’s digital preservation strategy and framework foreground infrastructure, data integrity, authenticity, format risk, and information security as preservation concerns (National Archives and Records Administration, 2022, 2024). BAnQ’s digital preservation policy explicitly links bit-level preservation, confidentiality, audits, access law, and personal data protection (Bibliotheque et Archives nationales du Quebec, 2021). KB National Library of the Netherlands emphasizes reliable digital archives, integrity, authenticity, preservation planning, and certification-oriented trust (KB National Library of the Netherlands, 2025). Columbia University Libraries’ preservation policy is especially concise in connecting robust security, verification, replication, geographic distribution, monitoring, and migration or emulation (Columbia University Libraries, 2018).

Yet the same pattern also shows the limits of current policy integration. Many strong digital preservation documents are not disaster plans; many disaster plans are not cyber-aware; and many cybersecurity or AI documents do not explicitly define themselves as preservation instruments. The result is a mature but compartmentalized preservation landscape. Institutions know how to describe digital preservation commitments, but those commitments are not always integrated with ransomware preparedness, service continuity, AI governance, or privacy-centered emergency response.

Table 4 translates this result into preservation terms. It shows how familiar preservation constructs require cyber mechanisms when the threat environment includes intentional compromise. The matrix is interpretive rather than statistical, and it is derived from the cross-reading of preservation policies, incident reports, and cybersecurity-aware guidance in the corpus.

Table 4: Preservation constructs and corresponding cybersecurity mechanisms

Preservation_Construct	Cybersecurity_Mechanism	Resilience_Rationale
Availability	Redundancy, immutable/offline backups, recovery sequencing	Maintains access when systems are encrypted, damaged, or unavailable
Integrity	Fixity, logging, access control, change monitoring	Detects unauthorized alteration and supports trustworthy restoration
Authenticity	Audit trails, provenance controls, role-based stewardship authority	Links recovered objects to accountable custodial histories
Confidentiality	Privacy controls, breach response, least-privilege access	Protects user, staff, donor, and sensitive cultural data during recovery
Interpretability	Metadata preservation, documentation, AI-output provenance	Ensures materials remain meaningful and explainable after disruption
Trust	Incident transparency, verification, governance accountability	Restores confidence in institutional stewardship, not only uptime

The logic of Table 4 narrows the central claim. Cybersecurity is not automatically preservation. It becomes preservation when controls protect availability, integrity, authenticity, confidentiality, interpretability, or trust as preservation constructs.

4.4 Cyber incidents as preservation stress tests

Cybersecurity coverage is uneven. 9 documents were coded as high in cybersecurity coverage, while 23 were medium and 12 were low. The high-coverage documents are disproportionately cyber incident reviews, public incident updates, or policies that explicitly link preservation and information security.

The strongest evidence comes from recent incidents. The British Library cyber incident review shows ransomware as an institutional crisis affecting infrastructure, recovery, service continuity, staff capacity, risk governance, and public trust (British Library, 2024). Toronto Public Library’s public updates and digital strategy materials show how ransomware disrupted library systems and required staged restoration, cybersecurity expertise, and privacy regulator engagement (Toronto Public Library, 2023, 2024). Seattle Public Library’s reporting documents ransomware recovery, cloud migration, multifactor authentication, cybersecurity staffing, and the service impact of technology disruption (Seattle Public Library, 2025). HathiTrust’s 2026 data incident statement extends the pattern beyond ransomware by foregrounding unauthorized distribution, repository trust, and the need to distinguish data exposure from alteration of the preserved corpus (HathiTrust, 2026). These incidents are not treated here as representative cases. They function analytically as preservation stress tests: moments when hidden dependencies among systems, metadata, access platforms, staff workflows, user data, and public trust become visible.

These cases support the article’s central claim: cyber incidents are preservation events. They do not merely affect back-office systems. They interrupt access, alter the meaning of redundancy, expose dependencies in discovery and delivery systems, and test whether institutions can recover without losing integrity or legitimacy. In the corpus, cyber-awareness is therefore strongest where institutions have been forced to narrate disruption. That finding suggests a governance problem: cybersecurity becomes visible after crisis more often than it is integrated into preservation and disaster planning before crisis.

The British Library review is the clearest example of post-incident documentary visibility: ransomware becomes legible not simply as malware, but as a disruption to service continuity, recovery sequencing, organizational capacity, and trust repair (British Library, 2024). HathiTrust’s incident statement provides a different exemplar because it separates unauthorized distribution from alteration of the preserved repository corpus, making integrity and trust the central interpretive issues (HathiTrust, 2026).

4.5 Traditional disaster plans still privilege physical collections

The analytical tags show that 30 documents were coded as hybrid plans, while 6 were coded as traditional plans; the full tag audit is reported in Table 15 in Appendix B. Hybrid documents typically combine physical and digital concerns or treat digital continuity as part of preservation. Traditional plans focus primarily on physical hazards, collection salvage, facilities, emergency roles, and environmental damage.

The traditional plans represented in Table 15 are analytically important because they show what remains missing. University of Tasmania’s disaster management plan for library collections, the University of Toronto Libraries disaster plan, IFLA’s disaster preparedness manual, and Brazil’s national-library risk management and emergency plan are valuable for physical collection protection and emergency response (Biblioteca Nacional do Brasil, 2010; International Federation of Library Associations and Institutions, 2006; University of Tasmania Library, 2020; University of Toronto Libraries, 2019). However, their dominant orientation is toward fire, flood, facilities, salvage, and physical materials. They provide comparatively little guidance on ransomware, digital repository recovery, identity systems, vendor platforms, remote access, or data integrity verification.

This does not make traditional disaster planning obsolete. Rather, it reveals the need to extend it. Physical preservation remains essential, especially under climate, conflict, and infrastructure risk. But the digital institution can fail even when the building survives. A contemporary disaster plan that omits cyber incidents, service continuity, repository recovery, and privacy breach response is incomplete as an information resilience instrument.

4.6 AI and privacy as under-integrated resilience domains

AI is the least integrated domain in the corpus. Only 4 documents were tagged as AI-aware, and most documents contain no explicit AI reference. AI-aware documents tend to be professional or strategic guidelines rather than disaster plans or digital preservation policies. Harvard Library’s generative AI guidance addresses responsible institutional use and information literacy concerns (Harvard Library, 2023). ARL’s AI principles emphasize security, privacy, transparency, licensing, information integrity, and human responsibility (Association of Research Libraries, 2024). IFLA and UNESCO provide broader AI ethics frameworks applicable to libraries and cultural heritage institutions (International Federation of Library Associations and Institutions, 2020; UNESCO, 2021).

The pattern is not simply that AI is absent. Rather, AI appears in a separate policy stream. AI guidance discusses ethics, transparency, privacy, bias, copyright, and responsible use, but it rarely connects these issues to emergency communication, cyber incident recovery, digital preservation workflows, or continuity planning. This is a significant gap because AI systems increasingly mediate discovery, description, digitization, translation, summarization, reference, and public communication. If these systems are used during crisis, they may shape what users can know, what staff can verify, and how institutions communicate uncertainty.

For example, ARL’s AI principles explicitly foreground privacy, security, transparency, copyright, and information integrity, but they are written as research-library AI governance principles rather than as continuity procedures for disruption scenarios (Association of Research Libraries, 2024). ALA’s privacy interpretation similarly provides operationally relevant security practices, including access controls and breach response, but it is not itself a disaster or preservation continuity plan (American Library Association, 2025). The contrast supports the claim that AI and privacy are present as ethical governance domains but weakly integrated into resilience operations.

The corpus therefore suggests that AI governance is emerging faster than AI-aware resilience planning. The Information Resilience Framework must account for this by treating AI not only as an innovation or ethics issue, but as a continuity and trust issue. Under crisis conditions, hallucinated guidance, opaque automated decisions, insecure prompts, or vendor-dependent AI services can become preservation risks when they affect access, interpretation, rights, or institutional credibility.

Ethics and privacy appear more frequently than AI but remain unevenly operationalized. 10 documents were coded as high in ethics/privacy coverage, 24 as medium, and 10 as low. High-coverage documents usually come from privacy, AI, or incident-response contexts rather than from traditional disaster plans.

ALA’s privacy interpretation provides a strong bridge between library ethics and security practice by connecting confidentiality, user data protection, encryption, access controls, patching, training, breach reporting, and incident response (American Library Association, 2025). ARL’s AI principles likewise integrate privacy, security, copyright, transparency, and information integrity (Association of Research Libraries, 2024). BAnQ is a strong institutional example because its preservation policy connects digital preservation with confidentiality and personal data obligations (Bibliotheque et Archives nationales du Quebec, 2021).

However, privacy is less visible in many disaster and preservation documents. This matters because crisis conditions often increase surveillance, data sharing, emergency communication, vendor dependence, and improvisational technology use. A resilience framework that protects access but neglects privacy may preserve systems while eroding intellectual freedom and public trust. Conversely, an ethics framework that does not address continuity may protect values in principle while leaving institutions unprepared to sustain those values under disruption.

4.7 Cross-regional observations

The corpus shows regional variation in public documentation. Table 16 in Appendix B cross-tabulates analytical tags by region and shows that cyber-aware and AI-aware materials are concentrated in a smaller subset of the corpus than hybrid preservation planning. North America contributes the largest number of cyber-aware and AI-aware materials, partly because of public incident reporting, professional association guidance, and research-library policy work. European materials provide visible examples of digital preservation maturity and trusted repository framing, with KB Netherlands, National Library of Scotland, the British Library, and The National Archives providing important examples (British Library, 2024; KB National Library of the Netherlands, 2025; National Library of Scotland, 2026; The National Archives, 2024). Asia-Pacific materials contribute strong national preservation and community-facing digital preservation guidance, especially through New Zealand and Japan, but fewer public documents in the corpus explicitly connect cyber risk with preservation (National Diet Library, 2021; National Library of New Zealand, 2025). Latin American and African materials are fewer in number, but they are important for showing how preservation, cultural memory, digitization, and continuity are framed outside the dominant North Atlantic policy environment (Biblioteca Nacional do Brasil, 2021; National Archives and Records Service of South Africa, 2020).

The cross-tabulation in Table 16 should not be overinterpreted as a direct measure of institutional maturity. The differences partly reflect language, publication practices, public-sector transparency rules, and the availability of official English-language documents. Still, the pattern is useful: cyber-aware preservation discourse is more visible where incident reporting and digital preservation policy are publicly documented; AI-aware discourse is concentrated in professional guidance; and Global South examples remain underrepresented in the public record, creating a research gap for future multilingual and regionally embedded work.

4.8 Deriving the Information Resilience Framework

Table 5 links the main forms of policy-domain fragmentation to preservation risks. The matrix provides the analytic bridge between the document analysis and the framework developed in the next section. It shows how separate vocabularies, documents, and recovery priorities produce specific resilience vulnerabilities.

Table 5: Policy-domain fragmentation and resulting preservation risks

Fragmentation_Pattern	Observed_Documentary_Form	Preservation_Risk
Physical disaster planning separated from digital preservation	Disaster plans emphasize facilities, salvage, and physical collections	Digital repositories, discovery systems, and access platforms omitted from emergency priorities
Preservation separated from cybersecurity	Preservation policies emphasize integrity and access without adversarial mechanisms	Recovery may restore files without restoring trustworthy stewardship
Cybersecurity separated from preservation language	Incident documents emphasize systems, credentials, and recovery	Cultural memory, provenance, and metadata dependencies remain under-specified
AI governance separated from continuity planning	AI policies emphasize ethics and responsible use	AI-mediated crisis communication or description may be unverifiable
Privacy separated from disaster recovery	Privacy principles appear outside operational continuity plans	Crisis response may compromise confidentiality or intellectual freedom

The framework dimensions were not derived from frequency alone. They emerged from cross-genre comparison: recurring absences in one genre became analytically meaningful when another genre treated the same issue as central. For example, disaster plans’ limited treatment of ransomware became significant because incident reports showed cyber disruption as a continuity problem, while preservation policies treated integrity and access as core stewardship values.

Table 6 then states how empirical patterns were translated into framework dimensions. This table is the traceability device requested by the study design: it shows that the framework is not appended after the results but derived from them.

Table 6: From empirical patterns to Information Resilience Framework dimensions

Empirical_Pattern	Preservation_Risk	Framework_Dimension
Disaster plans privilege physical collections	Digital services and repositories omitted from emergency planning	Disaster and service continuity
Cybersecurity visible after incidents	Reactive rather than anticipatory governance	Cyber-resilient stewardship
AI treated as ethics issue	AI-mediated misinformation or opacity during crisis	AI-verifiable continuity
Privacy stated normatively	Crisis recovery may compromise confidentiality	Ethical continuity
Preservation policies focus on objects	Metadata, access systems, and trust relationships under-specified	Stewardship continuity
Policy documents use separate vocabularies	Recovery priorities and accountability remain fragmented	Integrated resilience governance

The framework dimensions in Table 6 answer RQ4. They also delimit the scope of the article: the framework applies where cultural heritage institutions depend on digital collections, metadata infrastructures, access platforms, networked services, or AI-mediated workflows, and where public governance documents reveal separations among preservation, cybersecurity, continuity, AI, and privacy.

4.9 Summary of results

The results support four claims. First, digital preservation is the most developed domain in the corpus, but it is not consistently integrated with cybersecurity, disaster planning, AI governance, and privacy. Second, cybersecurity becomes most visible in incident materials, suggesting that the public documentary record often narrates cyber risk retrospectively rather than incorporating it prospectively into preservation planning. Third, traditional disaster planning remains indispensable but too often privileges physical collections over digital continuity. Fourth, AI and privacy guidance provide important ethical resources, but they are rarely operationalized as resilience mechanisms.

These findings justify the need for an Information Resilience Framework. The framework must connect preservation’s concern for authenticity and long-term access, cybersecurity’s concern for confidentiality, integrity, and availability, disaster planning’s concern for continuity and recovery, and information ethics’ concern for privacy, intellectual freedom, and public trust. The next section presents that framework formally.

5 Information Resilience Framework

5.1 Framework overview

The Information Resilience Framework formalizes the article’s core proposition: cybersecurity functions as preservation when it protects the continuity of trustworthy information stewardship under adversarial or disruptive conditions. The framework is shown in Figure 1. Its center is stewardship continuity, defined as recoverable trust among objects, metadata, provenance, rights, users, staff workflows, systems, and institutional authority. Information resilience is the outcome: trustworthy, ethical access and interpretation under disruption.

The construct hierarchy is intentionally narrow. The core construct is stewardship continuity. The outcome is information resilience. The primary threats are adversarial/disruptive risk and policy-domain fragmentation. The enabling dimensions are preservation continuity, cyber-resilient stewardship, disaster/service continuity, ethical continuity, AI-verifiable continuity, and integrated resilience governance. This hierarchy prevents information resilience from becoming an all-purpose label and locates cybersecurity as one mechanism within stewardship continuity.

Figure 1: Information Resilience Framework. Cybersecurity becomes preservation when controls protect stewardship continuity: recoverable trust relationships that sustain authentic, private, interpretable, and accessible cultural memory under adversarial or disruptive conditions.

Figure 1 should be read as a relational model rather than a maturity checklist. Adversarial and disruptive risks, such as ransomware, exfiltration, unauthorized alteration, outages, and facility disruption, put pressure on stewardship continuity. Policy-domain fragmentation can weaken coherent response by separating vocabularies, roles, documents, and recovery priorities. The five framework dimensions and integrated resilience governance then operate as conditions that either strengthen or weaken the recoverability of trust.

5.2 Dimension 1: Preservation continuity

Preservation continuity is the capacity to sustain long-term access, authenticity, provenance, and interpretability. It includes familiar preservation practices such as fixity, metadata, replication, format sustainability, repository policy, and audit trails. In the framework, these practices remain foundational, but they are insufficient unless they are protected against adversarial compromise. Preservation continuity therefore depends on cyber-resilient stewardship and governance integration.

5.3 Dimension 2: Cyber-resilient stewardship

Cyber-resilient stewardship is the capacity to prevent, detect, respond to, and recover from adversarial disruption without loss of trust. It includes MFA, role-based access, logging, immutable backups, segmentation, incident response, and recovery testing. These controls become preservation controls when they protect authenticity, provenance, access, confidentiality, or institutional trust. This dimension is the analytic hinge of cybersecurity as preservation.

5.4 Dimension 3: Disaster and service continuity

Disaster and service continuity is the capacity to maintain or restore institutional functions during disruption. It includes recovery sequencing, remote access, crisis communication, public service continuity, and vendor or platform dependency planning. The framework extends traditional disaster planning by treating digital repositories, discovery systems, identity systems, e-resource platforms, and public communication channels as preservation-relevant continuity infrastructure.

5.5 Dimension 4: Ethical continuity

Ethical continuity is the capacity to preserve privacy, intellectual freedom, rights, cultural sensitivity, confidentiality, and public legitimacy during crisis. Recovery that restores systems while exposing user data, enabling excessive surveillance, or compromising sensitive cultural materials is not successful information resilience. Ethical continuity therefore moderates resilience quality: a recovery process is resilient only if it preserves the values that make information stewardship legitimate.

5.6 Dimension 5: AI-verifiable continuity

AI-verifiable continuity addresses risks and capacities introduced by AI systems in discovery, description, communication, and preservation workflows. AI may support resilience by accelerating triage, translation, metadata enhancement, or crisis communication. It may also weaken resilience through hallucinated guidance, opaque outputs, insecure prompts, vendor lock-in, and untraceable metadata generation. AI-mediated services strengthen information resilience only when their outputs are verifiable, accountable, provenance-aware, and integrated into continuity planning.

5.7 Integrated resilience governance

Integrated resilience governance converts parallel controls into stewardship continuity. It includes shared risk registers, cross-functional tabletop exercises, joint accountability, policy cross-references, shared recovery priorities, and collaboration among preservation staff, IT security staff, privacy officers, public service units, administrators, and community stakeholders. Governance integration is not an additional domain beside preservation, cybersecurity, disaster planning, AI, and privacy. It is the mechanism that aligns them.

5.8 Propositions

The framework advances five propositions for future empirical testing:

P1: Separation between preservation governance and cybersecurity governance increases the likelihood that recovery will be defined as system restoration rather than stewardship continuity.

P2: Cybersecurity controls function as preservation controls when they protect authenticity, provenance, access, confidentiality, interpretability, or institutional trust.

P3: Policy-domain fragmentation weakens information resilience by producing separate vocabularies, recovery priorities, and accountability structures.

P4: Ethical continuity moderates resilience quality because recovery that violates privacy, intellectual freedom, cultural sensitivity, or public legitimacy is not successful information resilience.

P5: AI-mediated services increase information resilience only when their outputs are verifiable, accountable, provenance-aware, and governed as part of continuity planning.

5.9 Boundary conditions

The framework applies most directly to libraries, archives, museums, repositories, and cultural heritage institutions that depend on digital collections, metadata infrastructures, access platforms, networked services, or AI-mediated workflows. It applies to both adversarial and non-adversarial disruptions when those disruptions affect information access, interpretation, stewardship, or trust. It is most appropriate for analyzing public governance documents, institutional policies, incident materials, and resilience planning practices.

The framework does not claim to measure actual cybersecurity maturity without internal operational evidence. It also does not imply that every institution should publish sensitive technical details. Its purpose is conceptual and evaluative: to clarify when cybersecurity becomes preservation, what dimensions of resilience must be integrated, and how public documentary fragmentation can obscure preservation risk.

The framework is not a cybersecurity maturity model, a compliance checklist, or a substitute for technical risk assessment. It is an information-science framework for analyzing when controls, policies, and recovery practices preserve the trust relationships that make cultural heritage information usable and accountable over time.

6 Discussion

6.1 Reframing cyber incidents as preservation failures

The results support a conceptual shift from treating cyber incidents as operational interruptions to treating them as preservation failures. In cultural heritage institutions, ransomware, unauthorized access, data exfiltration, credential compromise, and platform disruption do not merely affect information technology units. They threaten the conditions under which collections remain discoverable, interpretable, evidential, and trustworthy. This is the central theoretical move of cybersecurity as preservation: it relocates cyber risk from the periphery of institutional operations to the core of stewardship.

This reframing clarifies why the distinction between backup and preservation is so important. Backup may restore data, but preservation requires the restoration of trustworthy relationships among objects, metadata, provenance, rights, users, staff, and institutional authority (Owens, 2017). A library that can recover files but cannot verify their integrity, explain provenance, protect user confidentiality, or reestablish reliable access has not fully preserved its informational function. Likewise, a repository that maintains fixity but lacks segmented access, tested recovery, or resilient identity management remains vulnerable to adversarial failure.

The incident materials in the corpus make this point concrete. The British Library, Toronto Public Library, Seattle Public Library, and HathiTrust cases show that cyber disruption can affect service continuity, public trust, staff workflows, privacy obligations, and the perceived reliability of cultural infrastructure (British Library, 2024; HathiTrust, 2026; Seattle Public Library, 2025; Toronto Public Library, 2023). These are preservation concerns because they determine whether a cultural heritage institution can sustain meaningful access over time. The preservation object, in this sense, is not only a digital file or physical item, but the institution’s capacity to maintain credible stewardship under stress.

6.2 Theoretical contribution to information science

For information science, the proposed framing contributes to scholarship on information resilience by extending it from individual and community navigation of disrupted information landscapes to institutional stewardship of disrupted information infrastructures. Lloyd’s work emphasizes the role of information practices in resilience processes, especially when people must navigate unfamiliar or unstable information environments (Lloyd, 2014, 2015). Recent JASIST work similarly develops information resilience as a framework for understanding how marginalized communities manage complex, intersecting information conditions (Threats, 2025). This article builds on that tradition but shifts the analytical site: from the resilience of information seekers and intermediaries to the resilience of memory institutions as sociotechnical systems.

This shift matters because libraries and cultural heritage institutions are both information intermediaries and preservation infrastructures. They mediate access, organize knowledge, protect records, teach literacies, preserve evidence, and sustain public memory. When such institutions experience cyber disruption, the effects are not limited to internal systems. Users may lose access to trusted sources, staff may lose the ability to verify or describe materials, communities may lose continuity of service, and institutional records may become unavailable or suspect. Information resilience therefore requires attention to both practice and infrastructure: how people find, interpret, and trust information, and how institutions secure the systems that make those practices possible.

The article also contributes to digital preservation theory by making adversarial risk more explicit. Digital preservation research has long framed preservation as planning under uncertainty and as a problem of policy, infrastructure, metadata, organizational responsibility, and risk (Barons et al., 2021; Becker et al., 2009; Becker & Rauber, 2011; Pinnick, 2017). Cybersecurity as preservation extends this work by distinguishing ordinary uncertainty from adversarial uncertainty. Format obsolescence, media decay, and resource constraints are preservation risks; so are malicious encryption, unauthorized alteration, credential theft, data exfiltration, and vendor compromise. The framework proposed here therefore does not replace existing preservation theory. It sharpens preservation theory for an environment in which threats are intentional as well as accidental.

6.3 Policy fragmentation as a governance problem

The most important empirical insight from the corpus is not simply that some documents omit cybersecurity or AI. It is that the public policy record is organized through fragmented domains in ways that make omissions predictable. Disaster plans are often written around physical collections and facilities. Digital preservation policies are often written around repositories, formats, metadata, and long-term access. Cybersecurity documents are often written around systems, credentials, incident response, and compliance. AI guidelines are often written around responsible use, transparency, bias, copyright, and privacy. Each genre has its own professional vocabulary and governance audience.

This fragmentation creates what might be called a resilience translation problem. A preservation policy may mention integrity without specifying how cyber incident response protects it. A cybersecurity plan may protect systems without articulating why metadata, provenance, and cultural memory require special recovery priorities. An AI policy may address privacy and bias without considering crisis communication or preservation workflows. A disaster plan may protect physical collections while leaving born-digital collections, discovery platforms, and remote access outside the emergency imagination. The problem is not the absence of expertise; it is the absence of an integrative governance language.

Information resilience can supply that language because it names the shared outcome across these domains: continued, trustworthy, ethical access to information under conditions of disruption. This outcome is broader than uptime and more operational than abstract institutional mission. It asks whether information remains findable, accessible, interoperable, reusable, authentic, secure, private, intelligible, and socially trustworthy when ordinary conditions fail. In doing so, it gives preservation officers, information technology staff, privacy officers, AI governance groups, administrators, and public service units a shared object of planning.

6.4 From asset protection to stewardship continuity

The results also suggest a move from asset protection to stewardship continuity. Traditional risk management often begins by identifying assets: buildings, servers, databases, collections, platforms, or records. This is necessary but insufficient for cultural heritage institutions, because the value of collections depends on relationships among assets. A digitized newspaper collection, for example, is not only image files. It is also metadata, OCR text, rights information, storage systems, discovery interfaces, persistent identifiers, user practices, staff knowledge, and trust in institutional mediation.

Stewardship continuity foregrounds these relationships. It asks whether an institution can maintain the chain of custody, the chain of interpretation, and the chain of access after disruption. This perspective explains why cyber controls should be treated as preservation controls. Multifactor authentication protects stewardship authority. Role-based access protects the chain of custody. Immutable backups protect recoverable continuity. Logs and fixity checks protect evidentiary accountability. Vendor risk assessment protects access dependencies. Privacy controls protect the ethical legitimacy of service restoration.

This shift also reframes recovery. Recovery is not complete when a server comes back online. For libraries and cultural heritage institutions, recovery must also restore confidence that records have not been altered, that metadata relationships remain intact, that user data has been protected or responsibly disclosed, that staff can explain what happened, and that communities can again rely on the institution. In this sense, the goal is not merely technical resilience but epistemic resilience: the capacity to preserve conditions of knowing.

6.5 AI as an emerging resilience stressor

AI governance appears in the corpus as an emerging but weakly integrated policy area. This is significant because AI systems increasingly mediate access, description, translation, summarization, discovery, and interpretation in libraries and cultural heritage institutions (Johnson et al., 2019; Pansoni et al., 2023; Stojanovic & Cajic, 2023). The dominant policy vocabulary around AI emphasizes responsible use, privacy, transparency, bias, copyright, and human oversight (Association of Research Libraries, 2024; International Federation of Library Associations and Institutions, 2020; UNESCO, 2021). These concerns are essential, but the results suggest that they have not yet been systematically connected to disaster planning or cybersecurity-as-preservation.

AI should therefore be understood as an emergent stressor and boundary case for the framework, not as an equal empirical pillar. AI may help institutions triage requests, generate multilingual crisis communication, enhance metadata, or support preservation workflows, but it may also introduce hallucinated information, opaque decision pathways, insecure data flows, proprietary dependencies, and untraceable description. The relevant question is not whether AI is innovative, but whether AI-mediated services remain verifiable, accountable, and provenance-aware during disruption.

6.6 Equity, geography, and the visibility of resilience

The cross-regional results should be read with care. North America and Europe appear more prominently in the corpus not necessarily because they are more resilient, but because their policies, incident reports, and professional guidance are more publicly discoverable in the search environment used for this study. The lower visibility of African, Latin American, and some Asia-Pacific materials is itself a research finding, but not a simple maturity ranking. It points to the need for multilingual, regionally grounded research that can account for different publication practices, institutional capacities, legal regimes, infrastructure constraints, and cultural heritage priorities.

This matters because information resilience is not evenly resourced. Institutions in regions facing climate risk, political instability, conflict, underfunding, or fragile infrastructure may have sophisticated local practices that are not captured in public English-language policy documents. Conversely, institutions with polished public policies may still have implementation gaps. A framework for information resilience must therefore avoid turning documentation visibility into a proxy for capability.

Equity also matters within institutions. Cybersecurity measures can protect users, but they can also restrict access, intensify surveillance, or create burdens for communities with limited connectivity, disability-related access needs, or precarious legal status. AI tools can expand access, but they can also misrepresent marginalized histories or expose sensitive cultural data. Disaster recovery can prioritize systems, but overlook the communities most dependent on public library access. For this reason, ethics and privacy are not optional additions to resilience; they are criteria for judging whether resilience preserves public value.

6.7 Implications for institutional practice

The discussion points toward a practical implication: resilience governance should be cross-functional before crisis. Preservation staff, IT security staff, privacy officers, records managers, public service staff, administrators, and community representatives should share risk registers, recovery priorities, incident exercises, and accountability structures. Information resilience requires shared terminology as much as shared infrastructure.

Taken together, these implications reinforce the article’s central claim: cybersecurity as preservation is not a metaphor. It is a necessary conceptual and practical realignment for institutions whose mission depends on sustaining trustworthy information across time, threat, and technological change.

7 Limitations and Future Research

This study is limited by its reliance on public documents. Public policies and incident materials are valuable because they show how institutions make governance visible, but they do not reveal all internal practices, technical controls, informal workflows, or post-incident lessons. The corpus should therefore be interpreted as evidence of public documentary governance fragmentation, not as a direct measure of institutional cybersecurity maturity.

The corpus is also regionally and linguistically uneven. North American and European documents are more visible in the dataset, while African, Latin American, and some Asia-Pacific materials are underrepresented. This imbalance reflects language, search visibility, public-sector transparency, and publication practices as much as actual institutional capacity. The purposive sampling strategy supports conceptual variation, but it does not support prevalence estimation.

The study also treats cyber incident documents as analytic stress tests rather than representative cases. Incidents make dependencies visible, but they may bias interpretation toward ransomware and crisis-visible organizations. AI governance is another temporal limitation: policies, tools, and institutional practices are changing rapidly, so the analysis should be read as a 2026 snapshot of public documentary representation.

Future empirical research should extend this framework through: interviews with preservation and security staff; multilingual comparative document corpora; post-incident recovery case studies; surveys of governance integration across preservation, cybersecurity, privacy, and public services; and audits of AI-mediated preservation workflows. Such studies could test whether the framework’s propositions hold across institutional settings and whether stewardship continuity can be operationalized as an evaluative criterion for resilience.

8 Conclusion

This article’s central claim is that preservation in networked cultural heritage institutions is no longer only the protection of objects across time. It is the protection of trustworthy stewardship relationships under conditions of adversarial disruption. Cybersecurity becomes preservation when it sustains the availability, integrity, authenticity, confidentiality, interpretability, and legitimacy of cultural memory. Framed this way, information resilience is not simply recovery from interruption; it is the recoverability of trust.

9 Appendix A: Corpus Table

Table 7 lists the full document corpus used for the analysis. The table is included as an audit trail for the qualitative document analysis and should be read as a record of public documentary evidence rather than a claim of global representativeness.

Table 7: Full corpus of public governance documents and incident materials

Document_ID	Institution	Country	Region	Year	Institution Type	Doc Type	Analytical Tags	URL
1	British Library	United Kingdom	Europe	2024	National library	Cyber incident review	Cyber-aware; Ethics-integrated	https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf/
2	Toronto Public Library	Canada	North America	2023	Public library system	Cyber incident update	Cyber-aware; Ethics-integrated	https://blogs.tpl.ca/dev-tpl/2023/11/cybersecurity-incident-3/
3	Toronto Public Library	Canada	North America	2024	Public library system	Digital strategy annual report	Cyber-aware; Hybrid Plan	https://blogs.tpl.ca/wp-content/uploads/board-meetings/2024-06-24/21-2020-2024-digital-strategy-annual-report-2024-combined.pdf
4	Seattle Public Library	United States	North America	2025	Public library system	Annual levy/report case material	Cyber-aware; Hybrid Plan	https://clerk.seattle.gov/search/clerk-files/323341
5	HathiTrust	United States / consortium	North America	2026	Digital library consortium	Cyber/data incident statement	Cyber-aware; Ethics-integrated	https://www.hathitrust.org/press-post/unauthorized-distribution-of-hathitrust-data/
6	Library of Congress	United States	North America	2019	National library	Digital strategy	Hybrid Plan	https://www.loc.gov/digital-strategy
7	Library of Congress	United States	North America	2025	National library	Recommended formats statement	Hybrid Plan	https://www.loc.gov/preservation/resources/rfs/RFS%202025-2026.pdf
8	National Archives and Records Administration	United States	North America	2022	National archives	Digital preservation strategy	Cyber-aware; Hybrid Plan	https://www.archives.gov/preservation/digital-preservation
9	National Archives and Records Administration	United States	North America	2024	National archives	Digital preservation framework	Hybrid Plan	https://www.archives.gov/news/articles/digital-preservation-framework-update-2024
10	National Library of Scotland	United Kingdom	Europe	2026	National library	Digital preservation policy	Cyber-aware; Hybrid Plan	https://www.nls.uk/about-us/plans-and-policies/corporate-documents/
11	The National Archives	United Kingdom	Europe	2024	National archives	Digital preservation guidance/strategy	Hybrid Plan	https://www.nationalarchives.gov.uk/archives-sector/advice-and-guidance/managing-your-collection/preserving-digital-collections/
12	National Library of New Zealand / Archives New Zealand	New Zealand	Asia-Pacific	2025	National library/archive	Digital preservation programme and policy manual	Hybrid Plan; Ethics-integrated	https://natlib.govt.nz/collections/digital-preservation/digital-preservation-programme
13	National Library of New Zealand	New Zealand	Asia-Pacific	2025	National library	Community digital preservation guide	Hybrid Plan; Ethics-integrated	https://natlib.govt.nz/collections/caring-for-your-collections/digital-collections
14	National Diet Library	Japan	Asia-Pacific	2010	National library	Disaster preparedness guideline	Traditional Plan	https://www.ndl.go.jp/en/aboutus/policy
15	National Diet Library	Japan	Asia-Pacific	2021	National library	Digital preservation basic plan	Hybrid Plan	https://www.ndl.go.jp/en/preservation/dlib/pdf/basic_plan_digital_preservation_en.pdf
16	National Library Board Singapore	Singapore	Asia-Pacific	2026	National/public library	Digital preservation public guide	Hybrid Plan; Ethics-integrated	https://reference.nlb.gov.sg/guides/digital-preservation/main/
17	National Library of Australia	Australia	Asia-Pacific	2021	National library	Digitisation strategy	Hybrid Plan	https://www.nla.gov.au/sites/default/files/2021-10/Digitisation%20Strategy.pdf
18	University of Tasmania Library	Australia	Asia-Pacific	2020	Academic library	Disaster management plan for library collections	Traditional Plan	https://www.utas.edu.au/__data/assets/pdf_file/0006/974553/2020-review-Library-Services-Disaster-Prevention-and-Management-Plan-for-Library-Collections-May-2017.pdf
19	University of Toronto Libraries	Canada	North America	2019	Academic library	Disaster plan for library materials	Traditional Plan	https://onesearch.library.utoronto.ca/sites/default/files/disaster-plan/disaster-manual-2019-general.pdf
20	Colorado State University Libraries	United States	North America	2016	Academic library	Disaster recovery plan manual	Hybrid Plan	https://lib.colostate.edu/images/mps/disasterplanmasterplanwebversion.doc
21	Yale University Library	United States	North America	2025	Academic library	Digital preservation policy framework	Hybrid Plan	https://web.library.yale.edu/sites/default/files/files/YUL%20Digital%20Preservation%20Policy%20Framework%20V1%200.pdf
22	Columbia University Libraries	United States	North America	2018	Academic library	Preservation policy	Cyber-aware; Hybrid Plan	https://library.columbia.edu/about/policies/preservation.html
23	Columbia University Libraries	United States	North America	n.d.	Academic library	Digital resources preservation policy	Hybrid Plan	https://library.columbia.edu/services/preservation/dlpolicy.html
24	Harvard Library	United States	North America	2026	Academic library	Digital preservation repository description	Hybrid Plan	https://preservation.library.harvard.edu/digital-preservation-repository
25	Harvard Library	United States	North America	2023	Academic library	Generative AI guidance	AI-aware; Ethics-integrated	https://library.harvard.edu/about/news/2023-07-13/letter-martha-whitehead-initial-guidelines-generative-ai
26	Cornell University Library	United States	North America	2025	Academic library	Repository preservation support policy	Hybrid Plan	https://guides.library.cornell.edu/ecommons/preservation
27	Stanford Libraries	United States	North America	2026	Academic library	Repository data management guidance	Cyber-aware; Hybrid Plan	https://sdr.library.stanford.edu/documentation/data-management-plans
28	Bibliothèque et Archives nationales du Québec	Canada	North America	2021	National library/archive	Digital preservation policy	Cyber-aware; Ethics-integrated; Hybrid Plan	https://www.banq.qc.ca/politique-de-preservation-numerique-des-documents-patrimoniaux-p-10/
29	Biblioteca Nacional do Brasil	Brazil	Latin America	2010	National library	Risk management/safeguard and emergency plan	Traditional Plan; Ethics-integrated	https://antigo.bn.gov.br/en/production/publications/risk-management-plan-safeguard-emergency-national
30	Biblioteca Nacional do Brasil / BNDigital	Brazil	Latin America	2021	National digital library	Digital preservation policy	Cyber-aware; Hybrid Plan; Ethics-integrated	https://bndigital.bn.gov.br/wp-content/uploads/2021/01/politica_de_preservacao_digital_FBN_web.pdf
31	Biblioteca Nacional Mariano Moreno	Argentina	Latin America	2026	National library	Physical preservation policy	Traditional Plan; Ethics-integrated	https://www.bn.gov.ar/bibliotecarios/preservacion
32	National Archives and Records Service of South Africa	South Africa	Africa	2020	National archives	Digitisation strategy/reformatting guidance	Hybrid Plan; Ethics-integrated	https://www.nationalarchives.gov.za/node/160
33	National Archives and Records Service of South Africa	South Africa	Africa	2020	National archives	Electronic records policy	Hybrid Plan; Ethics-integrated	https://www.nationalarchives.gov.za/node/6429934
34	KB National Library of the Netherlands	Netherlands	Europe	2025	National library	Preservation plan / digital preservation policy	Cyber-aware; Hybrid Plan	https://www.kb.nl/en/expertise/preservation-policy
35	KB National Library of the Netherlands	Netherlands	Europe	2021	National library	CoreTrustSeal/digital archive certification evidence	Cyber-aware; Hybrid Plan	https://www.kb.nl/en/about-us/expertise/digital-preservation
36	National Library of Sweden	Sweden	Europe	n.d.	National library	Preservation policy	Hybrid Plan	https://www.kb.se/om-oss/det-har-gor-vi/bevarande.html
37	German National Library	Germany	Europe	2025	National library	Digital deposit/file format policy	Hybrid Plan	https://www.dnb.de/netzpublikationen
38	Digital Preservation Coalition	International	International	2023	International organization	Digital preservation policy toolkit	Cyber-aware; Hybrid Plan	https://www.dpconline.org/digipres/implement-digipres/policy-toolkit
39	Digital Preservation Coalition	International	International	2021	International organization	Rapid assessment model	Hybrid Plan	https://www.dpconline.org/our-work/dpc-ram
40	IFLA	International	International	2020	International organization	AI statement for libraries	AI-aware; Ethics-integrated	https://repository.ifla.org/items/8c05d706-498b-42c2-a93a-3d47f69f7646
41	Association of Research Libraries	United States/Canada	North America	2024	Research library association	AI guiding principles	AI-aware; Ethics-integrated; Cyber-aware	https://www.arl.org/resources/research-libraries-guiding-principles-for-artificial-intelligence/
42	American Library Association	United States	North America	2025	Professional association	Privacy interpretation/guideline	Cyber-aware; Ethics-integrated	https://www.ala.org/advocacy/intfreedom/librarybill/interpretations/privacy
43	IFLA PAC	International	International	2006	International organization	Disaster preparedness manual	Traditional Plan	https://repository.ifla.org/handle/20.500.14598/1315
44	UNESCO	International	International	2021	International organization	AI ethics recommendation	AI-aware; Ethics-integrated	https://www.unesco.org/en/legal-affairs/recommendation-ethics-artificial-intelligence

10 Appendix B: Corpus Audit Tables

Table 8, Table 9, Table 10, Table 11, Table 12, Table 13, Table 14, Table 15, and Table 16 provide descriptive audit information moved from the main text to reduce table burden. These tables support transparency and reproducibility, while the main text retains the analytic matrices used to build the framework.

Table 8: Search strategy and document discovery sources

Search_Target	Example_Search_Strings	Purpose
Institutional websites	“site:library.edu digital preservation policy PDF”; “site:national-library domain disaster plan PDF”	Locate official plans and policies
Professional and international organizations	“IFLA AI libraries statement”; “Digital Preservation Coalition policy toolkit”	Identify normative and sector-level guidance
Cyber incident materials	“library ransomware incident report”; “British Library cyber incident review”; “public library cybersecurity update”	Locate cyber incidents and recovery documents
Regional expansion	“preservacao digital biblioteca nacional”; “national archives digital preservation policy Africa”; “Asia Pacific national library digital preservation”	Reduce North Atlantic sampling concentration
Known exemplars and snowballing	References and links from official policy pages	Add mature policies, frameworks, and case materials

Table 9: Inclusion and exclusion criteria

Criterion_Type	Included	Excluded
Source authority	Official institutional, professional, or international organization source	Unofficial news reports, blogs, vendor marketing, duplicate mirrors
Document relevance	Disaster, preservation, cybersecurity, AI, privacy, continuity, incident, or repository governance material	General library webpages without governance content
Date	Primarily 2015-2026; older documents retained as baseline exemplars	Older documents without continuing conceptual or policy relevance
Institutional scope	Libraries, archives, cultural heritage institutions, repositories, and relevant professional bodies	General enterprise cybersecurity documents with no information-institution relevance
Access	Publicly available URL or PDF	Internal-only or inaccessible documents

Table 10: Corpus distribution by region

Region	Documents
North America	20
Asia-Pacific	7
Europe	7
International	5
Latin America	3
Africa	2

Table 11: Regional distribution of corpus documents

Region	Documents	Share
North America	20	45.5%
Asia-Pacific	7	15.9%
Europe	7	15.9%
International	5	11.4%
Latin America	3	6.8%
Africa	2	4.5%

Table 12: Corpus distribution by institution type

Institution Type	Documents
National library	14
Academic library	10
International organization	5
National archives	5
Public library system	3
National library/archive	2
Digital library consortium	1
National digital library	1
National/public library	1
Professional association	1
Research library association	1

Table 13: Corpus distribution by institution type

Institution Type	Documents
National library	14
Academic library	10
International organization	5
National archives	5
Public library system	3
National library/archive	2
Digital library consortium	1
National digital library	1
National/public library	1
Professional association	1
Research library association	1

Table 14: Coverage levels by analytical domain

Domain	Level	Documents
AI Mention	None	33
AI Mention	High	4
AI Mention	None explicit	4
AI Mention	Low	3
Cybersecurity	Medium	23
Cybersecurity	Low	12
Cybersecurity	High	9
Digital Preservation	High	25
Digital Preservation	Low	10
Digital Preservation	Medium	9
Ethics/Privacy	Medium	24
Ethics/Privacy	High	10
Ethics/Privacy	Low	10

Table 15: Analytical tag distribution

Analytical Tags	Documents
Hybrid Plan	30
Ethics-integrated	17
Cyber-aware	16
Traditional Plan	6
AI-aware	4

Table 16: Analytical tags by region

Region	Ethics-integrated	Hybrid Plan	Traditional Plan	Cyber-aware	AI-aware
Africa	2	2	0	0	0
Asia-Pacific	3	5	2	0	0
Europe	1	6	0	4	0
International	2	2	1	1	2
Latin America	3	1	2	1	0
North America	6	14	1	10	2

References

Ahlryd, S., & Hanell, F. (2024). Mitigating the infodemic of the pandemic: Hospital librarians’ enactment and development of information resilience in healthcare organisations. Journal of Documentation, 80(7), 267–286. https://doi.org/10.1108/JD-12-2023-0258

Akor, S. O., Nongo, C. J., & Udofot, C. (2024). Cybersecurity awareness: Leveraging emerging technologies in the security and management of libraries in higher education institutions. https://doi.org/10.25159/3005-4222/16671

American Library Association. (2025). Privacy: An interpretation of the library bill of rights. https://www.ala.org/advocacy/intfreedom/librarybill/interpretations/privacy

Association of Research Libraries. (2024). Research libraries guiding principles for artificial intelligence. https://doi.org/10.29242/principles.ai2024

Barons, M. J., Bhatia, S., Double, J., Fonseca, T., Hale, G., & Krolikowska, N. (2021). Safeguarding the nation’s digital memory: Towards a bayesian model of digital preservation risk. Archives and Records, 42(1), 58–78. https://doi.org/10.1080/23257962.2021.1873121

Becker, C., Kulovits, H., Guttenbrunner, M., Strodl, S., Rauber, A., & Hofman, H. (2009). Systematic planning for digital preservation: Evaluating potential strategies and building preservation plans. International Journal on Digital Libraries, 10(4), 133–157. https://doi.org/10.1007/s00799-009-0057-1

Becker, C., & Rauber, A. (2011). Decision criteria in digital preservation: What to measure and how. Journal of the American Society for Information Science and Technology, 62(6), 1009–1028. https://doi.org/10.1002/asi.21527

Biblioteca Nacional do Brasil. (2010). Risk management plan: Safeguard and emergency. https://antigo.bn.gov.br/en/production/publications/risk-management-plan-safeguard-emergency-national

Biblioteca Nacional do Brasil. (2021). Politica de preservacao digital. https://bndigital.bn.gov.br/wp-content/uploads/2021/01/politica_de_preservacao_digital_FBN_web.pdf

Bibliotheque et Archives nationales du Quebec. (2021). Politique de preservation numerique des documents patrimoniaux. https://www.banq.qc.ca/politique-de-preservation-numerique-des-documents-patrimoniaux-p-10/

Borgman, C. L., Scharnhorst, A., & Golshan, M. S. (2019). Digital data archives as knowledge infrastructures: Mediating data sharing and reuse. Journal of the Association for Information Science and Technology, 70(8), 888–904. https://doi.org/10.1002/asi.24172

Bowen, G. A. (2009). Document analysis as a qualitative research method. Qualitative Research Journal, 9(2), 27–40. https://doi.org/10.3316/QRJ0902027

Braquet, D. M. (2010). Library experiences of hurricane katrina and new orleans flood survivors. Library and Information Science Research E-Journal, 20(1). https://doi.org/10.32655/libres.2010.1.1

British Library. (2024). Learning lessons from the cyber-attack: British library cyber incident review. https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf/

Carvalhaes, T., Markolf, S. A., Helmrich, A., Kim, Y., Li, R., Natarajan, M., Bondank, E., & Chester, M. V. (2020). COVID-19 as a harbinger of transforming infrastructure resilience. Frontiers in Built Environment, 6. https://doi.org/10.3389/fbuil.2020.00148

Columbia University Libraries. (2018). Preservation policy. https://library.columbia.edu/about/policies/preservation.html

Conway, P. (2010). Preservation in the age of google: Digitization, digital preservation, and dilemmas. The Library Quarterly, 80(1), 61–79. https://doi.org/10.1086/648463

Cybersecurity for information professionals. (2020). Auerbach Publications. https://doi.org/10.1201/9781003042235

Dappert, A., & Enders, M. (2008). Using METS, PREMIS and MODS for archiving eJournals. D-Lib Magazine, 14(9/10). https://doi.org/10.1045/september2008-dappert

Harvard Library. (2023). Initial guidelines for generative AI. https://library.harvard.edu/about/news/2023-07-13/letter-martha-whitehead-initial-guidelines-generative-ai

HathiTrust. (2026). Unauthorized distribution of HathiTrust data. https://www.hathitrust.org/press-post/unauthorized-distribution-of-hathitrust-data/

International Federation of Library Associations and Institutions. (2006). IFLA disaster preparedness and planning: A brief manual. https://repository.ifla.org/handle/20.500.14598/1315

International Federation of Library Associations and Institutions. (2020). IFLA statement on libraries and artificial intelligence. https://repository.ifla.org/items/8c05d706-498b-42c2-a93a-3d47f69f7646

Johnson, S. A., Ridley, M., & Henry, G. (2019). Ethics of artificial intelligence. Research Library Issues, (299). https://doi.org/10.29242/rli.299

KB National Library of the Netherlands. (2025). Preservation policy. https://www.kb.nl/en/expertise/preservation-policy

Lloyd, A. (2014). Building information resilience: How do resettling refugees connect with health information in regional landscapes - implications for health literacy. Australian Academic and Research Libraries, 45(1), 48–66. https://doi.org/10.1080/00048623.2014.884916

Lloyd, A. (2015). Stranger in a strange land; enabling information resilience in resettlement landscapes. Journal of Documentation, 71(5), 1029–1042. https://doi.org/10.1108/JD-04-2014-0065

Masten, A. S., & Motti-Stefanidi, F. (2020). Multisystem resilience for children and youth in disaster: Reflections in the context of COVID-19. Adversity and Resilience Science, 1(2), 95–106. https://doi.org/10.1007/s42844-020-00010-w

National Archives and Records Administration. (2022). Digital preservation strategy. https://www.archives.gov/preservation/digital-preservation

National Archives and Records Administration. (2024). Digital preservation framework update. https://www.archives.gov/news/articles/digital-preservation-framework-update-2024

National Archives and Records Service of South Africa. (2020). Digitisation strategy and reformatting guidance. https://www.nationalarchives.gov.za/node/160

National Diet Library. (2021). Basic plan for digital preservation. https://www.ndl.go.jp/en/preservation/dlib/pdf/basic_plan_digital_preservation_en.pdf

National Library of New Zealand. (2025). Digital preservation programme. https://natlib.govt.nz/collections/digital-preservation/digital-preservation-programme

National Library of Scotland. (2026). Digital preservation policy. https://www.nls.uk/about-us/plans-and-policies/corporate-documents/

Nguyen, C. D. (2024). Digital cultural heritage in the crossfire of conflict: Cyber threats and cybersecurity perspectives. Insights: The UKSG Journal, 37. https://doi.org/10.1629/uksg.647

Nicol, E., Willson, R., & Ruthven, I. (2022). Information intermediaries and information resilience: Working to support marginalised groups. Proceedings of the Association for Information Science and Technology, 59, 469–473. https://doi.org/10.1002/pra2.654

Owens, T. (2017). The theory and craft of digital preservation. Center for Open Science. https://doi.org/10.31229/osf.io/5cpjt

Pansoni, S., Tiribelli, S., Paolanti, M., Frontoni, E., & Malinverni, E. S. (2023). Artificial intelligence and cultural heritage: Design and assessment of an ethical framework. The International Archives of the Photogrammetry, Remote Sensing and Spatial Information Sciences, XLVIII-M-2-2023, 1149–1155. https://doi.org/10.5194/isprs-archives-xlviii-m-2-2023-1149-2023

Pinnick, J. (2017). Exploring digital preservation requirements. Records Management Journal, 27(2), 175–191. https://doi.org/10.1108/RMJ-04-2017-0009

Rak, J., Jonsson, M., & Hutchison, D. (2017). Disciplines and measures of information resilience. 2017 19th International Conference on Transparent Optical Networks (ICTON). https://doi.org/10.1109/ICTON.2017.8024996

Seattle Public Library. (2025). 2024 library levy annual report. https://clerk.seattle.gov/search/clerk-files/323341

Stojanovic, Z., & Cajic, E. (2023). Application of artificial intelligence in cultural heritage. In Proceedings (pp. 333–352). https://doi.org/10.18485/akademac_nsk.2023.4.ch14

The National Archives. (2024). Preserving digital collections. https://www.nationalarchives.gov.uk/archives-sector/advice-and-guidance/managing-your-collection/preserving-digital-collections/

Threats, M. (2025). Toward information resilience: Applying intersectionality to the HIV/AIDS information practices of black sexual minority men. Journal of the Association for Information Science and Technology, 76(8), 1123–1140. https://doi.org/10.1002/asi.24999

Timmermans, S., & Tavory, I. (2014). Abductive analysis: Theorizing qualitative research. University of Chicago Press. https://doi.org/10.7208/chicago/9780226180458.001.0001

Toronto Public Library. (2023). Cybersecurity update. https://blogs.tpl.ca/dev-tpl/2023/11/cybersecurity-incident-3/

Toronto Public Library. (2024). 2020-2024 digital strategy annual report. https://blogs.tpl.ca/wp-content/uploads/board-meetings/2024-06-24/21-2020-2024-digital-strategy-annual-report-2024-combined.pdf

UNESCO. (2021). Recommendation on the ethics of artificial intelligence. https://www.unesco.org/en/legal-affairs/recommendation-ethics-artificial-intelligence

University of Tasmania Library. (2020). Library services disaster prevention and management plan for library collections. https://www.utas.edu.au/__data/assets/pdf_file/0006/974553/2020-review-Library-Services-Disaster-Prevention-and-Management-Plan-for-Library-Collections-May-2017.pdf

University of Toronto Libraries. (2019). Disaster plan for library materials. https://onesearch.library.utoronto.ca/sites/default/files/disaster-plan/disaster-manual-2019-general.pdf

Varheim, A., Skare, R., & Lenstra, N. (2018). A research program for studying LAMs and community in the digital age. Proceedings from the Document Academy, 5(2). https://doi.org/10.35492/docam/5/2/12

Vukovic, M., & Stefanac, T. (2023). Digital cultural heritage, cybersecurity, and the human factor. Preservation, Digital Technology and Culture, 52(4), 129–141. https://doi.org/10.1515/pdtc-2023-0040