risk management in participative web (2008)
TRANSCRIPT
Risk Management in Participative Web
Policies of the Use of Citizen Participative Services in the Context of Public Administrations
Miriam Ruiz - Fundación CTIC
Index
Introduction and Global View
Examples
Services
Methodology
Dangers
Risk Control
Introduction
The Future of the Web
● Web 1.0: People connecting to the Web for Information: Unidirectional from the editors to the readers.
● Web 2.0: People connecting to People: social networks, wikis, collaboration, possibility of sharing.
● Web 3.0: Web applications connecting to other web applications to enrich people's experience.
Advantages of Web 2.0
● Provides a meeting point for all agents involved in the smooth running of society
● Information sharing: knowledge, experiences, suggestions or complaints
● Active collaboration and greater protagonism and involvement of citizens
● Vehicle for providing new ideas to the Public Administration
● Collective generation and gathering of knowledge
● More transparency in the Public Administration
● Continuous improvement of public services
Global View
Goals
● Develop a methodology to extract the maximum benefit of the web 2.0 paradigm, minimizing its risks
● Have a knowledge as accurate as possible of the web 2.0 phenomenon and its consequences
● Obtain the highest signal/noise ratio possible from the information generated in a decentralized way
● Systematize the design of new web 2.0 services
Participants
● Internal Staff: Contractual Relationship, indefinite stay
● Hired Staff: Contractual Relationship, temporary stay
● External People: No contractual relationship, they use the services provided
● Outsiders: No kind of relationship established
● Anonymous People: Unidentified
Identification Level
● Absolute identification by direct means: ID Card, Passport or similar.
● Absolute identification by indirect means: Telephone number or similar.
● Weak identification (pseudonym): Alias, e-mail, OpenID or similar.
● Anonymous participation: There is nothing that can identify the person
Authentication Level
● Biometric means: Biological Data
● Safe Network: Connection from a controlled Network (Intranet)
● Strong Authentication: e-ID, digital signature, etc.
● Intermediate Authentication: Private secret data
● Weak Authentication: Password
● No Authentication: No authentication
Services
Services
Collective generation of information:
− Blogs or Weblogs (other options: microblogs or nanoblogs, photoblogs, videoblogs or vblogs)
− Discussion boards
− Mailing lists
− Wikis
− Survey
− Comments
− Contests
Services
Multimedia Contents (photos, audio, video, flash, etc.):
− Photo Album or gallery
− Podcast
− Video Podcast, Vidcast or Vodcast
Collective Classification of Contents:
− Evaluation
− Tags, folksonomies and tag clouds
− Classification systems based on reputation
Services
Information Export:
− Content syndication (RSS, Atom)
− Publishing of information in semantic formats (RDF, RDFa)
− Open APIs
Content Integration:
− Blog aggregators, planets or metablogs
− Mashups or hybrid web applications
Services
Relationships between people:
− Chat or cybertalk
− Instant Messaging
− Web Conferences
− Audio and Video Conferences
− Virtual Worlds
− Social Networks
− Commercial or Economical Exchanges
Methodology
Risk Management Process
● Definition of the Global Strategy
● Risk Identification
● Initial Risk Evaluation
● Planning of measures to reduce the risks
● New Risk Evaluation
● Risk Control (application of planned measures)
● Data Collection
● Periodic Review
Risk Management Process
(Diagram of the cycle: Global Strategy, Risk Identification, Initial Risk Evaluation, Definition of Measures to Control the Risks, Final Risk Evaluation, Risk Control, Data Collection)
Risk Calculation
Risk = Probability x Impact
Quantification of the Probability
High: The hazardous event will happen regularly
Medium: The hazardous event will happen from time to time
Low: The hazardous event will occur rarely
Null: It's extremely unlikely for the dangerous event to occur
Quantification of the Impact
Severe or extremely harmful event: The damage would be very important if the dangerous event happened
Serious or harmful event: The damage would be considerable
Mild or slightly harmful event: The damage would not be too important
Harmless: There would be almost no damage even when the incident occurred
Risk Quantification
Consequences (impact) along the columns, probability (danger) along the rows:

Probability (danger)   Mild        Harmful     Severe
Low                    Trivial     Tolerable   Moderate
Medium                 Tolerable   Moderate    Important
High                   Moderate    Important   Intolerable
Risk Evaluation
T: Trivial (No specific actions are required)
TO: Tolerable (Improvements that do not imply a big cost. Regular checks)
MO: Moderate (Efforts to reduce risk)
I: Important (A new service shall not be started. Prioritize the solution of the problem if the service is already running)
IN: Intolerable (Stop the service immediately)
Risk = Probability x Impact
Dangers
Dangers
R01: Violation of personal privacy, honor or self-image of people
R02: Revelation and disclosure of secrets or confidential information
R03: Illegal contents or illegal advocacy of crime
R04: Undesired contents or advocacy of undesired activities
R05: Exchanges of attacks or insults
R06: Threats
R07: Continuous psychological harassment
R08: Sexual harassment
R11: Use of the platform for personal or business promotion
R12: Negative advertisement or destructive or negative participation
R13: Irrelevant matters or unrelated to the topic being treated (off-topic)
Dangers
R14: Low quality of the contributions
R15: Spreading rumors and false information
R16: Loss of confidence in the service
R17: Loss of credibility of the institution
R18: Forced participation of third parties
R21: Violation of protection rights of personal data
R22: Infringement of intellectual property rights of third persons
R23: Impersonation
R24: Violation of the protection rights of minors
R25: Fraud
R26: Deception or phishing
Dangers
R31: SPAM or unsolicited massive messages
R32: Sabotage: malware, virus, trojans, spyware, ...
R33: Massive subscription
R34: Massive theft of personal data
R35: Accessibility problems
R41: Low participation
R42: Massive use of the service ("die of success")
R43: Biased participation or restricted to a part of the population
R44: Emergence of power groups
R51: Inappropriate use in external information services
Consequences
Legal: Legal action that could be taken against the organization due to contents published by third persons
Mediatic or Image-related: Potential impact on the media of the contents published in the collaborative services
Economical: Financial or monetary consequences that may affect the organization
Technical: Potential problems of a technical nature that, involuntarily or on purpose, may be caused by other people with their participation
Social: Related to the inherent quality of the service for users
Risk Control
Proactive or preventive measures
● Definition and communication of the conditions of use of the services
● Information and appropriate management of personal data
● Terms of licensing of the information and published contents
● Adequate information to the users of the services
● Training the staff of the organization
● Collaboration with copyright management organizations
● Limiting the involvement of minors
● Moderation prior to publication of contents provided by third parties
● Automatic filtering based on the format or the content
● Use of captchas (semantic or accessible)
● Identification and authentication of participants
● Restrictions on access to the contents or to participation
● Dynamization and motivation from within the community
● Proper planning of the start-up of the services
Reactive or corrective measures
● Removal or modification of already published content
● Direct participation in the service by the organization
● Collective moderation by the community itself
● Canceling of user accounts
● Denial of access to a service
● Definition of contingency plans
● Notification or formal complaints to competent authorities
Supervision or monitoring
● Active surveillance of published contents by the organization
● Warning system to allow the community itself to alert of problems
● Availability of an email account for personalized alerts
● Active surveillance of impact and contents reuse in external services
● Automated mechanisms for review of the published contents
Examples (mailing lists)
Example: Illegal Contents
Initial Probability (danger): High
Initial Consequences (damage): Harmful
Initial Risk: Important

Measures Taken                                      Probability   Consequences
Identification and authentication of participants   ↓             =
Moderation based on user's reputation               ↓             =
Automatic filtering of contents                     ↓             =
Removal of the message                              =             ↓
Warnings from other users                           =             ↓

Final Probability (danger): Medium
Final Consequences (damage): Mild
Final Risk: Moderate
Example: SPAM
Initial Probability (danger): High
Initial Impact (damage): Mild
Initial Risk: Moderate

Measures Taken                                      Probability   Consequences
Identification and authentication of participants   ↓             =
Moderation based on user's reputation               ↓             =
Automatic anti-SPAM filtering                       ↓↓            =
Removal of the message                              =             ↓
Warnings from other users                           =             ↓

Final Probability (danger): Low
Final Impact (damage): Mild
Final Risk: Trivial
Example: Low Participation
Initial Probability (danger): High
Initial Consequences (damage): Mild
Initial Risk: Moderate

Measures Taken                                      Probability   Consequences
Identification and authentication of participants   ↑             =
Moderation based on user's reputation               ↑             =
Motivate users for participation                    ↓             =
Provide interesting contents from the organization  ↓             =
Publicize the list                                  ↓             =

Final Probability (danger): Medium
Final Consequences (damage): Mild
Final Risk: Tolerable
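As an added example (not part of the slides), the Risk = Probability x Impact matrix and the decision rule from the Risk Evaluation slide coded up and applied to the initial and final levels of the mailing-list examples above. The slides' matrix has no row for Null probability or column for Harmless impact; mapping both to Trivial is an assumption made here.

```python
# Added example: the slides' risk matrix and evaluation rule as code.
from enum import IntEnum


class Probability(IntEnum):
    NULL = 0      # "extremely unlikely"; not a row of the slides' matrix
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Impact(IntEnum):
    HARMLESS = 0  # "almost no damage"; not a column of the slides' matrix
    MILD = 1
    HARMFUL = 2
    SEVERE = 3


# "Risk Quantification" slide: rows are probability, columns are Mild/Harmful/Severe.
RISK_MATRIX = {
    Probability.LOW:    ("Trivial",   "Tolerable", "Moderate"),
    Probability.MEDIUM: ("Tolerable", "Moderate",  "Important"),
    Probability.HIGH:   ("Moderate",  "Important", "Intolerable"),
}
RISK_ORDER = ("Trivial", "Tolerable", "Moderate", "Important", "Intolerable")

# Decision attached to each level on the "Risk Evaluation" slide.
ACTIONS = {
    "Trivial": "No specific actions are required",
    "Tolerable": "Low-cost improvements; regular checks",
    "Moderate": "Efforts to reduce risk",
    "Important": "Do not start the service; prioritize a fix if already running",
    "Intolerable": "Stop the service immediately",
}


def risk_level(prob: Probability, impact: Impact) -> str:
    # Assumption (not on the slides): Null probability or Harmless impact is Trivial.
    if prob == Probability.NULL or impact == Impact.HARMLESS:
        return "Trivial"
    return RISK_MATRIX[prob][impact - Impact.MILD]


def may_start_service(level: str) -> bool:
    # Per the slides, Important and Intolerable block launching a new service.
    return RISK_ORDER.index(level) < RISK_ORDER.index("Important")


def evaluate(name: str, initial: tuple, final: tuple) -> dict:
    """Compare the (probability, impact) pair before and after the measures;
    report both levels, how many steps the risk moved down, and the action."""
    before, after = risk_level(*initial), risk_level(*final)
    return {"service": name, "initial": before, "final": after,
            "reduction_steps": RISK_ORDER.index(before) - RISK_ORDER.index(after),
            "action": ACTIONS[after], "may_start": may_start_service(after)}
```

For the SPAM example, evaluate("SPAM", (Probability.HIGH, Impact.MILD), (Probability.LOW, Impact.MILD)) reports Moderate before and Trivial after, two steps down. Note that for the Illegal Contents example the matrix lookup for Medium/Mild returns Tolerable, while the slide lists Moderate as the final risk; the code follows the matrix.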
Authors
Promoted and developed by:
− Gobierno del Principado de Asturias - http://www.asturias.es
− CTIC Centro Tecnológico - http://www.fundacionctic.org
Members of the Working Group, in Alphabetical Order:
− Eloy Braña Gundin (Principado de Asturias)
− Chus García (Fundación CTIC)
− Marc Garriga (Ayuntamiento de Barcelona)
− Raquel Gisbert (Ayuntamiento de Barcelona)
− Mª Carmen Herrera (Principado de Asturias)
− Dolors Pou (Xperience Consulting)
− Andrés Ramos Gil de la Haza (Bardají & Honrado Abogados)
− José Luis Rodríguez (Principado de Asturias)
− Miriam Ruiz González (Fundación CTIC)
License
All the contents included in this work belong to Fundación CTIC and are protected by the intellectual and industrial property rights granted by law. Their use, reproduction, distribution, public communication, availability, processing or any other similar or analogous activity is totally prohibited, except in the cases that are explicitly allowed by the license under which it is published. Fundación CTIC reserves the right to pursue legal action as appropriate against those who violate or infringe their intellectual property and/or industrial rights.
This work is published under a Creative Commons license Attribution-ShareAlike 3.0 (CC-by-sa 3.0).
To read the text of this license, visit http://creativecommons.org/licenses/by-sa/3.0/