Risk management in participative web (2008)

Post on 22-Jun-2015


Risk Management in Participative Web

Policies of the Use of Citizen Participative Services in the Context of Public Administrations

Miriam Ruiz - Fundación CTIC
miriam.ruiz@fundacionctic.org

Index

Introduction and Global View

Examples

Services

Methodology

Dangers

Risk Control

Introduction

The Future of the Web

● Web 1.0: People connecting to the Web for information: unidirectional, from the editors to the readers.

● Web 2.0: People connecting to people: social networks, wikis, collaboration, the possibility of sharing.

● Web 3.0: Web applications connecting to other web applications to enrich people's experience.

Advantages of Web 2.0

● Provides a meeting point for all the agents involved in the smooth running of society

● Information sharing: knowledge, experiences, suggestions or complaints

● Active collaboration and a more prominent role and greater involvement for citizens

● Vehicle for bringing new ideas to the Public Administration

● Collective generation and gathering of knowledge

● More transparency in the Public Administration

● Continuous improvement of public services

Global View

Goals

● Develop a methodology to extract the maximum benefit from the web 2.0 paradigm while minimizing its risks

● Have as accurate a knowledge as possible of the web 2.0 phenomenon and its consequences

● Obtain the highest signal/noise ratio possible from the information generated in a decentralized way

● Systematize the design of new web 2.0 services

Participants

● Internal Staff: Contractual relationship, indefinite stay

● Hired Staff: Contractual relationship, temporary stay

● External People: No contractual relationship, they use the services provided

● Outsiders: No kind of relationship established

● Anonymous People: Unidentified

Identification Level

● Absolute identification by direct means: ID Card, Passport or similar.

● Absolute identification by indirect means: Telephone number or similar.

● Weak identification (pseudonym): Alias, e-mail, OpenID or similar.

● Anonymous participation: There is nothing that can identify the person

Authentication Level

● Biometric means: Biological data

● Safe Network: Connection from a controlled network (Intranet)

● Strong Authentication: e-ID, digital signature, etc.

● Intermediate Authentication: Private secret data

● Weak Authentication: Password

● No Authentication: No authentication

Services

Services

Collective generation of information:
− Blogs or Weblogs (other options: microblogs or nanoblogs, photoblogs, videoblogs or vlogs)
− Discussion boards
− Mailing lists
− Wikis
− Surveys
− Comments
− Contests

Services

Multimedia Contents (photos, audio, video, flash, etc.):
− Photo album or gallery
− Podcast
− Video Podcast, Vidcast or Vodcast

Collective Classification of Contents:
− Evaluation
− Tags, folksonomies and tag clouds
− Classification systems based on reputation

Services

Information Export:
− Content syndication (RSS, Atom)
− Publishing of information in semantic formats (RDF, RDFa)
− Open APIs

Content Integration:
− Blog aggregators, planets or metablogs
− Mashups or hybrid web applications

Services

Relationships between people:
− Chat or cybertalk
− Instant Messaging
− Web Conferences
− Audio and Video Conferences
− Virtual Worlds
− Social Networks
− Commercial or Economic Exchanges

Methodology

Risk Management Process

● Definition of the Global Strategy
● Risk Identification
● Initial Risk Evaluation
● Planning of measures to reduce the risks
● New Risk Evaluation
● Risk Control (application of the planned measures)
● Data Collection
● Periodic Review

Risk Management Process

[Diagram: Risk Management Process cycle with the nodes Global Strategy, Risk Identification, Initial Risk Evaluation, Definition of Measures to Control the Risks, Final Risk Evaluation, Risk Control and Data Collection]

Risk Calculation

Risk = Probability x Impact

Quantification of the Probability

High: The hazardous event will happen regularly

Medium: The hazardous event will happen from time to time

Low: The hazardous event will occur rarely

Null: It is extremely unlikely for the dangerous event to occur

Quantification of the Impact

Severe or extremely harmful event: The damage would be very important if the dangerous event happened

Serious or harmful event: The damage would be considerable

Mild or slightly harmful event: The damage would not be too important

Harmless: There would be almost no damage even when the incident occurred

Risk Quantification

                      Consequences (impact)
Probability (danger)  Mild        Harmful     Severe
Low                   Trivial     Tolerable   Moderate
Medium                Tolerable   Moderate    Important
High                  Moderate    Important   Intolerable

Risk Evaluation

T: Trivial (No specific actions are required)

TO: Tolerable (Improvements that do not imply a big cost. Regular checks)

MO: Moderate (Efforts to reduce the risk)

I: Important (A new service shall not be started. Prioritize the solution of the problem if the service is already running)

IN: Intolerable (Stop the service immediately)

Risk = Probability x Impact

Dangers

Dangers

R01: Violation of personal privacy, honor or self-image of people
R02: Revelation and disclosure of secrets or confidential information
R03: Illegal contents or illegal advocacy of crime
R04: Undesired contents or advocacy of undesired activities
R05: Exchanges of attacks or insults
R06: Threats
R07: Continuous psychological harassment
R08: Sexual harassment
R11: Use of the platform for personal or business promotion
R12: Negative advertisement or destructive or negative participation
R13: Irrelevant matters or unrelated to the topic being treated (off-topic)

Dangers

R14: Low quality of the contributions
R15: Spreading rumors and false information
R16: Loss of confidence in the service
R17: Loss of credibility of the institution
R18: Forced participation of third parties
R21: Violation of protection rights of personal data
R22: Infringement of intellectual property rights of third persons
R23: Impersonation
R24: Violation of the protection rights of minors
R25: Fraud
R26: Deception or phishing

Dangers

R31: SPAM or unsolicited massive messages
R32: Sabotage: malware, viruses, trojans, spyware, ...
R33: Massive subscription
R34: Massive theft of personal data
R35: Accessibility problems
R41: Low participation
R42: Massive use of the service ("dying of success")
R43: Biased participation or participation restricted to a part of the population
R44: Emergence of power groups
R51: Inappropriate use in external information services

Consequences

Legal: Legal action that could be taken against the organization due to contents published by third persons

Media or image-related: Potential impact in the media of the contents published in the collaborative services

Economic: Financial or monetary consequences that may affect the organization

Technical: Potential problems of a technical nature that, involuntarily or on purpose, may be caused by other people through their participation

Social: Related to the inherent quality of the service for its users

Risk Control

Proactive or preventive measures

● Definition and communication of the conditions of use of the services
● Information about, and appropriate management of, personal data
● Licensing terms of the information and published contents
● Adequate information to the users of the services
● Training the staff of the organization
● Collaboration with copyright management organizations
● Limiting the involvement of minors
● Moderation prior to publication of contents provided by third parties
● Automatic filtering based on the format or the content
● Use of captchas (semantic or accessible)
● Identification and authentication of participants
● Restrictions on access to the contents or to participation
● Dynamization (animation) and motivation from within the community
● Proper planning of the start-up of the services

Reactive or corrective measures

● Removal or modification of already published content
● Direct participation in the service by the organization
● Collective moderation by the community itself
● Canceling of user accounts
● Denial of access to a service
● Definition of contingency plans
● Notification or formal complaints to the competent authorities

Supervision or monitoring

● Active surveillance of published contents by the organization
● Warning system to allow the community itself to alert of problems
● Availability of an email account for personalized alerts
● Active surveillance of impact and content reuse in external services
● Automated mechanisms for review of the published contents

Examples (mailing lists)

Example: Illegal Contents

Initial Probability (danger): High
Initial Consequences (damage): Harmful
Initial Risk: Important

Measures Taken                                        Probability  Consequences
Identification and authentication of participants     ↓            =
Moderation based on user's reputation                 ↓            =
Automatic filtering of contents                       ↓            =
Removal of the message                                =            ↓
Warnings from other users                             =            ↓

Final Probability (danger): Medium
Final Consequences (damage): Mild
Final Risk: Moderate

Example: SPAM

Initial Probability (danger): High
Initial Impact (damage): Mild
Initial Risk: Moderate

Measures Taken                                        Probability  Consequences
Identification and authentication of participants     ↓            =
Moderation based on user's reputation                 ↓            =
Automatic anti-SPAM filtering                         ↓↓           =
Removal of the message                                =            ↓
Warnings from other users                             =            ↓

Final Probability (danger): Low
Final Impact (damage): Mild
Final Risk: Trivial

Example: Low Participation

Initial Probability (danger): High
Initial Consequences (damage): Mild
Initial Risk: Moderate

Measures Taken                                        Probability  Consequences
Identification and authentication of participants     ↑            =
Moderation based on user's reputation                 ↑            =
Motivate users for participation                      ↓            =
Provide interesting contents from the organization    ↓            =
Publicize the list                                    ↓            =

Final Probability (danger): Medium
Final Consequences (damage): Mild
Final Risk: Tolerable
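The matrix and the three mailing-list tables can be checked mechanically. The following Python is an added example, not code from the original deck or from Fundación CTIC: it encodes the deck's ordinal scales and 3x3 matrix, looks up Risk = Probability x Impact, and checks each example table for internal consistency (the stated initial and final risk against the matrix, and the measure arrows against how the levels actually moved). Treating Null probability or Harmless impact as Trivial, and the arrow-direction rule, are assumptions of this example and not part of the deck. Run as written, it accepts the SPAM and Low Participation tables and flags the Illegal Contents one: with the deck's own matrix, Medium probability and Mild consequences rate Tolerable, while the slide states Moderate.

```python
"""Risk = Probability x Impact as an ordinal matrix, with a consistency check
for a "measures taken" table like the mailing-list examples in the deck.
Added example: scales, matrix and the three cases are transcribed from the
slides; the Null/Harmless handling and the arrow rule are assumptions."""

PROBABILITY = ["Null", "Low", "Medium", "High"]      # ordinal, lowest first
IMPACT = ["Harmless", "Mild", "Harmful", "Severe"]   # ordinal, lowest first

# Rows: probability, columns: impact, as on the "Risk Quantification" slide.
RISK_MATRIX = {
    "Low":    {"Mild": "Trivial",   "Harmful": "Tolerable", "Severe": "Moderate"},
    "Medium": {"Mild": "Tolerable", "Harmful": "Moderate",  "Severe": "Important"},
    "High":   {"Mild": "Moderate",  "Harmful": "Important", "Severe": "Intolerable"},
}

# Action attached to each rating on the "Risk Evaluation" slide.
ACTIONS = {
    "Trivial": "no specific action required",
    "Tolerable": "low-cost improvements, regular checks",
    "Moderate": "make efforts to reduce the risk",
    "Important": "do not start a new service; prioritize the fix if already running",
    "Intolerable": "stop the service immediately",
}


def risk_level(probability, impact):
    """Matrix lookup. The slide matrix omits Null probability and Harmless
    impact; this example treats either as Trivial (assumption, not from the deck)."""
    if probability not in PROBABILITY or impact not in IMPACT:
        raise ValueError(f"unknown level: {probability!r} x {impact!r}")
    if probability == "Null" or impact == "Harmless":
        return "Trivial"
    return RISK_MATRIX[probability][impact]


def check_case(case):
    """Return a list of findings; an empty list means the table is self-consistent.

    Checks that the stated initial/final risk match the matrix, and that for
    probability and impact the net direction of the measure arrows is not
    contradicted by how the level moved: arrows may point down without the
    level dropping a band, but a level must not move against the arrows or
    move when no arrow points anywhere."""
    findings = []
    for stage in ("initial", "final"):
        computed = risk_level(*case[stage])
        stated = case[f"{stage}_risk"]
        if computed != stated:
            findings.append(f"{stage} risk should be {computed}, table says {stated}")
    for name, scale, col in (("probability", PROBABILITY, 0), ("impact", IMPACT, 1)):
        arrows = "".join(measure[1 + col] for measure in case["measures"])
        net = arrows.count("↑") - arrows.count("↓")
        moved = scale.index(case["final"][col]) - scale.index(case["initial"][col])
        if net * moved < 0 or (net == 0 and moved != 0):
            findings.append(f"{name} moved {moved:+d} band(s) but the arrows sum to {net:+d}")
    return findings


# The three mailing-list examples as they appear on the slides.
# Each measure: (description, effect on probability, effect on consequences).
EXAMPLES = {
    "Illegal Contents": {
        "initial": ("High", "Harmful"), "initial_risk": "Important",
        "measures": [
            ("Identification and authentication of participants", "↓", "="),
            ("Moderation based on user's reputation", "↓", "="),
            ("Automatic filtering of contents", "↓", "="),
            ("Removal of the message", "=", "↓"),
            ("Warnings from other users", "=", "↓"),
        ],
        "final": ("Medium", "Mild"), "final_risk": "Moderate",
    },
    "SPAM": {
        "initial": ("High", "Mild"), "initial_risk": "Moderate",
        "measures": [
            ("Identification and authentication of participants", "↓", "="),
            ("Moderation based on user's reputation", "↓", "="),
            ("Automatic anti-SPAM filtering", "↓↓", "="),
            ("Removal of the message", "=", "↓"),
            ("Warnings from other users", "=", "↓"),
        ],
        "final": ("Low", "Mild"), "final_risk": "Trivial",
    },
    "Low Participation": {
        "initial": ("High", "Mild"), "initial_risk": "Moderate",
        "measures": [
            ("Identification and authentication of participants", "↑", "="),
            ("Moderation based on user's reputation", "↑", "="),
            ("Motivate users for participation", "↓", "="),
            ("Provide interesting contents from the organization", "↓", "="),
            ("Publicize the list", "↓", "="),
        ],
        "final": ("Medium", "Mild"), "final_risk": "Tolerable",
    },
}


def review_all(cases=EXAMPLES):
    """Map each case name to its list of findings."""
    return {name: check_case(case) for name, case in cases.items()}


if __name__ == "__main__":
    for name, case in EXAMPLES.items():
        final = risk_level(*case["final"])
        print(f"{name}: {case['initial_risk']} -> {final} ({ACTIONS[final]})")
        for finding in check_case(case):
            print("  !", finding)
```

The direction rule is deliberately lenient in one direction: two measures lowering the impact of SPAM without the level leaving Mild is accepted, because the deck's matrix has no band below Mild, whereas a level that moves against its arrows, or moves with no arrows at all, is reported.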


Authors

Promoted and developed by:
− Gobierno del Principado de Asturias - http://www.asturias.es
− CTIC Centro Tecnológico - http://www.fundacionctic.org

Members of the Working Group, in Alphabetical Order:
− Eloy Braña Gundin (Principado de Asturias)
− Chus García (Fundación CTIC)
− Marc Garriga (Ayuntamiento de Barcelona)
− Raquel Gisbert (Ayuntamiento de Barcelona)
− Mª Carmen Herrera (Principado de Asturias)
− Dolors Pou (Xperience Consulting)
− Andrés Ramos Gil de la Haza (Bardají & Honrado Abogados)
− José Luis Rodríguez (Principado de Asturias)
− Miriam Ruiz González (Fundación CTIC)

License

All the contents included in this work belong to Fundación CTIC and are protected by the intellectual and industrial property rights granted by law. Their use, reproduction, distribution, public communication, availability, processing or any other similar or analogous activity is totally prohibited, except in the cases that are explicitly allowed by the license under which it is published. Fundación CTIC reserves the right to pursue legal action as appropriate against those who violate or infringe its intellectual and/or industrial property rights.

This work is published under a Creative Commons license Attribution-ShareAlike 3.0 (CC-by-sa 3.0).

To read the text of this license, visit http://creativecommons.org/licenses/by-sa/3.0/