Use Case: Risk Management for Social Media
Gobierno del Principado de Asturias (Principality of Asturias State Government), Fundación CTIC (CTIC Foundation), et al.
Internet services are moving towards a collaborative digital environment in which an important part of the information is generated and classified by the users themselves, extracted from other external sources, and at the same time exported to other external services. This new situation has proven to provide numerous advantages for all the parties involved, but it is at the same time the source of new risks for the organization, which are often quite difficult to evaluate and manage for those who have to take the decisions.
Currently, many eGovernment Web portals are using, or evaluating the possibility of using, collaborative Web 2.0 environments to increase and improve the involvement of citizens in government issues. However, this participation carries real risks arising from the diversity and plurality of the participants involved. As the contributions of the users increase in importance, new problems keep arising too, for example:
- Infringements of Intellectual Property Rights (IPR) due to users’ contributions.
- Licenses for the use of third-party services which might not be compatible with the one the organization is using.
- Risks associated with technical issues: virus propagation, malware, etc.
The initial target population are the people who have to design and operate collaborative services on the Web inside public administrations and other organizations of any kind, as well as those who have to decide whether or not to make those services available, and under which conditions.
Because of some of the issues described above, some public administrations decide to stop or delay their use or deployment of this kind of service. In other cases, administrations start offering this kind of service without having a contingency plan at hand that allows them to handle any serious problem that might arise.
The methodology developed by Gobierno del Principado de Asturias (Principality of Asturias State Government) allows Internet service managers to evaluate collaborative services on the Web systematically, in terms of the risks they generate for the organization and the measures to be taken to control those risks, based on widely used and reliable risk management methods. Taking into account the different consequences that the users' actions can have on the organization in different aspects (legal, economic, technical and damage to the image of the organization) and the probability that the danger will actually occur, the different risks can be evaluated, and different sets of control measures can be applied to them in order to keep them under control, with the final result that the organization is safe from damage caused by the non-controllable actions of users.
This risk management methodology, which can be applied to Web 2.0 services, takes into account:
- Kind of service
  - Mailing Lists
- Risks associated with each service
- Modality of service
  - Internal: usage of Web 2.0 services within the organization or offered by the organization itself (e.g. a blog within the Web site)
  - External: usage of Web 2.0 services from third parties (e.g. usage of an external photo gallery service)
The proposed methodology applies risk management theory to establish a flexible modular system in which measures can be planned to control the risks that appear due to users' input through collaborative Web 2.0 services, so that the organization always retains control over the risks it is assuming.
Potential risks are evaluated for every service, along with the probability of their occurring, the damage caused to the organization in the worst-case scenario (if the risk materializes), and the possible measures to remove the risks detected, or to keep them down to a reasonable level if they cannot be removed.
The government will then evaluate every risk for every Web 2.0 service by applying the methodology, and set the acceptance level to the desired one for each of those services.
The table below is a specific example showing the evaluation of an identified risk (infringement of Intellectual Property Rights (IPR)) for a specific service (a Photoblog), the measures to be taken to control the risk, and how those measures can vary the impact of the potential damage caused to the organization.
| Code | Control measure |
|------|-----------------|
| A01 | Identification of participants |
| A04 | Information to the users about conditions of use |
| A12 | Automatic filtering depending on the contents |
| A41 | Notifications from the members of the community |
| A42 | Private notifications from a user |
| A43 | Removal of the content |
For example, the first row indicates that the stronger the identification of the users, the less probable an IPR infringement becomes (e.g. someone uploading a photo in breach of its copyright license), although the damage stays the same (i.e. the photo is displayed on the blog anyway until someone detects the infringement).
Once all the risks identified for the Photoblog service are evaluated, the government will decide the tolerance level for the Photoblog service.
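The following is an added worked example, not part of the use case document or the Asturias methodology itself: a small risk register for the Photoblog IPR risk in which each control measure scales the probability or the per-dimension damage, and the residual score is compared against the tolerance level the government sets for the service. Only A01's effect (lower probability, unchanged damage) comes from the text; the inherent values and every other factor are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Measure:
    code: str
    description: str
    prob_factor: float = 1.0                           # multiplies probability
    damage_factor: dict = field(default_factory=dict)  # per-dimension multiplier


# Constructed (assumed) effects of the page's control measures for the
# Photoblog/IPR risk. Only A01's effect (lower probability, unchanged damage)
# is stated on the page; the other factors are illustrative placeholders.
MEASURES = {
    "A01": Measure("A01", "Identification of participants", prob_factor=0.5),
    "A04": Measure("A04", "Information to users about conditions of use", prob_factor=0.8),
    "A12": Measure("A12", "Automatic filtering depending on the contents", prob_factor=0.6),
    "A41": Measure("A41", "Notifications from members of the community",
                   damage_factor={"legal": 0.7, "image": 0.7}),
    "A42": Measure("A42", "Private notifications from a user",
                   damage_factor={"legal": 0.8, "image": 0.8}),
    "A43": Measure("A43", "Removal of the content",
                   damage_factor={"legal": 0.4, "image": 0.5}),
}


def residual_risk(probability, damage, codes):
    """Apply the chosen measures to an inherent risk (probability 0..1, worst-case
    damage per dimension 0..1). Returns (probability, damage, score), where
    score = probability x worst damage across the legal/economic/technical/image
    dimensions, the likelihood-times-impact product used by common methods."""
    damage = dict(damage)  # copy so the inherent values are not mutated
    for code in codes:
        m = MEASURES[code]
        probability *= m.prob_factor
        for dim, factor in m.damage_factor.items():
            damage[dim] *= factor
    return probability, damage, probability * max(damage.values())


def within_tolerance(probability, damage, codes, tolerance):
    """True when the selected measures bring the risk under the acceptance level."""
    return residual_risk(probability, damage, codes)[2] <= tolerance


# Constructed inherent values for the Photoblog IPR infringement risk.
PHOTOBLOG_IPR = (0.8, {"legal": 0.9, "economic": 0.5, "technical": 0.1, "image": 0.8})

if __name__ == "__main__":
    for chosen in ([], ["A01"], ["A01", "A04", "A43"]):
        p, d, s = residual_risk(*PHOTOBLOG_IPR, chosen)
        print(chosen, round(p, 2), round(s, 2), within_tolerance(*PHOTOBLOG_IPR, chosen, 0.2))
```

With A01 alone the probability halves while the legal damage stays at its inherent value, mirroring the first row of the table; adding a damage-reducing measure such as A43 is what brings the score under the 0.2 tolerance.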
This methodology can be applied to every collaborative service on the Web, independently of the software it is implemented on.
Identified problems or limitations
Ideally, the method should be applied to every service, as the risk evaluation depends on different aspects of its environment, such as the kind of users or topics involved. Even though this would be the optimal situation, it might mean an undesired workload, and the organization might prefer to rely on service templates based on this system, evaluating general reference services instead of the real ones.
- Staff Contributions Guidelines (New Zealand State Services Commission)
- Principles for participation online (UK Civil Service)