Under the umbrella of “do we worry too much about safety”, I’ve realized I need a framework to categorize the worry bits. In the absence of a framework, safety covers too broad and diverse a set of topics. There are some worry-bits that are worth worrying about, and some that can be addressed with information and education. A framework might be similar to the UK version offered by Josie Fraser that assesses risk according to contact, content and commerce.
But that may be more one-dimensional than I’m contemplating? (I’d love more info.) There are various perspectives or views – safety for the user, safe practice by the user, safety of the site, safety of the technology/system from intrusion. It’s about performing a threat/risk analysis.
So I’ve looked at the models from the ISO/IEC 27002 standard (security of information systems) that discusses a methodology using assessment of Threats, Vulnerabilities, and Controls. (See Wikipedia or Security Risk Analysis for more information.) There may be value in a 2-dimensional model that assesses Threats, Vulnerabilities and Controls not just from the system perspective but also from the different perspectives of user, internal technology/system (e.g., the school district), and external website/service. And is there a third dimension that assesses maturity or experience as these relate to risk?
Is anyone aware of a framework or model that organizes these worry-bits? Any experience with extending the traditional qualitative risk analysis methodology to other dimensions?