Defining Safety (and security)

Under the umbrella of “do we worry too much about safety”, I’ve realized I need a framework to categorize the worry bits.  In the absence of a framework, safety covers too broad and diverse a set of topics.  There are some worry-bits that are worth worrying about, and some that can be addressed with information and education.  A framework might be similar to the UK version offered by Josie Fraser that assesses risk according to contact, content and commerce.  

But that may more one-dimensional than I’m contemplating? (I’d love more info.)  There are various perspectives or views – safety for the user, safe practice by the user, safety of the site, safety of the technology/system from intrusion.  It’s about performing a threat/risk analysis. 

So I’ve looked at the models from the ISO/IEC 27002 standard (security of information systems) that discusses a methodology using assessment of Threats, Vulnerabilities, and Controls.  (See Wikipedia or Security Risk Analysis for more information.) There may be value in a 2-dimensional model that assesses Threats, Vulnerabilities and Controls not just from the system perspective but also from the different perspectives of user, internal technology/system (eg the school district), and external website/service. And is there a third dimension that assesses maturity or experience as these relate to risk?

Is anyone aware of a framework or model that organizes these worry-bits?  Any experience with extending the traditional qualitative risk analysis methodology to other dimensions?

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: