1. Policies of the Use of Citizen Participative Services
in the Context of Public Administrations
Risk Management
in
Participative Web
Miriam Ruiz - Fundación CTIC
miriam.ruiz@fundacionctic.org

2. Index
Introduction and Global View
Services
Methodology
Dangers
Risk Control
Examples

3. Introduction

4. The Future of the Web
●
Web 1.0: People connecting to the Web for
Information: Unidirectional from the editors to
the readers.
●
Web 2.0: People connecting to People: social
networks, wikis, colaboration, possibility of
sharing.
●
Web 3.0: Web applications connecting to other
web applications to enrich people's experience.

5. Advantages of Web 2.0
●
Provides a meeting point for all agents involved in the
smooth running of society
●
Information sharing: knowledge, experiences, suggestions
or complaints
●
Active collaboration and greater protagonism and
involvement of citizens
●
Vehicle for providing new ideas to the Public
Administration
●
Collective generation and gathering of knowledge
●
More transparency in the Public Administration
●
Continuous improvement of public services

6. Global View

7. Goals
●
Develop a methodology to extract the maximum
benefit of the web 2.0 paradigm, minimizing its
risks
●
Have a knowledge as accurate as possible of the web
2.0 phenomenon and its consequences
●
Obtain the highest signal/noise ratio possible from
the information generated in a decentralized way
●
Systematize the design of new web 2.0 services

8. Participants
●
Internal Staff: Contractual Relationship, indefinite
stay
●
Hired Staff: Contractual Relationship, temporary stay
●
External People: No contractual relationship, they use
the services provided
●
Outsiders: No kind of relationship established
●
Anonymous People: Unidentified

9. Identification Level
●
Absolute identification by direct means: ID
Card, Passport or similar.
●
Absolute identification by indirect means:
Telephone number or similar.
●
Weak identification (pseudonym): Alias, e-mail,
OpenID or similar.
●
Anonymous participation: There is nothing that
can identify the person

10. Authentication Level
●
Biometric means: Biological Data
●
Safe Network: Connection from a controlled
Network (Intranet)
●
Strong Authentication: e-ID, digital signature, etc.
●
Intermediate Authentication: Private secret data
●
Weak Authentication: Password
●
No Authentication: No authentication

11. Services

12. Services

Collective generation of information:
− Blogs or Weblogs

Other options: Microblogs or nanoblogs,
photoblogs, videoblogs or vblogs
− Discussion boards
− Mailing lists
− Wikis
− Survey
− Comments
− Contests

13. Services

Multimedia Contents (photos, audio, video,
flash, etc.):
− Photo Album or gallery
− Podcast
− Video Podcast, Vidcast or Vodcast

Collective Classification of Contents:
− Evaluation
− Tags, folksonomies and tag clouds
− Classification systems based on reputation

14. Services

Information Export:
− Content syndication (RSS, Atom)
− Publishing of information in semantic formats
(RDF, RDFa)
− Open APIs

Content Integration:
− Blog aggregators, planets or metablogs
− Mashups or hybrid web applications

15. Services

Relationships between people:
− Chat or cybertalk

Instant Messaging

Web Conferences

Audio and Video Conferences

Virtual Worlds
− Social Networks

Commercial or Economical Exchanges

16. Methodology

17. Risk Management Process

Definition of the Global Strategy

Risk Identification

Initial Risk Evaluation

Planification of measures to reduce the risks

New Risk Evaluation

Risk Control (application of planned measures)

Data Collection

Periodic Review

18. Risk Management Process
Global
Strategy
Data
Collection Risk
Identification
Risk
Control Initial Risk
Evaluation
Final Risk
Evaluation Definition of
Measures to
Control the Risks

19. Risk Calculation
Risk = Probability x Impact

20. Quantification of the Probability

High: The hazardous event will happen
regularly

Medium: The hazardous event will happen from
time to time

Low: The hazardous event will occur rarely

Null: It's extremelly unlikely for the dangerous
event to occur

21. Quantification of the Impact

Severe or extremely harmful event: The
damage would be very important if the
dangerous event happened

Serious or harmful event: The damage would
be considerable

Mild or slightly harmful event: The damage
would not be too important

Harmless: There would be almost no damage
even when the incident occurred

22. Risk Quantification
Co nseq uences (impact)
M ild Ha rm ful Severe
Probability
Low Trivial Tolerable Moderate
(danger) M edum Tolerable Moderate Important
Hig h Moderate Important Intolerable

23. Risk Evaluation
Risk = Probability x Impact

T: Trivial (No specific actions are required)

TO: Tolerable (Improvements that do not imply a big
cost. Regular checks)

MO: Moderate (Efforts to reduce risk)

I: Important (A new service shall not be started.
Prioritize the solution of the problem if the service is
already running)

IN: Intolerable (Stop the service inmediately)

24. Dangers

25. Dangers

R01: Violation of personal privacy, honor or self-image of people

R02: Revelation and disclosure of secrets or confidential information

R03: Illegal contents or illegal advocacy of crime

R04: Undesired contents or advocacy of undesired activities

R05: Exchanges of attacks or insults

R06: Threats

R07: Continuous psychological harassment

R08: Sexual harassment

R11: Use of the platform for personal or business promotion

R12: Negative advertisement or destructive or negative participation

R13: Irrelevant matters or unrelated to the topic being treated (off-
topic)

26. Dangers

R14: Low quality of the contributions

R15: Spreading rumors and false information

R16: Loss of confidence in the service

R17: Loss of credibility of the institution

R18: Forced participation of third parties

R21: Violation of protection rights of personal data

R22: Infringement of intellectual property rights of third persons

R23: Impersonation

R24: Violation of the protection rights of minors

R25: Fraud

R26: Deception or phishing

27. Dangers

R31: SPAM or unsolicited massive messages

R32: Sabotage: malware, virus, trojans, spyware,...

R33: Massive subscription

R34: Massive theft of personal data

R35: Accesibility problems

R41: Low participation

R42: Massive use of the service (“die of success”)

R43: Biased participation or restricted to a part of the population

R44: Emergency of power groups

R51: Inappropriate use in external information services

28. Consequences

Legal: Legal action that could be taken against the
organization due to contents published by third persons

Mediatic or Image-related: Potential impact on the media
of the contents published in the collaborative services

Economical: Financial or monetary consequences that
may affect the organization

Technical: Potential problems of a technical nature that,
involuntarily or on purpose, may be caused by other
people with their participation

Social: Related to the inherent quality of the service for
users

29. Risk Control

30. Proactive or preventive measures

Definition and information of the conditions of use of the services

Information and appropriate management of personal data

Terms of licensing of the information and published contents

Adequate information to the users of the services

Training the staff of the organization

Collaboration with copyright management organizations

Limiting the involvement of minors

Moderation prior to publication of contents provided by third parties

Automatic filtering based on the format or the content

Use of captchas (semantic or accesible)

Identification and authentication of participants

Restrictions on access to the contents or to participation

Dinamization and motivation from within the community

Proper planning of the starting up of the services

31. Reactive or corrective measures

Removal or modification of already published content

Direct participation in the service by the organization

Collective moderation by the community itself

Canceling of user accounts

Denial of access to a service

Definition of contingency plans

Notification or formal complaints to competent authorities

32. Supervision or monitoring

Active surveillance of published contents by the organization

Warning system to allow the community itself to alert of problems

Availability of an email account for personalized alerts

Active surveillance of impact and contents reuse in external services

Automated mechanisms for review of the published contents

33. Examples (mailing lists)

34. Example: Illegal Contents
Initial Probability (danger) Initial Consequences (damage) Initial Risk
High Harmful Important
Proba- Conse-
Measures Taken
bility quences
Identification and authentication of participants ↓ =
Moderation based on user's reputation ↓ =
Automatic filtering of contents ↓ =
Removal of the message = ↓
Warnings from other users = ↓
Final Probability (danger) Final Consequences (damage) Final Risk
Medium Mild Moderate

35. Example: SPAM
Initial Probability (danger) Initial Impact (damage) Initial Risk
High Mild Moderate
Proba- Conse-
Measures Taken
bility quences
Identification and authentication of participants ↓ =
Moderation based on user's reputation ↓ =
Automatic anti-SPAM filtering ↓↓ =
Removal of the message = ↓
Warnings from other users = ↓
Final Probability (danger) Final Impact (damage) Final Risk
Low Mild Trivial

36. Example: Low Participation
Initial Probability (danger) Initial Consequences (damage) Initial Risk
High Mild Moderate
Proba- Conse-
Measures Taken
bility quences
Identification and authentication of participant ↑ =
Moderation based on user's reputation ↑ =
Motivate users for participation ↓ =
Provide interesting contents from the organization ↓ =
Publicize the list ↓ =
Final Probability (danger) Final Consequences (damage) Final Risk
Medium Mild Tolerable

37. Policies of the Use of Citizen Participative Services
in the Context of Public Administrations
Risk Management
in
Participative Web
Miriam Ruiz - Fundación CTIC
miriam.ruiz@fundacionctic.org

38. Authors

Promoted and developed by:
− Gobierno del Principado de Asturias - http://www.asturias.es
− CTIC Centro Tecnológico - http://www.fundacionctic.org

Members of the Working Group, in Alphabetical Order:
− Eloy Braña Gundin (Principado de Asturias)
− Chus García (Fundación CTIC)
− Marc Garriga (Ayuntamiento de Barcelona)
− Raquel Gisbert (Ayuntamiento de Barcelona)
− Mª Carmen Herrera (Principado de Asturias)
− Dolors Pou (Xperience Consulting)
− Andrés Ramos Gil de la Haza (Bardají & Honrado Abogados)
− José Luis Rodríguez (Principado de Asturias)
− Miriam Ruiz González (Fundación CTIC)

39. License
All the contents included in this work belong to Fundación CTIC and are
protected by the intellectual and industrial property rights granted by law.
Their use, reproduction, distribution, public communication, availability,
processing or any other similar or analogous activity is totally prohibited,
except in the cases that are explicitly allowed by the license under which
it is published. Fundación CTIC reserves the right to pursue legal action
as appropriate against those who violate or infringe their intellectual
property and / or industrial rights.
This work is published under a Creative Commons license
Attribution-ShareAlike 3.0
(CC-by-sa 3.0).
To read the text of this license, visit
http://creativecommons.org/licenses/by-sa/3.0/