Risk Assessment For Making Use Of Third Party Web 2.0 Services

Background

This briefing document provides advice for Web authors, developers and policy makers who are considering making use of Web 2.0 services which are hosted by external third party services. The document describes an approach to risk assessment and risk management which can allow the benefits of such services to be exploited, whilst minimising the risks and dangers of using such services.

Note that other examples of advice are also available [1] [2].

About Web 2.0 Services

This document covers use of third party Web services which can be used to provide additional functionality or services without requiring software to be installed locally. Such services include:

• Search facilities, such as Google University Search and Atomz.
• Social bookmarking services, such as del.icio.us.
• Wiki services, such as WetPaint.
• Usage analysis services, such Google Analytics and SiteMeter.
• Chat services such as Gabbly and ToxBox.

Advantages and Disadvantages

Advantages of using such services include:

• May not require scarce technical effort.
• Facilitates experimentation and testing.
• Enables a diversity of approaches to be taken.

Possible disadvantages of using such services include:

• Potential security and legal concerns e.g. copyright, data protection, etc.
• Potential for data loss or misuse.
• Reliance on third parties with whom there may be no contractual agreements.

Risk Management and Web 2.0

A number of risks associated with making use of Web 2.0 services are given below, together with an approach to managing the dangers of such risks.

Risk	Assessment	Management
Loss of service (e.g. company becomes bankrupt, closed down, ...)	Implications if service becomes unavailable. Likelihood of service unavailability.	Use for non-mission critical services. Have alternatives readily available. Use trusted services.
Data loss	Likelihood of data loss. Lack of export capabilities.	Evaluation of service. Non-critical use. Testing of export.
Performance problems. Unreliability of service.	Slow performance	Testing. Non-critical use.
Lack of interoperability.	Likelihood of application lock-in. Loss of integration and reuse of data.	Evaluation of integration and export capabilities.
Format changes	New formats may not be stable.	Plan for migration or use on a small-scale.
User issues	User views on services.	Gain feedback.

Note that in addition to risk assessment of Web 2.0 services, there is also a need to assess the risks of failing to provide such services.

Example of a Risk Management Approach

A risk management approach [3] was taken to use of various Web 2.0 services on the Institutional Web Management Workshop 2006 Web site.

Use of established services:

Google and Google Analytics are used to provide searching and usage reports.

Alternatives available:

Web server log files can still be analysed if the hosted usage analysis services become unavailable.

Management of services:

Interfaces to various services were managed to allow them to be easily changed or withdrawn.

User Engagement:

Users are warned of possible dangers and invited to engage in a pilot study.

Learning:

Learning may be regarded as the aim, not provision of long term service.

References

1. Checklist for assessing third-party IT services, University of Oxford,
   <http://www.oucs.ox.ac.uk/internal/3rdparty/checklist.xml>
2. Guidelines for Using External Services, University of Edinburgh,
   <https://www.wiki.ed.ac.uk/download/attachments/8716376/GuidelinesForUsingExternalWeb2.0Services-20080801.pdf?version=1>
3. Risk Assessment, IWMW 2006, UKOLN,
   <http://www.ukoln.ac.uk/web-focus/events/workshops/webmaster-2006/risk-assessment/>