Glossary for DoCRA Terms and definitions.
The Standard uses terms that are defined as:
Appropriate risk: Risk that, as evaluated and stated, would appear to an organization, its interested parties, and authorities as acceptably low.
Assessing organizations: Organizations that analyze risks that they may pose to others.
Authorities: Usually regulators or judges who may evaluate reasonableness of safeguards as compared to harm to others and may impose penalties as a result of their evaluation.
Due care: A degree of protection that a reasonable person applies to protect others from harm.
Duty of care: The responsibility of one party to prevent harm to others.
Duty of Care Risk Analysis: Describes processes for evaluating risks and their safeguards so that the resulting analysis is easily communicated to and accepted by authorities – such as regulators and judges – and to other parties who may be harmed by those risks.
Impact: The magnitude of harm that may be suffered by any party as a result of a threat. Can be stated qualitatively and quantitatively.
Interested parties: Individuals or organizations that may benefit by engaging in risk or that may be harmed if risk is realized.
Likelihood: The frequency, commonality, or foreseeability of a threat creating an impact. Can be stated qualitatively and quantitatively.
Reasonable Person: Someone who thinks through the likelihood and impact of threats that might create harm and designs safeguards that are not more burdensome than those risks.
Reasonable safeguards: Protections against the foreseeability or magnitude of risks that do not pose a burden that is greater than the risk it protects against.
Risk Acceptance Criteria: The likelihood of an impact that the organization equates with appropriate risk.
Threat: An act or an omission that may create harm.
Vulnerability: A weakness or lack of a safeguard that may permit a threat to create harm.
*Sedona Conference Working Group 11, “Test for Reasonable Security Controls”