Created
June 4, 2025 21:51
-
-
Save kampar/da6e036e9f5e35284629274248ba5b5a to your computer and use it in GitHub Desktop.
Duty of Care Risk Analysis (DoCRA) - An Infographic, generated on 2025-06-05 by Google Gemini
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html lang="en"> | |
| <head> | |
| <meta charset="UTF-8"> | |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> | |
| <title>Duty of Care Risk Analysis (DoCRA) - An Infographic</title> | |
| <script src="https://cdn.tailwindcss.com"></script> | |
| <script src="https://cdn.jsdelivr.net/npm/chart.js"></script> | |
| <link rel="preconnect" href="https://fonts.googleapis.com"> | |
| <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> | |
| <link href="https://fonts.googleapis.com/css2?family=Poppins:wght@300;400;600;700&display=swap" rel="stylesheet"> | |
| <style> | |
| body { | |
| font-family: 'Poppins', sans-serif; | |
| } | |
| .chart-container { | |
| position: relative; | |
| width: 100%; | |
| max-width: 500px; | |
| margin-left: auto; | |
| margin-right: auto; | |
| height: 320px; | |
| max-height: 400px; | |
| } | |
| @media (min-width: 768px) { | |
| .chart-container { | |
| height: 400px; | |
| } | |
| } | |
| .flowchart-node { | |
| border: 2px solid #0a9396; | |
| background-color: white; | |
| color: #005f73; | |
| } | |
| .flowchart-arrow { | |
| color: #0a9396; | |
| font-weight: bold; | |
| } | |
| </style> | |
| </head> | |
| <body class="bg-gray-100 text-gray-800"> | |
| <header class="bg-[#005f73] text-white text-center p-8 shadow-lg"> | |
| <h1 class="text-4xl md:text-5xl font-bold mb-2">Duty of Care Risk Analysis (DoCRA)</h1> | |
| <p class="text-lg md:text-xl text-gray-200 max-w-3xl mx-auto">A modern, legally-grounded methodology for establishing "Reasonable Security" and managing enterprise risk.</p> | |
| </header> | |
| <main class="container mx-auto p-4 md:p-8"> | |
| <section id="introduction" class="mb-12"> | |
| <div class="bg-white rounded-lg shadow-xl p-8 text-center"> | |
| <h2 class="text-3xl font-bold text-[#005f73] mb-4">What is DoCRA?</h2> | |
| <p class="text-lg mb-6 max-w-4xl mx-auto">The Duty of Care Risk Analysis (DoCRA) standard provides a structured process for evaluating risks and safeguards, ensuring the analysis is communicable to authorities and all parties potentially harmed. It balances the burden of safeguards against the organization's mission while considering the interests of all stakeholders, moving beyond conventional, organization-centric risk models.</p> | |
| <div class="grid grid-cols-1 md:grid-cols-3 gap-6"> | |
| <div class="bg-gray-50 p-6 rounded-lg border border-gray-200"> | |
| <div class="text-5xl mb-2">🛡️</div> | |
| <h3 class="text-xl font-semibold text-[#0a9396]">Legally Defensible</h3> | |
| <p class="text-gray-600 mt-2">Aligns with judicial "balancing tests" to demonstrate due care and reasonableness in security decisions.</p> | |
| </div> | |
| <div class="bg-gray-50 p-6 rounded-lg border border-gray-200"> | |
| <div class="text-5xl mb-2">🤝</div> | |
| <h3 class="text-xl font-semibold text-[#0a9396]">Stakeholder-Centric</h3> | |
| <p class="text-gray-600 mt-2">Considers harm to all potentially affected parties, including customers, employees, and the public.</p> | |
| </div> | |
| <div class="bg-gray-50 p-6 rounded-lg border border-gray-200"> | |
| <div class="text-5xl mb-2">⚖️</div> | |
| <h3 class="text-xl font-semibold text-[#0a9396]">Proportional Controls</h3> | |
| <p class="text-gray-600 mt-2">Ensures safeguards are not more burdensome than the risks they are intended to mitigate.</p> | |
| </div> | |
| </div> | |
| </div> | |
| </section> | |
| <section id="pillars" class="mb-12"> | |
| <h2 class="text-3xl font-bold text-center text-[#005f73] mb-8">The Three Foundational Pillars of DoCRA</h2> | |
| <div class="grid grid-cols-1 md:grid-cols-3 gap-8 text-center"> | |
| <div class="bg-white rounded-lg shadow-lg p-6 transform hover:scale-105 transition-transform duration-300"> | |
| <div class="text-6xl text-[#ee9b00] mb-4">1</div> | |
| <h3 class="text-2xl font-bold text-[#005f73] mb-3">Consider All Parties</h3> | |
| <p class="text-gray-700">Risk analysis must comprehensively evaluate the foreseeability and magnitude of potential harm that any party might experience, looking beyond the organization to customers, partners, and the public.</p> | |
| </div> | |
| <div class="bg-white rounded-lg shadow-lg p-6 transform hover:scale-105 transition-transform duration-300"> | |
| <div class="text-6xl text-[#ca6702] mb-4">2</div> | |
| <h3 class="text-2xl font-bold text-[#005f73] mb-3">Reduce Risk Appropriately</h3> | |
| <p class="text-gray-700">Risks must be reduced to a level that a "reasonable person" would find appropriate. This includes authorities, regulators, and those who might be impacted by the residual risk.</p> | |
| </div> | |
| <div class="bg-white rounded-lg shadow-lg p-6 transform hover:scale-105 transition-transform duration-300"> | |
| <div class="text-6xl text-[#ae2012] mb-4">3</div> | |
| <h3 class="text-2xl font-bold text-[#005f73] mb-3">Balance the Burden</h3> | |
| <p class="text-gray-700">Safeguards must not be more burdensome—financially, operationally, or otherwise—than the risks they protect against, ensuring a proportional and reasonable security posture.</p> | |
| </div> | |
| </div> | |
| </section> | |
| <section id="process" class="mb-12"> | |
| <div class="bg-white rounded-lg shadow-xl p-8"> | |
| <h2 class="text-3xl font-bold text-center text-[#005f73] mb-4">Operationalizing DoCRA: A Practical Workflow</h2> | |
| <p class="text-lg text-center text-gray-600 max-w-3xl mx-auto mb-8">DoCRA principles are not just theoretical. They are operationalized through practical frameworks like the Center for Internet Security Risk Assessment Method (CIS RAM), which guides the implementation of tangible security controls.</p> | |
| <div class="flex flex-col items-center justify-center space-y-4"> | |
| <div class="flowchart-node w-full max-w-md p-4 rounded-lg text-center shadow"> | |
| <h4 class="font-bold text-lg">DoCRA Principles</h4> | |
| <p class="text-sm">Define "Reasonable Security" through balancing tests.</p> | |
| </div> | |
| <div class="text-4xl flowchart-arrow">↓</div> | |
| <div class="flowchart-node w-full max-w-md p-4 rounded-lg text-center shadow"> | |
| <h4 class="font-bold text-lg">CIS Risk Assessment Method (RAM)</h4> | |
| <p class="text-sm">Provides the structured methodology to assess risk based on DoCRA.</p> | |
| </div> | |
| <div class="text-4xl flowchart-arrow">↓</div> | |
| <div class="flowchart-node w-full max-w-md p-4 rounded-lg text-center shadow"> | |
| <h4 class="font-bold text-lg">CIS Critical Security Controls</h4> | |
| <p class="text-sm">Actionable, prioritized safeguards are implemented based on the risk assessment.</p> | |
| </div> | |
| <div class="text-4xl flowchart-arrow">↓</div> | |
| <div class="bg-[#e9d8a6] text-[#9b2226] w-full max-w-md p-4 rounded-lg text-center shadow-inner"> | |
| <h4 class="font-bold text-lg">Legally Defensible & Optimized Security</h4> | |
| <p class="text-sm">The result is a security posture that is both effective and justifiable.</p> | |
| </div> | |
| </div> | |
| </div> | |
| </section> | |
| <section id="industries" class="mb-12"> | |
| <h2 class="text-3xl font-bold text-center text-[#005f73] mb-8">DoCRA Adoption & Application Across Industries</h2> | |
| <div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-4 gap-8"> | |
| <div class="bg-white rounded-lg shadow-lg p-6"> | |
| <h3 class="text-xl font-bold text-center text-[#0a9396] mb-4">Healthcare (HIPAA)</h3> | |
| <p class="text-gray-600 text-sm mb-4">Described as "HIPAA Risk Analysis 2.0," DoCRA moves beyond organizational impact to prioritize foreseeable harm to patients, improving safety and reducing liability.</p> | |
| <div class="chart-container"><canvas id="healthcareChart"></canvas></div> | |
| </div> | |
| <div class="bg-white rounded-lg shadow-lg p-6"> | |
| <h3 class="text-xl font-bold text-center text-[#0a9396] mb-4">Financial Services (SEC, NYDFS)</h3> | |
| <p class="text-gray-600 text-sm mb-4">Provides a defensible rationale for meeting "reasonableness" mandates, justifying controls, and balancing security with obligations to customers and the market.</p> | |
| <div class="chart-container"><canvas id="financeChart"></canvas></div> | |
| </div> | |
| <div class="bg-white rounded-lg shadow-lg p-6"> | |
| <h3 class="text-xl font-bold text-center text-[#0a9396] mb-4">Corporate Governance</h3> | |
| <p class="text-gray-600 text-sm mb-4">Empowers boards with a "universal translator" for cyber risk, aligning security decisions with strategic goals, risk appetite, and fiduciary duties.</p> | |
| <div class="chart-container"><canvas id="governanceChart"></canvas></div> | |
| </div> | |
| <div class="bg-white rounded-lg shadow-lg p-6"> | |
| <h3 class="text-xl font-bold text-center text-[#0a9396] mb-4">General Cybersecurity</h3> | |
| <p class="text-gray-600 text-sm mb-4">Translates technical vulnerabilities into business impacts, enabling CISOs to justify investments and build a proactive, legally sound security program.</p> | |
| <div class="chart-container"><canvas id="cyberChart"></canvas></div> | |
| </div> | |
| </div> | |
| </section> | |
| <section id="comparison" class="mb-12"> | |
| <div class="bg-white rounded-lg shadow-xl p-8"> | |
| <h2 class="text-3xl font-bold text-center text-[#005f73] mb-4">DoCRA in the Risk Management Landscape</h2> | |
| <p class="text-lg text-center text-gray-600 max-w-3xl mx-auto mb-8">While frameworks like NIST RMF, ISO 27005, and FAIR have their strengths, DoCRA provides a unique, legally-grounded perspective that focuses on external accountability and the equitable balancing of all stakeholder interests.</p> | |
| <div class="chart-container mx-auto" style="max-width: 600px;"><canvas id="comparisonChart"></canvas></div> | |
| </div> | |
| </section> | |
| <section id="practices" class="mb-12"> | |
| <div class="bg-white rounded-lg shadow-xl p-8"> | |
| <h2 class="text-3xl font-bold text-center text-[#005f73] mb-4">The 10 DoCRA Practices for Reasonable Security</h2> | |
| <p class="text-lg text-center text-gray-600 max-w-3xl mx-auto mb-8">The DoCRA Practice Checklist distills the standard into actionable practices that guide organizations in conducting a fair, thorough, and defensible risk analysis.</p> | |
| <ol class="list-decimal list-inside space-y-4 text-gray-700 max-w-4xl mx-auto"> | |
| <li class="bg-gray-50 p-3 rounded-md border-l-4 border-[#94d2bd]">Analyze likelihood and measurable impact for threats.</li> | |
| <li class="bg-gray-50 p-3 rounded-md border-l-4 border-[#94d2bd]">Use the same criteria to evaluate both risks and safeguards for valid comparison.</li> | |
| <li class="bg-gray-50 p-3 rounded-md border-l-4 border-[#94d2bd]">Include qualitative descriptions to ensure clear communication to all stakeholders.</li> | |
| <li class="bg-gray-50 p-3 rounded-md border-l-4 border-[#94d2bd]">Use quantitative calculation where possible to permit comparability.</li> | |
| <li class="bg-gray-50 p-3 rounded-md border-l-4 border-[#94d2bd]">Equate the magnitude of harm across different parties to ensure fairness.</li> | |
| <li class="bg-gray-50 p-3 rounded-md border-l-4 border-[#94d2bd]">Establish explicit boundaries between acceptable and unacceptable harm.</li> | |
| <li class="bg-gray-50 p-3 rounded-md border-l-4 border-[#94d2bd]">Address impact on the organization’s mission, objectives, and obligations.</li> | |
| <li class="bg-gray-50 p-3 rounded-md border-l-4 border-[#94d2bd]">Rely on a recognized standard of care for analyzing controls.</li> | |
| <li class="bg-gray-50 p-3 rounded-md border-l-4 border-[#94d2bd]">Use subject matter experts and evidence-based analysis.</li> | |
| <li class="bg-gray-50 p-3 rounded-md border-l-4 border-[#94d2bd]">Re-assess risks regularly to ensure ongoing due diligence.</li> | |
| </ol> | |
| </div> | |
| </section> | |
| </main> | |
| <footer class="bg-[#005f73] text-white text-center p-6 mt-8"> | |
| <p>This infographic provides a summary based on the Duty of Care Risk Analysis (DoCRA) standard.</p> | |
| <p class="text-sm text-gray-300">The DoCRA Standard is maintained by The DoCRA Council, a non-profit organization.</p> | |
| </footer> | |
| <script> | |
| (function() { | |
| const wrapLabel = (label, maxWidth) => { | |
| const words = label.split(' '); | |
| let lines = []; | |
| let currentLine = ''; | |
| words.forEach(word => { | |
| if ((currentLine + ' ' + word).trim().length > maxWidth && currentLine.length > 0) { | |
| lines.push(currentLine); | |
| currentLine = word; | |
| } else { | |
| currentLine = (currentLine + ' ' + word).trim(); | |
| } | |
| }); | |
| if (currentLine) { | |
| lines.push(currentLine); | |
| } | |
| return lines; | |
| }; | |
| const commonTooltipCallback = { | |
| plugins: { | |
| legend: { | |
| position: 'bottom', | |
| }, | |
| tooltip: { | |
| callbacks: { | |
| title: function(tooltipItems) { | |
| const item = tooltipItems[0]; | |
| let label = item.chart.data.labels[item.dataIndex]; | |
| if (Array.isArray(label)) { | |
| return label.join(' '); | |
| } | |
| return label; | |
| } | |
| } | |
| } | |
| } | |
| }; | |
| const palette = { | |
| blue: '#0a9396', | |
| teal: '#94d2bd', | |
| sand: '#e9d8a6', | |
| orange: '#ee9b00', | |
| darkOrange: '#ca6702', | |
| red: '#ae2012', | |
| darkBlue: '#005f73' | |
| }; | |
| const createDonutChart = (ctx, label, dataLabels, dataValues) => { | |
| new Chart(ctx, { | |
| type: 'doughnut', | |
| data: { | |
| labels: dataLabels, | |
| datasets: [{ | |
| label: label, | |
| data: dataValues, | |
| backgroundColor: [palette.blue, palette.sand, palette.darkOrange, palette.red], | |
| borderColor: '#fff', | |
| borderWidth: 2 | |
| }] | |
| }, | |
| options: { | |
| responsive: true, | |
| maintainAspectRatio: false, | |
| ...commonTooltipCallback | |
| } | |
| }); | |
| }; | |
| const healthcareCtx = document.getElementById('healthcareChart').getContext('2d'); | |
| createDonutChart(healthcareCtx, 'Healthcare Risk Focus', ['Patient Data Privacy', 'System Availability', 'Regulatory Fines', 'Patient Safety'], [45, 25, 20, 10]); | |
| const financeCtx = document.getElementById('financeChart').getContext('2d'); | |
| createDonutChart(financeCtx, 'Financial Services Risk Focus', ['Customer Asset Protection', 'Market Stability', 'Non-Public Information', 'Systemic Integrity'], [40, 30, 20, 10]); | |
| const governanceCtx = document.getElementById('governanceChart').getContext('2d'); | |
| createDonutChart(governanceCtx, 'Corporate Governance Focus', ['Strategic Alignment', 'Fiduciary Duty', 'Risk Appetite Definition', 'Business Value'], [35, 30, 25, 10]); | |
| const cyberCtx = document.getElementById('cyberChart').getContext('2d'); | |
| createDonutChart(cyberCtx, 'Cybersecurity Program Focus', ['Business Impact Analysis', 'Threat Intelligence', 'Vulnerability Management', 'Incident Response'], [30, 25, 25, 20]); | |
| const comparisonCtx = document.getElementById('comparisonChart').getContext('2d'); | |
| new Chart(comparisonCtx, { | |
| type: 'radar', | |
| data: { | |
| labels: [ | |
| 'Legal Defensibility', | |
| wrapLabel('Stakeholder Focus (External)', 16), | |
| 'Implementation Simplicity', | |
| 'Quantitative Rigor', | |
| wrapLabel('Business Impact Translation', 16) | |
| ], | |
| datasets: [{ | |
| label: 'DoCRA / CIS RAM', | |
| data: [9, 9, 7, 6, 9], | |
| backgroundColor: 'rgba(10, 147, 150, 0.2)', | |
| borderColor: 'rgba(10, 147, 150, 1)', | |
| pointBackgroundColor: 'rgba(10, 147, 150, 1)', | |
| borderWidth: 2 | |
| }, { | |
| label: 'NIST RMF', | |
| data: [6, 5, 4, 7, 6], | |
| backgroundColor: 'rgba(238, 155, 0, 0.2)', | |
| borderColor: 'rgba(238, 155, 0, 1)', | |
| pointBackgroundColor: 'rgba(238, 155, 0, 1)', | |
| borderWidth: 2 | |
| }, | |
| { | |
| label: 'FAIR', | |
| data: [4, 3, 5, 9, 8], | |
| backgroundColor: 'rgba(174, 32, 18, 0.2)', | |
| borderColor: 'rgba(174, 32, 18, 1)', | |
| pointBackgroundColor: 'rgba(174, 32, 18, 1)', | |
| borderWidth: 2 | |
| }] | |
| }, | |
| options: { | |
| responsive: true, | |
| maintainAspectRatio: false, | |
| scales: { | |
| r: { | |
| angleLines: { | |
| color: '#ccc' | |
| }, | |
| grid: { | |
| color: '#ddd' | |
| }, | |
| pointLabels: { | |
| font: { | |
| size: 12 | |
| }, | |
| color: '#333' | |
| }, | |
| ticks: { | |
| backdropColor: 'rgba(255, 255, 255, 0.75)', | |
| color: '#666' | |
| } | |
| } | |
| }, | |
| ...commonTooltipCallback | |
| } | |
| }); | |
| })(); | |
| </script> | |
| </body> | |
| </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment