Technology is increasingly being used by organisations to mediate social/business relationships and social/business transactions. While traditional models of impact assessment have focused on the loss of confidentiality, integrity and availability, we propose a new model based upon socio-technical systems thinking that places the people and the technology within an organisation’s business/functional context. Thus in performing risk management in a cyber security and safety context, a detailed picture of the impact that a security/safety incident can have on an organisation is developed. This in turn stimulates a more holistic view of the effectiveness, and appropriateness, of a counter measure.
 Lili Sun, R. P. Srivastava and T. J. Mock, “An Information Systems Security Risk Assessment Model under Dempster-Shafer Theory of Belief Functions,” Journal of Management Information Systems, Vol. 22, No. 4, 2006, pp. 109-142. doi:10.2753/MIS0742-1222220405
 K. Padayschee, “An Interpretive Study of Software Risk Management Perspectives, SAICSIT’02,” Proceedings of the 2002 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on Enablement Through Technology, 2002, Port Elizabeth, pp. 118-127.
 H. W. Lewis, et al., “Risk Assessment Review Group Report to the U.S. Nuclear Regulatory Commission,” National Technical Information Service, Technical Report, Alexandria, 1978. doi:10.2172/6489792
 C Feltus, “Strengthening Employee’s Responsibility to Enhance Governance of IT: COBIT RACI Chart Case Study,” Proceedings of the First ACM Workshop on Information Security Governance, New York, 9-13 November 2009, pp. 23-32. doi:10.1145/1655168.1655174