End-users have a very real contribution to make towards the evaluation of risks to the automated information systems which they use. Their knowledge and understanding of what might happen and how people may respond in reaction to a security breach is vital to the proper understanding of risk.
The objective of SEISMED (a Secure Environment for Information Systems in MEDicine) was to develop a consistent, harmonised framework for the security of medical data throughout Europe. The specific technical proposals of SEISMED are supported by a high level security policy which describes the underlying principles.
Part of the overall SEISMED process was the development of a relatively fast and simple method for understanding the risks faced by IT systems in a health care environment and the measures which could be taken to counter those risks. The relevant risks were identified from the results of risk analysis exercises carried out as part of the SEISMED project at a number of health care establishments across Europe. The risk analysis method proposed in this guideline has evolved from that work and is described in detail in the accompanying guideline “Guidelines on IT Security Risk Analysis for IT and Security Personnel”. A separate guideline is available for management.
All staff carry some measure of responsibility for security. With the assistance of this guideline, users will be able to examine their own environment and make an initial assessment of the risks involved with the operation of the information system they use. This could contribute directly to an improvement in the level of protection afforded to the system or may initiate further action by those with a more technical appreciation of the issues involved.
These guidelines explain the basic theory of risk analysis in terms of the consequences of failures in security combined with the likelihood of events which could bring about such failures. No one can afford to be complacent about the risks faced by their IT systems and the consequences for the organisation as a whole. Nor should they react blindly to possible problems of which they have an imperfect understanding. Risk analysis provides that proper understanding and improves the quality of decisions on what constitutes appropriate security.
A specific approach to risk analysis is described. The results will be a profile of risks across a range of issues and a package of countermeasures to meet those risks. Where there are insufficient resources to apply all those measures, at least in the first instance, users will need to discuss with management and other Health Care Professionals which risks should be met and to what extent, and which risks should be accepted. A detailed description of how users can contribute is given in this guideline.
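The two preceding paragraphs describe risk as the consequence of a security failure combined with the likelihood of the event that causes it, and the result of the exercise as a profile of risks plus a package of countermeasures that may have to be trimmed to the resources available. The following is an added illustration, not code from the SEISMED project or this guideline: it rates each issue on consequence and likelihood, ranks the profile, and then picks countermeasures against a budget, leaving any risk that cannot be treated as one to be discussed with management. The 1 to 5 scales, the multiplicative combination, the acceptance threshold, the greedy selection rule and all sample issues, costs and reductions are assumptions constructed for the example; the guideline does not fix them here.

```python
from dataclasses import dataclass, replace

# Assumed rating scale: 1 (negligible / rare) .. 5 (severe / almost certain).
SCALE = range(1, 6)


@dataclass(frozen=True)
class Issue:
    name: str
    consequence: int   # what happens if security fails
    likelihood: int    # how likely the triggering event is

    def __post_init__(self):
        # Reject ratings outside the assumed scale so a typo cannot silently
        # inflate or hide a risk.
        if self.consequence not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"{self.name}: ratings must be within 1..5")

    @property
    def risk(self) -> int:
        # Assumed combination rule: consequence x likelihood.
        return self.consequence * self.likelihood


@dataclass(frozen=True)
class Countermeasure:
    name: str
    issue: str                 # name of the Issue it addresses
    cost: int                  # constructed cost units
    likelihood_reduction: int  # likelihood points it removes (assumed effect)


def risk_profile(issues):
    """Rank issues from highest to lowest risk; ties keep input order."""
    return [(i.name, i.risk) for i in sorted(issues, key=lambda i: -i.risk)]


def select_countermeasures(issues, measures, budget, threshold):
    """Greedy selection: repeatedly take the affordable measure that buys the
    most risk reduction per unit cost for an issue still above the threshold.
    Returns (chosen measure names, residual profile, issues left above threshold)."""
    current = {i.name: i for i in issues}
    remaining = list(measures)
    chosen, spent = [], 0
    while True:
        best, best_ratio = None, 0.0
        for m in remaining:
            issue = current[m.issue]
            if issue.risk <= threshold or spent + m.cost > budget:
                continue  # already acceptable, or unaffordable
            new_likelihood = max(1, issue.likelihood - m.likelihood_reduction)
            reduction = issue.risk - issue.consequence * new_likelihood
            if reduction <= 0:
                continue
            ratio = reduction / m.cost
            if ratio > best_ratio:
                best, best_ratio = m, ratio
        if best is None:
            break
        issue = current[best.issue]
        current[best.issue] = replace(
            issue, likelihood=max(1, issue.likelihood - best.likelihood_reduction))
        chosen.append(best.name)
        spent += best.cost
        remaining.remove(best)
    residual = risk_profile(current.values())
    still_open = [name for name, r in residual if r > threshold]
    return chosen, residual, still_open


# Constructed sample data for a ward information system (not from the page).
ISSUES = [
    Issue("Unattended logged-in terminal on the ward", consequence=4, likelihood=5),
    Issue("Shared passwords among clinic staff", consequence=4, likelihood=4),
    Issue("Patient records printout left on printer", consequence=3, likelihood=4),
    Issue("Laptop holding patient data lost", consequence=5, likelihood=2),
    Issue("Server room flood", consequence=5, likelihood=1),
]
MEASURES = [
    Countermeasure("Automatic screen lock", "Unattended logged-in terminal on the ward", 2, 3),
    Countermeasure("Individual accounts and password training", "Shared passwords among clinic staff", 5, 3),
    Countermeasure("Secure print release", "Patient records printout left on printer", 4, 3),
    Countermeasure("Full-disk encryption on laptops", "Laptop holding patient data lost", 3, 1),
    Countermeasure("Raise server racks", "Server room flood", 6, 0),
]

if __name__ == "__main__":
    for name, r in risk_profile(ISSUES):
        print(f"{r:>3}  {name}")
    chosen, residual, still_open = select_countermeasures(ISSUES, MEASURES, budget=10, threshold=8)
    print("Chosen:", chosen)
    print("Residual:", residual)
    print("To discuss with management (still above threshold):", still_open)
```

Run stand-alone, the profile puts the unattended terminal first; with a budget of 10 units the selection takes the screen lock, the account and password measure and laptop encryption, and reports the printout issue as the one risk that the budget could not treat, which is exactly the point at which the guideline says users should go back to management to agree whether it is accepted or funded.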