Digital Benefits and Disbenefits Cornucopia
Digital Benefits and Disbenefits Cornucopia (DBD Cornucopia) is a practical tool for those who implement digitisation of government welfare benefit services. It uses gamification to assist the review of the whole or part of a system to identify how digitisation choices (things not defined explicitly in legislation and regulations) affect claimants adversely, and referred to as harms. It is technology agnostic, and can be used with many different methods of working e.g. during sprints, for test cases, at gateway reviews, in specifications, audit plan definition.
The cards include welfare benefit and UK-specific terminology. The deck could be adapted for different digitised welfare benefits, non social protection/social security e-government services, or for non UK jurisdictions.
Harms from Digital Design Discretion
The tool helps explore choices, which are discretionary decisions made during the implementation of e-government services.
The policy's legislation and regulations define requirements for the digitised service.
There will be a difference between the legislation and regulations with what is planned.
Some matters defined in the legislation and regulations will not be implemented (yet?).
The planned implementation will also create things that are not explicitly defined by the legislation and regulation,
many of which are implied (e.g. by convention) or implicit (e.g. by necessity), and may well be necessary.
Some will be the finer detail of methods, functions, features and constraints, left unspecified in the legislation and regulations.
The plan may exclude certain aspects from digitisation, or only plan partial digitisation; these constitute part of the design of what is implemented.
Also, as with all systems, what is deployed never exactly matches what was planned:
some intents are not completed (e.g. not implemented at all, implemented partially),
and the system does additional things that were not planned (e.g. implemented contrary to the regulations, implemented incorrectly, additional functionality created, consequential effects).
Numerous factors in life can affect claimants negatively.
Many are nothing to do with the service, but some harms (the "disbenefits") are defined in the legislation and regulations, some are the result of choices about the intended implementation and some arise only in the actual implementation.
Some harms manifest themselves in claimants' wider ecosystems that contribute to service access.
There will also be gains (the "benefits") for claimants such as receiving an award payment, learning a new skill, receiving coaching, or understanding more about how government works.
DBD Cornucopia only seeks to explore the digitisation related harms of a service
associated with choices made during implementation
(shown in the chart as red-filled area bounded by white line). The project purposely excluded three types of other adverse effects on claimants
which have been explored well by others:
1) negative effects defined in the legislation and regulations
(e.g. award levels, housing allowance rates, assessment criteria, conditionality regime, benefits cap, five-week wait, monthly payment cycle, two-child-limit);
2) negative effects related to the inherent nature of digital channels (e.g. device availability, internet access, ability to use software)
which would apply to all digital access; and
3) negative effects which already exist i.e. separate from the digitised service.
Multitudinous other harms can arise from choices made during digital implementation, inadvertently or otherwise. Harms include increased time, more effort, greater financial cost, loss of reputation, extra discrimination, additional mental stress, diminished knowledge, curtailed capacity, added neglect, loss of rights (and reductions in gains). The threats which lead to the harms, can be in parts of the service interacted with directly by claimants, but they can also arise in back end systems and processes, and for all of this in digitised parts and also in partly or non-digitised parts. The threats can also arise because something is not included in the digitised or non-digitised parts, because choosing not to automate something is still a choice.
The DBD Cornucopia tool intend to help explore, identify and encourage thinking about ways to treat these harms to lessen their burden on claimants. Harms affect individuals in different ways due to their situations and circumstances, or affect fewer or more claimants, or the harmful effects can arise indirectly in claimants' support networks and wider society.
DBD Cornucopia
Cornucopia is used to mean "an abundance"; in this case an abundance of threats which lead to harms. The tool is based on Colin Watson's well-established OWASP Cornucopia, which was originally created in 2012 to help software teams undertake application security threat modelling review, and is now widely-adopted. Likewise, the DBD Cornucopia tool is in the form of a deck of playing cards. Each card describes a threat from choices made during service implementation and has links to related information (the 19 design implications from the project, and almost 200 examples of harms which in turn are mapped to the 10 categories in the project's taxonomy of harms). The target of review must be selected: this might be part or all of an existing or planned e-government service, or a change. A group of those involved with the service and know it intimately play a card game with some or all of the deck (any game, but a trump trick-taking card game is described in the instruction leaflet). Each turn, the player has to consider the threat and identify how that might arise in the target of assessment. Thus, gradually all threats are reviewed as the game is played.
DBD Cornucopia is available in multiple formats, including all the source data and design files.
DBD CORNUCOPIA INSTRUCTION LEAFLET, 2024
DBD CORNUCOPIA ONLINE CARD DECK, 2024
DBD CORNUCOPIA CARD OF THE DAY, DAILY
DBD CORNUCOPIA SELF-PRINT CARD DECK, 2024
DBD CORNUCOPIA SOURCE DESIGN FILES, 2024
The daily cards in the RSS feed are also published on Mastodon at https://mastodon.social/@DBD_Cornucopia
Acknowledgements
Research Acknowledgements: See acknowledgements at the end of the project's home page.
Cornucopia Acknowledgements: The Elevation of Privilege (EoP) Threat Modelling Game developed by Adam Shostack and the Microsoft SDL Team was the inspiration to Colin Watson for the original OWASP Cornucopia. OWASP's card decks and information are open source and available at cornucopia.owasp.org; its past and present leaders and numerous other volunteers have continued to support and develop the game. DBD Cornucopia incorporates content and knowledge from the OWASP project, using the same game play, but different suits, threats, harms and reference materials.
Deck Packaging Acknowledgements: The first professionally printed OWASP deck was distributed in a box which resembled a pack of cigarettes labelled with health warnings. Acknowledging that idea and the domestic nature of the harms, the DBD Cornucopia box is presented in the style of a powdered laundry detergent package, based on the notion that reducing harms is, in some way, cleaning up the e-government service. Sometimes humour is also necessary to counteract harms, and fun can help awareness and encourage use.
Licensing
DBD Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar licence to this one.