To me it makes sense to send via GET to the page you are currently on.
That way you just hook into admin_init
and check for your GET variables.
As for security you can pass nonces via URLS: http://codex.wordpress.org/Function_Reference/wp_nonce_url