Triangulating the Views of Human and Non-Human Stakeholders in Information System Security Risk Assessment

The risk assessment methodologies that are portrayed in traditional information security management literature often do not scale into the multi-level stakeholder environment of corporate governance. This is because they focus on one type of stakeholder, the IT infrastructure. A risk assessment methodology that is to successfully operate in such an environment must have effective mechanisms of including and incorporating the risk perceptions of the different stakeholders. This does not mean that the traditional forms of information security risk assessment should be replaced; on the contrary they are extremely necessary. Rigorous IT infrastructure risk assessment is fundamental to good security management. However in environments where the operational processes for using the information are complex and dynamic, another aspect of risk, namely business or operational process security risk assessment needs to take place. Whilst this view of security risk assessment in itself is not a new concept and can be found as dominant aspects of security risk assessment methodologies such as Sherwood Applied Business Security Architecture (SABSA) and Facilitated Risk Analysis and Assessment Process (FRAAP), there has been little discussion as to how to include the operational process view without detracting from the technical IT asset view. This work considers how interaction between the stakeholders might take place and this short paper explores the different techniques to promote inclusiveness of the different stakeholder communities in the risk assessment process. The case studies that are used in this paper are the results of five years of field observations.