Mutual Influence of Management Processes of Stakeholders and Risk Management

in Cyber Security Environment

Jaromir PITAS
Department of Military Management and Tactics, University of Defence
Brno, Czech republic

and

Vladimir NEMEC
Department of Air Transport, Czech Technical University in Prague
Prague, Czech Republic

and

Radovan Sousek
Transport Technology Unit, University of Pardubice
Pardubice, Czech Republic

ABSTRACT
The objective of the stakeholders’ management is to find out
promoters who can significantly help us at problem solving in
cyber security environment (including those who must be
integrated into the risk management). On one side there is a
necessity to find opponents who can become partakers of
generated threat and who make an effort to prevent the set
objectives to be achieved/or to inflict a significant damage by
way of found vulnerabilities of critical assets (risk scenario).
Knowledge of the stake holders according to their interests,
objectives, influence on the objective set, and their knowledge
in the field of cyber management belong to the key knowledge
to be able define the attitude strategies towards stake holders in
cyber security environment. During further monitoring the
implementation of attitude strategy it is possible to assess the
success of realized activities towards stake holders.
Risk management of cyber security comes out from
identification and analyses of human resources assets
(stakeholders), that must be protected against the threat impacts
of cyber security. It also comes out from identification of
promoters who generate the threats of cyber security (stake
holders – opponents). After a risk judgment the stake holders
who are crucial from the point of controlling the risk
(implementation of proposed activities to control and monitor
risks) are identified.
business and their private lives. We, as stakeholders, use these
technologies to enter the cyber environment. This means,
however, that we also encounter the risks of the cyber
environment.
As well as we manage everyday risks connected to our daily
routines (e.g. driving a car or riding a bike) we have to
purposely manage the risks connected to information and
communication technologies (both from the supplier’s and
customer’s points of view). However, the problem of today is to
manage the right risks in an adequate way making use of active
participation of stakeholders that have corresponding abilities to
participate in risk management.
Companies should see risk management as a process that helps
create values for stakeholders using their own resources to
optimize costs towards the realizing value (creating added
value). On the other hand, organizations also have to know
those stakeholders that try to impede meeting the targets via
generated threats. That is why the stakeholder management
should be seen as a process that helps with the risk
management; thus create required value for stakeholders.
2. RISK MANAGEMENT AND STAKEHOLDER
MANAGEMENT PROCESSES

Keywords: Asset, Human resources, Risk management,
Stakeholder management, Supporter, Opponent, Process,
Threat.
1. INTRODUCTION
Information and communication technologies are currently
a part of all organizations. Management without these
technologies is virtually impossible. People (citizens, managers,
politicians) have become dependent on information and
communication infrastructure when managing the society,
The process of risk management consists of 5 sub-processes –
establishing the context, risk assessment, risk management,
monitoring and review, communication and consultation (see
Figure 1). Establishing the context as the first sub-process plays
an important role during the process of setting up the risk
management criteria based on understanding the specified goal,
defined activities and resources needed to achieve this goal.
Required outputs coming out of the process of establishing the
context include the list of participants (stakeholders –
opponents) and threats, the list of evaluated assets (including
human resources – stakeholders), critical factors and
vulnerability. The output from the risk assessment and risk
management analysis is a risk register or a risk managing plan.
These documents contain the risk owners and human resources
needed to manage the risks (stakeholders). Monitoring and
review sub-processes (parallel sub-process) is feedback, output
of which are updated documents coming out of the sub-
Figure 1 Risk management process (authors according to ISO 31000)
The goal of the risk management is to increase the probability
that set up goals will be achieved at all management levels,
create real bases for the decision making process, and
efficiently use the resources (also human resources) of the
organization to manage the risks with as minimum losses as
possible.
The risk management process description points out the relation
of stakeholders that directly participate in this process or are
influenced by this process (in both positive and negative ways)
processes of establishing the context, risk assessment and risk
management. Communication and consultation sub-processes
(parallel sub-process) serve as information transfer between
individual sub-processes. Both sub-processes are realized by
stakeholders. [1, 2]
and that can influence this process in both positive and negative
ways. [5]
The stakeholder management process includes the following
steps: establishing the context, success criteria and requirements
identification, stakeholder identification and levels of interest,
analyses and evaluation, strategy creation, monitoring of
changes (internal, external) and satisfaction of stakeholders.
Monitoring is a feedback step for incorporating identified
changes into individual steps (see Figure 2). Outputs of
individual steps are formulated in Figure 2.
 Figure 2 Stakeholder Management Process (own source)
Stakeholders identification and levels of their interest includes
searching people, interest groups, and organizations; their
sorting and classification. Goals and interests that are followed
by stakeholders are described within the stakeholder
identification.
Stakeholder analysis lies in identification of their knowledge of
the goal and ways to achieve it. Information concerning interest,
power and direction (supporter, opponent), stakeholders’
influence, relations among them (coalitions, opponents) is
analyzed. The stakeholder who has a high level of interest and
influence is assessed as a key one; then it is stated whether it is
a supporter or an opponent.
When analyzing, attention must be paid to those stakeholders
who do not have big influence but only big interest. Created
coalitions of stakeholders with a high level of interest and low
level of influence can cause a situation when the coalition
members become the key ones because their collective
influence can be big. Figure 3 demonstrates the influence of
creating coalitions between parts B, C (supporters) and E, F
(opponents). Creating a coalition of stakeholders with low
influence and high interest makes these stakeholders the ones
with high influence and interest. Such stakeholders must be
taken into account. The stakeholder analysis is rounded off by
their final judgment.
Figure 3 – Stakeholder coalition analysis (own source)
For all stakeholders, strategy creation is the last but one process
step in the stakeholder management process. An analysis of
stakeholders is a starting point for strategy creation against the
stakeholders. In a team there is usually a person responsible for
realization of the given strategy, monitoring of changes and
satisfaction of key stakeholders. Approach strategy towards
stakeholders can be divided into 5 basic groups: inform,
consult, include, cooperate and authorize. Approach strategy as
well as its content is chosen on the basis of interest, level of
influence, knowledge and abilities of the particular stakeholder.
The goal of stakeholder management in the process of risk
management is to find and efficiently use own human resources,
find those human resources that need to be protected from
threats. It is also necessary to find those stakeholders who have
the ability and intention to generate threats and who dispose of
corresponding power to use the threats (misuse existing
vulnerability). [3]
3. COMMON POINT WITHIN THE PROCESSES OF
STAKEHOLDER AND RISK MANAGEMENTS
In the process of risk management and stakeholder management
following common decision points have been identified:
a) Critical assets selected (establishing the context) /
identified and analyzed the necessary stakeholders to
implement activities to achieve the objectives (including
the owners of these assets),
b) Threats identified (establishing the context) / identified
and analyzed actors (stakeholders) who have the ability
and intention to generate threats,
c) Defined measures / goals are acceptable considering the
new assessment of risk level – shown in the risk profile
(risk managing) / identify and analyze stakeholders
needed to manage the risks by aggregating,
d) Unmanageable risk transfer (escalate) to the senior
manager (risk management) / identify and analyze
stakeholders needed to manage the risk by escalation,
e) Risk managing changed – senior manager’s decision
(based on aggregation of identical and dependent risks
into a unified risk profile) / identify and analyze
stakeholders needed to manage the risks by aggregating,
f) Risk owners identified and authority delegated to the
preparation or implementation of measures to manage
risks (risk managing) / identify and analyze stakeholders
needed to manage risk (risk owners).
The common decision points described above indicate the need
to implement the process of stakeholder management in two
cycles. After the risk escalation process there is another cycle of
the stakeholder management process at the level of a senior
manager. During the dependent risk aggregation the stakeholder
management process cycle is carried out twice because even the
process of risk management is carried out from the beginning
(context). [4]
Based on the analysis of both processes it is possible to create a
unified model of risk management and stakeholder management
processes (see Figure 4). The unified model works on the
analysis of common features of risk management and
stakeholder management processes. The model of the processes
(see Figure 4) is designed to achieve the desired goal in both
risk management as well as in stakeholder management.
 Figure 4 Unified process of risk management and stakeholder management (own source)

4. CONCLUSIONS 5. REFERENCES

Cyber security is not only technical means and information. [1] ČSN ISO/IEC 27005 - Informační technologie -
Cyber security is controlled by people (stakeholders) who Bezpečnostní techniky - Řízení rizik bezpečnosti
cooperate or try to make use of the vulnerability of assets to informací.
their own benefit (to achieve their own goals). These are the
[2] ČSN ISO/IEC 31000 - Management rizik – Principy a
people who control the technical means and create information
that is shared by them. Cyber security risk management thus směrnice.
cannot be realized independently on stakeholder management [3] GRASSEOVÁ, Monika et al. Efektivní rozhodování –
because people actively participate in this process and are analyzování, rozhodování, implementace a hodnocení.
influenced by it. 1st ed. Brno: Edika. 2013. ISBN 978-80-266-0179-1.
[4] HRŮZA, Petr et al. Kybernetická bezpečnost II. 1st ed.
The process of stakeholder management must be cyclically Brno: Univerzita obrany. 2013. ISBN 978-80-7231-931-2.
repeated. It is necessary to realize the first cycle of the
stakeholder management process in a sub-process of [5] SOUŠEK, R. et al. Doprava a krizový management.
establishing the context of risk management in order to Pardubice: IJP. 2010. ISBN 978-80-86530-64-2.
recognize own assets (human resources within an organization)
as well as assets outside an organization (customers,
subcontractors). The point is to recognize the stakeholders that
we need to achieve our goal (activities realization) and protect
them. These stakeholders can significantly help with risk
identification, analysis and generation of risk management
variants. As for the first cycle we have to focus on stakeholders’
identification – actors (identification of actors). Actors can
generate threats (ability and intention) and affect the
vulnerability of assets (make use of an opportunity).

The second cycle of the stakeholder management can be seen in

the sub-process of risk management. The purpose of this cycle
is to find suitable human resources necessary to risk managing
considering the choice of suitable strategy necessary to manage
the risks.

In the field of cyber security, recognition of assets (their

vulnerability) and actors (their ability to generate threats) is one
of the key points necessary to define measures that prevent
/reduce losses within an organization and their customers.