
Mutual Influence of Management Processes of Stakeholders and Risk Management in Cyber Security Environment

Jaromir PITAS
Department of Military Management and Tactics, University of Defence
Brno, Czech Republic

and

Vladimir NEMEC
Department of Air Transport, Czech Technical University in Prague
Prague, Czech Republic

and

Radovan Sousek
Transport Technology Unit, University of Pardubice
Pardubice, Czech Republic

ABSTRACT

The objective of the stakeholders’ management is to find out promoters who can significantly help us at problem solving in cyber security environment (including those who must be integrated into the risk management). On one side there is a necessity to find opponents who can become partakers of generated threat and who make an effort to prevent the set objectives to be achieved or to inflict a significant damage by way of found vulnerabilities of critical assets (risk scenario). Knowledge of the stakeholders according to their interests, objectives, influence on the objective set, and their knowledge in the field of cyber management belong to the key knowledge to be able to define the attitude strategies towards stakeholders in cyber security environment. During further monitoring the implementation of attitude strategy it is possible to assess the success of realized activities towards stakeholders.

Risk management of cyber security comes out from identification and analyses of human resources assets (stakeholders) that must be protected against the threat impacts of cyber security. It also comes out from identification of promoters who generate the threats of cyber security (stakeholders – opponents). After a risk judgment the stakeholders who are crucial from the point of controlling the risk (implementation of proposed activities to control and monitor risks) are identified.

Keywords: Asset, Human resources, Risk management, Stakeholder management, Supporter, Opponent, Process, Threat.

1. INTRODUCTION

Information and communication technologies are currently a part of all organizations. Management without these technologies is virtually impossible. People (citizens, managers, politicians) have become dependent on information and communication infrastructure when managing the society, business and their private lives. We, as stakeholders, use these technologies to enter the cyber environment. This means, however, that we also encounter the risks of the cyber environment.

Just as we manage everyday risks connected to our daily routines (e.g. driving a car or riding a bike), we have to purposely manage the risks connected to information and communication technologies (both from the supplier’s and customer’s points of view). However, the problem of today is to manage the right risks in an adequate way making use of active participation of stakeholders that have corresponding abilities to participate in risk management.

Companies should see risk management as a process that helps create values for stakeholders using their own resources to optimize costs towards the realizing value (creating added value). On the other hand, organizations also have to know those stakeholders that try to impede meeting the targets via generated threats. That is why the stakeholder management should be seen as a process that helps with the risk management and thus creates the required value for stakeholders.

2. RISK MANAGEMENT AND STAKEHOLDER MANAGEMENT PROCESSES

The process of risk management consists of 5 sub-processes – establishing the context, risk assessment, risk management, monitoring and review, communication and consultation (see Figure 1). Establishing the context as the first sub-process plays an important role during the process of setting up the risk management criteria based on understanding the specified goal, defined activities and resources needed to achieve this goal. Required outputs coming out of the process of establishing the context include the list of participants (stakeholders – opponents) and threats, the list of evaluated assets (including human resources – stakeholders), critical factors and vulnerability. The output from the risk assessment and risk management analysis is a risk register or a risk managing plan. These documents contain the risk owners and human resources needed to manage the risks (stakeholders). The monitoring and review sub-process (a parallel sub-process) provides feedback, the output of which is updated documents coming out of the sub-processes of establishing the context, risk assessment and risk management. The communication and consultation sub-process (a parallel sub-process) serves as information transfer between individual sub-processes. Both sub-processes are realized by stakeholders. [1, 2]

Figure 1 Risk management process (authors according to ISO 31000)


The goal of the risk management is to increase the probability that set up goals will be achieved at all management levels, create real bases for the decision making process, and efficiently use the resources (also human resources) of the organization to manage the risks with as minimum losses as possible.

The risk management process description points out the relation of stakeholders that directly participate in this process or are influenced by this process (in both positive and negative ways) and that can influence this process in both positive and negative ways. [5]

The stakeholder management process includes the following steps: establishing the context, success criteria and requirements identification, stakeholder identification and levels of interest, analyses and evaluation, strategy creation, monitoring of changes (internal, external) and satisfaction of stakeholders. Monitoring is a feedback step for incorporating identified changes into individual steps (see Figure 2). Outputs of individual steps are formulated in Figure 2.
Figure 2 Stakeholder Management Process (own source)

Stakeholder identification and levels of their interest includes searching for people, interest groups, and organizations; their sorting and classification. Goals and interests that are followed by stakeholders are described within the stakeholder identification.

Stakeholder analysis lies in identification of their knowledge of the goal and ways to achieve it. Information concerning interest, power and direction (supporter, opponent), stakeholders’ influence, relations among them (coalitions, opponents) is analyzed. The stakeholder who has a high level of interest and influence is assessed as a key one; then it is stated whether it is a supporter or an opponent.

When analyzing, attention must be paid to those stakeholders who do not have big influence but only big interest. Created coalitions of stakeholders with a high level of interest and low level of influence can cause a situation when the coalition members become the key ones because their collective influence can be big. Figure 3 demonstrates the influence of creating coalitions between parts B, C (supporters) and E, F (opponents). Creating a coalition of stakeholders with low influence and high interest makes these stakeholders the ones with high influence and interest. Such stakeholders must be taken into account. The stakeholder analysis is rounded off by their final judgment.

Figure 3 – Stakeholder coalition analysis (own source)

For all stakeholders, strategy creation is the last but one process step in the stakeholder management process. An analysis of stakeholders is a starting point for strategy creation against the stakeholders. In a team there is usually a person responsible for realization of the given strategy, monitoring of changes and satisfaction of key stakeholders. Approach strategy towards stakeholders can be divided into 5 basic groups: inform, consult, include, cooperate and authorize. Approach strategy as well as its content is chosen on the basis of interest, level of influence, knowledge and abilities of the particular stakeholder.

The goal of stakeholder management in the process of risk management is to find and efficiently use own human resources, find those human resources that need to be protected from threats. It is also necessary to find those stakeholders who have the ability and intention to generate threats and who possess the corresponding power to use the threats (misuse existing vulnerability). [3]

3. COMMON POINT WITHIN THE PROCESSES OF STAKEHOLDER AND RISK MANAGEMENTS

In the process of risk management and stakeholder management the following common decision points have been identified:

a) Critical assets selected (establishing the context) / identified and analyzed the necessary stakeholders to implement activities to achieve the objectives (including the owners of these assets),
b) Threats identified (establishing the context) / identified and analyzed actors (stakeholders) who have the ability and intention to generate threats,
c) Defined measures / goals are acceptable considering the new assessment of risk level – shown in the risk profile (risk managing) / identify and analyze stakeholders needed to manage the risks by aggregating,
d) Unmanageable risk transfer (escalate) to the senior manager (risk management) / identify and analyze stakeholders needed to manage the risk by escalation,
e) Risk managing changed – senior manager’s decision (based on aggregation of identical and dependent risks into a unified risk profile) / identify and analyze stakeholders needed to manage the risks by aggregating,
f) Risk owners identified and authority delegated to the preparation or implementation of measures to manage risks (risk managing) / identify and analyze stakeholders needed to manage risk (risk owners).

The common decision points described above indicate the need to implement the process of stakeholder management in two cycles. After the risk escalation process there is another cycle of the stakeholder management process at the level of a senior manager. During the dependent risk aggregation the stakeholder management process cycle is carried out twice because even the process of risk management is carried out from the beginning (context). [4]

Based on the analysis of both processes it is possible to create a unified model of risk management and stakeholder management processes (see Figure 4). The unified model works on the analysis of common features of risk management and stakeholder management processes. The model of the processes (see Figure 4) is designed to achieve the desired goal in both risk management as well as in stakeholder management.

Figure 4 Unified process of risk management and stakeholder management (own source)

4. CONCLUSIONS

Cyber security is not only technical means and information. Cyber security is controlled by people (stakeholders) who cooperate or try to make use of the vulnerability of assets to their own benefit (to achieve their own goals). These are the people who control the technical means and create information that is shared by them. Cyber security risk management thus cannot be realized independently of stakeholder management because people actively participate in this process and are influenced by it.

The process of stakeholder management must be cyclically repeated. It is necessary to realize the first cycle of the stakeholder management process in a sub-process of establishing the context of risk management in order to recognize own assets (human resources within an organization) as well as assets outside an organization (customers, subcontractors). The point is to recognize the stakeholders that we need to achieve our goal (activities realization) and protect them. These stakeholders can significantly help with risk identification, analysis and generation of risk management variants. As for the first cycle we have to focus on stakeholders’ identification – actors (identification of actors). Actors can generate threats (ability and intention) and affect the vulnerability of assets (make use of an opportunity).

The second cycle of the stakeholder management can be seen in the sub-process of risk management. The purpose of this cycle is to find suitable human resources necessary for managing risks considering the choice of suitable strategy necessary to manage the risks.

In the field of cyber security, recognition of assets (their vulnerability) and actors (their ability to generate threats) is one of the key points necessary to define measures that prevent/reduce losses within an organization and their customers.

5. REFERENCES

[1] ČSN ISO/IEC 27005 - Informační technologie - Bezpečnostní techniky - Řízení rizik bezpečnosti informací.
[2] ČSN ISO/IEC 31000 - Management rizik – Principy a směrnice.
[3] GRASSEOVÁ, Monika et al. Efektivní rozhodování – analyzování, rozhodování, implementace a hodnocení. 1st ed. Brno: Edika. 2013. ISBN 978-80-266-0179-1.
[4] HRŮZA, Petr et al. Kybernetická bezpečnost II. 1st ed. Brno: Univerzita obrany. 2013. ISBN 978-80-7231-931-2.
[5] SOUŠEK, R. et al. Doprava a krizový management. Pardubice: IJP. 2010. ISBN 978-80-86530-64-2.
