Triangulating the Views of Human and non-Human Stakeholders in Information System Security Risk Assessment

Lizzie Coles-Kemp and Richard E Overill, King's College London, UK

Abstract - The risk assessment methodologies portrayed in traditional information security management literature often do not scale into the multi-level stakeholder environment of corporate governance. This is because they focus on one type of stakeholder: the IT infrastructure. A risk assessment methodology that is to operate successfully in such an environment must have effective mechanisms for including and incorporating the risk perceptions of the different stakeholders. This does not mean that the traditional forms of information security risk assessment should be replaced; on the contrary, they remain essential. Rigorous IT infrastructure risk assessment is fundamental to good security management. However, in environments where the operational processes for using the information are complex and dynamic, another aspect of risk, namely business or operational process security risk, also needs to be assessed. Whilst this view of security risk assessment is not in itself a new concept, and is a dominant aspect of security risk assessment methodologies such as the Sherwood Applied Business Security Architecture (SABSA) and the Facilitated Risk Analysis and Assessment Process (FRAAP), there has been little discussion of how to include the operational process view without detracting from the technical IT asset view. This work considers how interaction between the stakeholders might take place, and this short paper explores different techniques for promoting the inclusion of the different stakeholder communities in the risk assessment process. The case studies used in this paper are the results of five years of field observations.

Index Terms - Risk assessment, triangulation, organic organisations, system characterisation, reflexivity

Manuscript received February 15, 2001. Lizzie Coles-Kemp is a PhD student at King's College London, elizabeth-coles-kemp@kcl.ac.uk. Dr. Richard Overill is a Senior Lecturer at King's College London, richard.overill@kcl.ac.uk. Department of Computer Science, King's College London, Strand, London WC2R 2LS, UK. T: +44(0)20 7848 2833 F: +44(0)20 7848 2913

I. INTRODUCTION

Risk assessment is considered to be a mandatory element of information security management. An ISO 27001 information security management system demands that a risk assessment using a defined methodology takes place over the scope of the information security management system (ISO 27001, 2005a). The intention is that the risk assessment drives the selection of security controls and is also used as a means of review to assess the appropriateness and effectiveness of existing safeguards. This relationship is underlined by the requirement that all security controls be justified by the results of the risk treatment decisions and be traceable to the security policies and security objectives (ISO 27001, 2005b).

Given that risk assessment is a mandatory requirement of such management systems, the organisation often views its security from the perspective of the assets that are identified in the early stages of risk assessment. This is because risk assessment acts not only as a decision-making activity but also as a sensemaking activity within security management, and it is through risk assessment that an organisation begins the process of understanding which aspects of its information are important. Sensemaking can quite literally be described as the process of "making sense" and is best explained by the question: "How can I know what I think until I see what I say?" (Wallas 1926).

When conducting information security risk assessments it is often the case that the system infrastructure is broken up into different technical components and the information assets are characterised in terms of the devices that store them. Information security is therefore often viewed in terms of the technical elements: the systems and networks that store the information, the people that use the information and the physical environment in which they use it. The underlying assumption is that if the network and the system are secure, then the information held by these devices is secure. In this model the primary stakeholder is non-human, the IT equipment, and this stakeholder is supported by the human stakeholder groups that manage the IT equipment. In this context the definition of stakeholder is "any group or individual who can affect or is affected by the achievement of the organisation's objectives" (Freeman 1984:46, as explained by Benn and Dunphy 2007). The consideration of non-human stakeholders has previously taken place as part of environmental governance research, but it is nevertheless a useful perspective to adopt when the different types of information security risk assessment methodology are analysed. In traditional information security risk assessment the IT system as a stakeholder is considered through the identification of system-specific threats and vulnerabilities, and the organisation as a stakeholder is considered through the valuation of impacts