February 07, 2007

Stakeholders in Security

Over on anti-fraud, Gervase asked:

>> Perhaps you should define "stakeholder" while you are here.

Ok, fair question. I received a huge tome entitled Phishing and Countermeasures in the post a week or so ago, and it includes lots of academic articles. In one, in a discussion of behavioural studies of phishing, it says:

As previously stated, Smetters and Grinter [39] have made the claim that there are three groups of stakeholders to consider in the design of security technologies, namely developers, administrators, and end-users. They claim also that the latter two groups are the primary focus of most security-related research. Finally, they claim that end-users are more frequently forced to be their own systems administrators nowadays, leading to an undesirable condition in which managing security is more complex for end-users than ever.

The notion that the stakeholders are developers, administrators, and end-users is perhaps the most obvious inventory. In a larger sense, all of society is affected by the security and trustworthiness of the online world, and we should not here discount the effects on all of society that arise when the security rights of individuals are violated. In global terms, the very notion of transactions between people and societies can be affected by the level of collective trust that depends on the reported experience of individuals.

[discussion of personas, snipped] ... it is not enough to design a system that makes it easy for security experts to manage the security of their transactions systems, but also it is necessary to design systems that make it possible for other kinds of people to easily become aware and act compliantly.

The full article is "Behavioural Studies," Jeffrey Bardzell, Eli Blevis, and Youn-kyung Lim.

To complete the discussion, "stakeholder" is a term that sits in opposition to "shareholder;" it both identifies others who are important, and also asks organisations without shareholders to go through the same exercise as those with.

See also the 2nd (management) definition on Wikipedia.

Posted by iang at February 7, 2007 04:09 PM

Stakeholders seems to me to be the jargon of the modern project manager. In general it's the people one has to please to keep one's job. It suggests some kind of equity principle being applied to a process of security, when in fact the objective is to avert risk from the design and render security an assumed risk of the end user. The perfect example of this is Microsoft. The company has released its source code to questionable entities and withheld it from those that would use it to make the system more secure. Security is, from the creator's standpoint, a risk to be avoided at all cost and assumed by the end user.
There are no stakeholders; there are, however, those that have assumed a risk without the proper knowledge to apply it to the creators of the products they purchase. The great area of unknowing assumption of liability by consumers as it is pushed out the door. The unrealized expectations of users are a void waiting to be filled by a design of a creator who sees it. None have seen it because it is seen as a marketing event, an item that can be branded. Apple is suggesting it in their anti-Vista advertising and probably does have a good ethic behind their work. The stakeholder is not the end user, since the risk of producing unsecure applications does not find a home in the stakeholder and is displaced to the end user. This transfer will eventually become the epic of legal matters once the legal expertise exists to present this complex transfer of risk and produce a judgement that makes gains against the malware that litters the world today. More lawyers are needed to present in a civil venue the complex nature of this transfer.

Posted by: JimN at February 7, 2007 06:32 PM

The term, like many, can be broadly used and overused, as well as abused. Obviously in those areas where consultants rampage and charge for the privilege, it is much trampled upon.

This means that it is easy for people who've been burnt by the consultants to blame the terms. Sad, but inevitable: those who wait for others to tell them what to do generally get burnt when someone ... tells them what to do.

Posted by: Iang at February 8, 2007 01:59 PM

From a recent interview with Wendell Weeks, CEO of Corning:

"When you don't have very many long-term shareholders and you have a company that thinks in decades, that can create some tension between stakeholders, and what we have to do is balance that. We also have to run our company for the stakeholders of the future, as well as the stakeholders of the moment. We try to overcome that by being very transparent, so people know what it is they're buying into. We try to be very open about what our plans are. And we try to be very open about the risks of our model."

Doug Ludy

Posted by: Doug Ludy at February 9, 2007 11:14 AM

And there I was, always thinking that stakeholders are those specimens that generally like to hover in the vicinity, patiently waiting to plunge their (wooden) stake in when things don't go exactly as predicted.

See also the sword of Damocles.

Posted by: Saso at February 12, 2007 06:26 PM