Estimated time: 15 min
In this activity, the main idea is to continue exploring the organization, gathering information directly related to its security, also necessary to raise an optimal threat model in the future. In addition, it is a valuable input to study the evolution of the organization, its environment, and changes in the corresponding threat model.
This activity is based on the section Expanding our knowledge of actors of the Holistic Security guide of Tachtical Technology Collective available in the references.
- People, groups and institutions related to the organization.
- Core projects and processes of the organization.
- Information managed by the organization into its processes.
- Possible negative consequences when violating the information managed by the organization.
- Stakeholder map.
- Group awareness about stakeholders of the organization.
- Research the organization well enough to have clear ideas of its stakeholders. This might help in case of starting or resuming brainstorming in the event that the group feels stuck or slow during the following activity.
In case of doing the activity on paper:
- Post-its or sticky notes and markers or
- Large pieces of paper to stick on the wall and markers. In case of doing the activity in digital equipment:
- Spreadsheet ready to fill, showing the headings with stakeholder categories.
Once the objectives of the organization have been related to the previous activity, it should be clearer for the participants about the approach of the group, the type of stakeholders linked to their work, and their motivations for the safety of the organization.
- Explain briefly that the main idea is to create a spectrum of allies sorted by their attitude towards the organization, seeking to use just a few options in order to facilitate the process. Take for example the following:
- Active opponents
- Neutral stakeholders
- Active allies
Organization Stakeholder Mapping
If the group and the facilitator, consider it necessary, they may spend a few minutes discussing the criteria by which the categories to be studied would be developed.
- Explain briefly that stakeholders are: people, groups and institutions, regardless of their formality as long as they have an existing or potential relationship along with the organization. For example, it is a good habit not to forget stakeholders like:
- Regulatory entities (taxes, work, communications).
- Utility companies.
- Maintenance personnel and general services.
- People to whom services are provided (victims, unprotected groups, citizens seeking advice, etc.).
- Similar organizations.
- Ask the participants to say and / or write the stakeholders, so then afterwards being placed in the columns where they consider that they must located according to their judgment. If there is any disagreement with the rest of the audience in the chosen category, it can be discussed until there is consensus and the group is satisfied with all the names on the list.
- Once the list is considered complete ask the participants for those stakeholders placed at the boundaries (active opponents and allies in the previous example). The main idea is to discuss not only the capabilities and motivations of these names in order to harm or help the organization, but also preparing participants for the data mapping and threat model activities.
- Discuss along with the participants some considerations on stakeholder mapping:
- Maps of stakeholders may vary in time very quickly. Today an active ally tomorrow might be an active opponent, or a neutral stakeholder might take sides in the wake of a particular event.
- Categorization of the stakeholders is perceptual, perhaps for a group a certain name seems an ally, but in practice can play a different role unknown to the organization.
- Generally, an organization is linked to many more stakeholders than can be obtained in a 10-minute brainstorm. It is worthwhile for the group to feel comfortable applying this methodology so they can replicate it by themselves once they consider it convenient.
It is highly important that the map obtained to be available for future activities, if done on paper, it is recommended not to dismantle these post-its and / or sticky notes, but move them to a place where they are visible and do not interfere with other activities. In a case of doing the activity on digital equipment, it is recommended to have at hand the file where the information was collected.