Skip to main content

Run a workshop with stakeholders

Running a workshop with the key stakeholders of the information system allows you to more accurately identify its risks.

Workshops — different perspectives and skill sets

There are many tools and techniques that can be used for working together, but we find that multi-disciplinary workshops are the most effective. They make sure that you’re seeing multiple perspectives and drawing on the different skill sets of each stakeholder.

Identifying risks — do not skip or skim over this step

Being thorough in identifying risks to an information system is critical. If a risk is not identified at this stage, it will not be included in the risk analysis phase.


A risk is a threat that can exploit a vulnerability in an information system. This results in an undesirable outcome that prevents, degrades or delays your organisation in achieving its business objectives.

Workshop for identifying risks

In this workshop, you and the participants discuss the sources of threats and their possible reasons for occurring. You may need to schedule a follow-up workshop to:

  • describe the risk scenarios
  • list the causes of each risk
  • list the effects if the risks happen.

What can go wrong with workshops

You might miss identifying risks if:

  • you have not included all stakeholders that are relevant to the information system
  • people are not committed to setting up a successful risk assessment.

Setting up successful risk assessments

Sources of threats to an information system

Government organisations can decide if they need to create risk scenarios for each group or specific threats, or both.

Example of deciding which threats to create risk scenarios for

It may be appropriate for a government organisation to consider the threats from employees and external hackers instead of each type of individual or external organisation. However, they may need to consider each type of technical, accidental and natural event.

Threat groups and their types

These lists are for helping you to get the workshop discussions going — they are not complete lists of all possible threats to an information system.


  • Employees or contractors
  • Customers or clients
  • Service provider employees or contractors
  • Hackers
  • Hacktivists or activists
  • Criminals
  • Terrorists

External organisations

  • Service providers
  • Hacktivist or activist groups
  • Foreign governments
  • State-sponsored action groups
  • Organised crime syndicates
  • Terrorist groups

Technical events

  • Malicious code — for example, viruses and worms
  • Defective code
  • Equipment failure
  • Failure of air-conditioning
  • Loss of power supply

Accidental events

  • Fire
  • Water damage
  • Major accident
  • Destruction of equipment or media

Natural events

  • Weather — for example, an electrical storm
  • Earthquake
  • Volcanic eruption
  • Flood

Possible reasons for threats from individuals and external organisations

Government organisations can decide if it’s important to consider the intent of the threat source — their actions may be accidental, deliberate or malicious.

Examples of considering the intent of threat sources

An employee:

  • forgets to perform a step — accidental
  • chooses not to perform a step, as they believe it is unnecessary — deliberate
  • decides not to perform a step because they know it will harm the organisation — malicious.


Individuals might exploit a vulnerability in an information system to:

  • minimise their effort to complete a process or procedure
  • receive a financial gain
  • seek revenge
  • gain knowledge or information
  • assert power
  • achieve peer recognition and respect
  • satisfy curiosity
  • further political or social aims
  • terrorise certain target groups or individuals
  • enhance personal status with other individuals or groups.

External organisations

External organisations might exploit a vulnerability in an information system to:

  • gain a competitive advantage
  • achieve an economic advantage
  • get a military advantage
  • acquire a political advantage
  • further political or social aims
  • receive a financial gain
  • terrorise certain target groups.

Other factors 

The motivation for individuals and external organisations exploiting vulnerabilities in an information system might be sped up or slowed down by other factors, such as:

  • available equipment
  • quality of equipment
  • expertise
  • experience
  • opportunities being available — for example, an employee has full access to source code or an information system is exposed to the internet.

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated