
4.5 Select Participants

Since the OCTAVE Method is an organizationwide evaluation, it requires people from throughout the organization to participate in it. The core analysis team members lead all activities during the evaluation; other members of the organization are required to participate in selected activities. The analysis team selects people from multiple organizational levels to participate in processes 1 to 3, and the team can augment its skills, experience, and expertise for specific activities in processes 4 to 8 by including additional participants if necessary.

Evaluation Participants

Table 4-2 provides a summary of the participants for each process required by the OCTAVE Method, as well as estimates for their time. In most cases the people participating in processes 1, 2, and 3 can provide supplementary support for the analysis team in other processes if necessary. For example, one of the information technology staff members from process 3 could also be a supplemental analysis team member for processes 5, 6, and 8. Note that all of the times in Table 4-2 are estimates. The actual time required to complete each workshop depends upon factors such as the abilities and experience of analysis team members, the extent to which the analysis team members are familiar with the evaluation process, and the scope of the evaluation.

Peer-Level Workshops for Processes 1 to 3

As shown in Table 4-2, participation in processes 1 to 3 is restricted according to organizational level. After developing a variety of risk evaluation techniques, we have learned that each knowledge elicitation workshop should contain a group of peers in the organization; there should be no real or perceived reporting relationships among the participants in any of the workshops for processes 1 to 3.

Table 4-2. Participants in the OCTAVE Method

| Process | Participants | Estimated Time |
|---|---|---|
| Process 1 | At least 3 senior managers | ½ day |
| Process 2 | At least 4 operational area managers, including one manager from each operational area being evaluated | ½ day |
| Process 3 | 3 to 4 staff members from each operational area being evaluated | ½ day |
| Process 4 | 1 staff member with good analysis skills to supplement the analysis team (optional) | 1 day |
| Process 5 | 1 to 3 information technology staff members to supplement the analysis team in selecting key infrastructure components (optional) | ½ day |
| Process 6 | 1 to 2 information technology staff members to supplement the analysis team by running vulnerability assessment tools (optional) | ½ to 1 day |
| Process 7 | 1 operational area manager and/or 1 staff member with sufficient insight into the organization to supplement the analysis team (optional) | 1 day |
| Process 8A | 1 operational area manager with good planning skills and organizational insight, 1 staff member with good planning skills, and/or 1 to 2 information technology staff members with strong technology skills to supplement the analysis team (optional) | 1 day |
| Process 8B | At least 3 senior managers | ½ day |

Remember that one of the most important risk management principles is open communication. In risk evaluations, people discuss sensitive information about what is not working well in an organization and how the organization's critical assets are at risk. To build an environment where people will share such sensitive information, it is essential that there be no reporting relationships among the people in a workshop. People tend to keep issues to themselves if they are in a workshop with someone to whom they report. We have even seen people refrain from active participation when they perceive that someone in the workshop has a higher position in the organizational hierarchy (e.g., a manager to whom a person does not directly report, or a senior member of the general staff). When this happens, you will not get a free exchange of information, so be careful when you select participants for the workshops of processes 1 to 3.

We have one final caution for you about processes 1 to 3. You should make sure that no information discussed in a workshop is attributed to a specific individual. People who know that information will not be attributed to them tend to be more open in the knowledge elicitation workshops. You need to structure processes 1 to 3 to ensure that people openly discuss risk-related information, and you need to make sure that you let them know how the information will (and will not) be used after the workshop.

Selecting Senior Managers

As indicated in Table 4-2, you need senior management participation in processes 1 and 8B (the second workshop of process 8). Typically, the senior managers will decide which of them will participate; the analysis team can coordinate the selection process and provide guidance as necessary. In process 1, at least three senior managers are needed who

  • Are familiar with the types of information-related assets used in your organization

  • Are able to commit to the time required for this assessment

  • Have the authority to select and authorize time for operational area managers

  • Preferably have been in their position for at least a year

The managers who participate in process 1 generally also participate in the evaluation's final workshop, process 8B.

Selecting Operational Area Managers

Operational area managers need to participate in the process 2 knowledge elicitation workshop. Senior managers select managers from the operational areas that are being evaluated during the OCTAVE Method. The analysis team provides guidance during the selection of operational area managers. There is usually only one operational area management workshop (process 2), although additional workshops can be held if needed. At least four operational area managers, including the information technology manager, participate in the process 2 workshop. You should guide senior managers to select operational area managers who

  • Have key responsibilities for the selected operational areas

  • Are familiar with the types of information-related assets used in your organization

  • Are familiar with the ways in which these information-related assets are used

  • Are able to commit to the time required for this assessment

  • Preferably have been in their position for at least a year

  • Have the authority to select and authorize time for staff members

Operational area managers in your organization will contribute a half day of their time to attend the process 2 workshop. In addition, you might want to supplement your team's skills during processes 7 and 8A (the first workshop of process 8) by including an operational area manager.

Selecting Staff Members

General staff members and information technology staff members participate in the process 3 knowledge elicitation workshops. Operational area managers select three to four key staff members from their areas to participate in process 3. There should be at least three workshops involving staff: two for general staff and one for IT staff. Depending upon the number of operational areas selected, you may need more than two workshops for the general staff.

You should limit the size of the staff workshops to five people. If you include more than five people in a workshop, it will be difficult for all of them to participate actively, and some participants might be too overwhelmed to contribute. Higher numbers of participants can also be difficult to manage for a new analysis team. For the process 3 knowledge elicitation workshops, you should select at least three to four staff members from each selected operational area who

  • Are familiar with the types of information-related assets used in their area

  • Are familiar with the ways in which the information-related assets are used

  • Are able to commit to the time required for this assessment

  • Preferably have been in their position for at least a year

Additional members of the general staff may be needed to supplement the knowledge or skills of the analysis team during processes 4, 7, and 8. During process 4, someone with analysis skills might be included to help with threat identification. In processes 7 and 8A, additional help may be needed to analyze risks, define evaluation criteria, or develop mitigation plans. You will probably find that you will be better able to identify specific people to help with targeted pieces of the evaluation when you start preparing for those parts of the evaluation process. Refer to Table 4-2 for ideas about whom to include.

Briefing All Participants

After you have identified the participants, you will need to help them understand the purpose of the evaluation and define their roles for them before any of the workshops begin. We suggest that you hold a briefing for the selected participants. Make sure you mention that any information identified during the knowledge elicitation workshops will not be attributed to specific individuals; this is a good place to emphasize the need for open communication of sensitive issues. It is also a good idea for one or more senior managers to be present for the briefing. These managers can then use this opportunity to reinforce their sponsorship of the evaluation.

This concludes our overview of selecting participants and brings us to the last preparation activity remaining before you can begin the evaluation: coordinating logistics for the evaluation.
