In the figure (Figure 8), the stakeholders with the highest ranks (1-3) are strongly aligned with the
common goal of improving the security of cyber space. In contrast, the stakeholders with
low ranks (5-8) are not primarily interested in the security of cyber space and, as a loose
argument, can be said to introduce most of the vulnerabilities and threats to the security of cyber
space. The hacker has the lowest rank and must be understood as a pure threat to
cyber security without practical capability or willingness to contribute to the security of the
cyber space directly. A hacker, in this case, can be considered an umbrella term for all
miscreants in cyber space. In this example situation, cyber security policies to manage
stakeholders in cyber space would be most beneficial and efficient when enforced against
the low-to-mid (5-8) ranked stakeholders, where the motivation and capability to influence
towards the common goal is rather low. If the stakeholders cannot influence positively towards
a common goal, they must be controlled. The high-end ranked stakeholders are therefore
more difficult to manage through cyber security policies as they would already have a
strong motivation and influence capabilities to drive change in cyber space (for their own
interests coherent with the given organization), making management of these stakeholders
inefficient. However, these stakeholders participate in critical roles in public-private
partnerships regarding information sharing and incident coordination.

8.3 Transferring the results to ISMS

Integrating the cyber security management into the Information Security
Management System (ISMS) makes sense in terms of manageability. One solid system to
manage both information and cyber security risks will most likely be beneficial not only in
terms of resource use but also from the asset manageability and risk assessment point of
view. Most of the assets protected under the cyber security domain are genuinely based on
information, which is also proved later in this thesis. The rest of the assets, such as interests of
stakeholders and non-information-based assets, can be easily integrated as part of the risk
management process by these guidelines (9.5 Transferring the results to ISMS) when the
place of stakeholders in the ISMS has been fully understood and documented in relation to
the interested parties that have been already identified as a requirement originating from
the information security standard [1].