Prepare and publish the report
The assessor should prepare her SIA report, and the organisation should publish it on its website and/or submit it to an appropriate repository.
An outline and recommended contents of a SIA report are provided in section 3 of this paper.
Research funding bodies may have specific reporting requirements for societal impact assessment exercises.
Some organisations may be reluctant to publish their SIAs because they fear negative publicity or they have concerns about competitors learning something they don’t want them to. Such concerns seem overdone. Publication offers many benefits and opportunities to the organisation. It demonstrates that the organisation treats societal issues seriously, and consequently its customers or citizens. Customers and citizens are more likely to invest their trust in an organisation that treats their wellbeing, environment, individual rights and other concerns with respect. It offers an opportunity to gather additional feedback from stakeholders. It offers the organisation an opportunity to distinguish itself from its competitors. For organisations concerned about publishing commercially sensitive information or security sensitive information, there are solutions. The organisation can simply redact the sensitive bits or put them into a confidential annex or just publish a summary of the project or, if necessary, provide a copy to the regulator.
Implement the recommendations
The project manager and/or the organisation does not need to accept all these recommendations, but they should say which recommendations they have implemented already or intend to implement and which they do not intend to implement and the reasons why they do not intend to do so. The organisation’s response to the assessor’s recommendations should be posted on the organisation’s website. This transparency will show that the organisation treats the SIA recommendations seriously, which in turn should show consumers and citizens that the organisation merits their trust. The organisation should put in place a mechanism or system for updating the SIA report as necessary and, especially, for monitoring the implementation of the recommendations.
Research funding and support institutions may also wish to be informed of how a research institution is implementing the recommendations.
Recommendations from the SIA may have implications for the research methods and research design used in a security research project.
Ensure a third-party review and or/audit of the SIA
The value of independent third-party review or audit has been established for privacy impact assessments, in term of guaranteeing quality and rigour (Stoddart 2013). This is likely to hold true for societal impact assessments. For research projects this review will need to planned for in advance, with appropriate third parties identified. Existing review bodies, for example research funding agencies, will have their own evaluation and reporting requirements, which may support the external review of the SIA, but these agencies may not yet have the capacity to fully audit the SIA process.
Update the SIA if there are any changes in the project
Many projects undergo changes before completion. Research on technological development may go in several different directions before achieving its goal. Research with a social dimension may also uncover previously unidentified societal impacts. Whenever material changes occur, the project manager and/or assessor should revisit the societal impact assessment to see whether it needs to be amended, which will almost certainly be the case where new societal impacts become apparent that were not previously considered. The value of the spiral methodology is that it highlights the importance of revisiting key questions through the lifetime of the project, and holding initial findings contingent. Depending on the magnitude of the changes, the assessor may need to revisit the SIA as if it were a new initiative, including a new consultation with stakeholders.
Refer to the SIA in any post-project evaluation
The SIA process does not end with the publication of the report, but should be continued into any evaluation work related to the security research project. Depending upon the scope and scale of the project, additional resources and methods may be available to evaluate the efficacy of the security research or applied security measure, these activities should include consideration of societal impact.