This approach acknowledges that for many types of security research, there is a need to conduct societal impact assessments during the research planning or proposal stage. At this stage, there may be minimal resources available to support extensive societal impact efforts, including in-depth consultation. Structured consideration of societal impact at this stage can improve the quality of the research design being proposed or considered, and is crucial to ensure that negative societal impacts are not locked into the research design.
Identify the SIA team and set the team’s terms of reference, resources and time frame
The research project manager should be responsible for the conduct of a SIA, but she may need some additional expertise, perhaps from outside her organisation. Depending on the estimated scale of the SIA, the project manager or the designated societal impact assessor may need to form a team to undertake the SIA. The team could bring together expertise from information security experts, lawyers, operations managers, ethicists, public relations experts, etc. As the SIA progresses, the assessor may find that she needs still other expertise. The benefits of a dedicated manager and interdisciplinary team, which ideally includes some social science expertise, is supported by existing methodologies of social impact assessment (Kemp 2011:30). Eurobarometer research suggests that the European public is most receptive to accounts of research that come from researchers themselves (TNS Opinion & Social 2013).
The project manager and/or the organisation’s senior management should decide on the terms of reference for the SIA team, its budget and its time frame. The assessor may come under considerable pressure to complete the SIA quickly so as not to delay the project, but she may need to resist compromising the integrity and adequacy of her SIA mission and may need to ensure she has the full support of the organisation’s CEO and/or its management board. The terms of reference should make clear that the societal impact assessment is a process, and that the process will need to continue beyond preparation of the SIA report. If the assessor’s work or that of an external consultant comes to an end with publication of the report, the project manager and/or the organisation’s CEO and/or management board should decide how implementation of recommendations will be monitored and who will be responsible for the monitoring and what factors will determine whether the SIA report needs to be updated.
For research projects, it may be appropriate to dedicate a work package or stream of activity to the societal impact role. If this is done, it is important to ensure that this work package is integrated with the other elements of the project, perhaps through shared personnel or making later elements of the work dependent upon stages of the SIA report.
Prepare the SIA plan
The assessor should prepare a plan for conducting the SIA. She can prepare the SIA plan using this SIA process document, but may need to tailor it to the exigencies of the project to be assessed. The plan should spell out the objectives of the SIA, what is to be done to complete the SIA, who on the SIA team will do what, the SIA schedule and, especially, how the consultation will be carried out. An important part of the plan should address consultation. It should specify why it is important to consult across each of the six societal impact areas, who will be consulted and how they will be consulted (e.g. via public opinion survey, workshops, focus groups, public hearings, online experience, specialist consultation tools).
The SIA should also include if and how societal impact will be included in any post-research evaluation activity.
Determine the budget for the SIA
Once the project manager and/or assessor have prepared an SIA plan, they can estimate the costs of undertaking the SIA and seek the budgetary and human resources necessary from the organisation’s senior management. Unfortunately, the assessor may be constrained in what she can do in the SIA by the budget allocated by the organisation. If the assessor is unable to do an adequate SIA, she should note this in her SIA report. The assessor may need to revise her SIA plan based on the budget available.
Describe the project to be assessed
The assessor should describe the project or technology or service to be assessed. As the development of the project or technology or service may still be at an early stage, there may not yet be that much known about the project. The assessor can update the description as more becomes known. The description can be used in at least two ways – it can be included in the SIA report and it can be used as a briefing paper for consulting stakeholders. The description of the project should provide some contextual information (why is the project being undertaken, how is it funded, who are the project members and participants, who are the intended audiences for the findings of the research, how does it relate to other ongoing security research activity conducted by the project members). The project description should state who is responsible for the project. It should indicate important milestones and, especially, when decisions are to be taken that could affect the project’s design.
A critical component of societal impact assessment is the participative inclusion of stakeholders in the assessment of the security research project or security measure application. The assessor should identify stakeholders, i.e. those who are or might be interested in or affected by the project, technology, service or other initiative. The stakeholders could include people who are internal as well as external to the organisation. Involving a variety of stakeholders provides an opportunity for any potential risks to be highlighted and eventually managed. Given the potential breadth of societal impact across different categories of impact, the way that “stakeholders” is understood should be broad and inclusive.
Kemp provides a list of parties who could potentially be affected by a planned project or policy and should thus be engaged within the context of SIA (Kemp 2011). Building upon this list, and customising it for the security research process provides the following summary:
- personnel or managers with carriage of the social agenda within project proponent organisations;
- researchers, designers, engineers, developers, potential suppliers, security experts and others who will carry out the research activity;
- assessors who are commissioned to undertake or facilitate the societal impact assessment process, either internally or from outside of the organizational structure of the project proponent;
- project-affected peoples, up to and including representatives of the general public
- civil society organisations, including civil rights advocates;
- the media;
The assessor should identify these different categories and then identify specific individuals from within each category, preferably as representative as possible. The stakeholders of a project, and particular people who might be affected by the project, will be dependent upon the context of the project and the way in which it is conducted. This means that the above list cannot be inclusive and the project assessor must make efforts to identify other stakeholders as appropriate. Social relations are complex, and stakeholders, especially those affected by unintended consequences, may not be apparent to the SIA team. The SIA process should therefore include opportunities for individuals, groups and organisations to self-identify as stakeholders and request participation in the assessment activity. Some stakeholders may only become apparent as the SIA progresses. If necessary or useful, they too should be brought into the consultation process. The range and number of stakeholders to be consulted should be a function of the likely societal impact as identified in early stages of the spiral methodology, including the number of people who could be affected. Thus, the number of stakeholders to be consulted could be relatively limited if the project or service is also expected to be small, e.g. the project or service might involve only employees of a small or medium-size enterprise. The proper involvement of stakeholders may require additions to the SIA team, either to encourage participation by stakeholders, or to bring key stakeholders, who may be most affected by the project into the SIA team directly.
Next: Consultation & Analysis
 In the course of the SIA, it may become apparent to the assessor that the organisation needs to spend more time on raising the awareness of employees (including researchers) about societal impact issues. The background context section of the report can be used to state what the organisation does now to raise employee awareness of societal impacts, and where it could improve.
Kemp, Deanna (2011) ‘Understanding the Organizational Context’. In Frank Vanclay, Frank and Ana Maria Esteves, (Eds.), New Directions in Social Impact Assessment: Conceptual and Methodological Advances, Cheltenham: Edward Elgar.