
Stakeholder-Based Approach

Stakeholder-Based Approach is a methodology that identifies and integrates all parties with an interest in the system's security into the risk assessment process. This approach ensures compliance with ISO/SAE 21434 and TISAX requirements by addressing human factors, technical controls, and organizational processes simultaneously.

Curated by Winners Consulting Services Co., Ltd.

Questions & Answers

What is Stakeholder-Based Approach?

Stakeholder-Based Approach is a risk management methodology that identifies and integrates all parties with an interest in the system's security—including users, vendors, employees, and regulators—into the design process. This approach recognizes that modern systems, especially autonomous vehicles, are socio-technical systems where human behavior significantly impacts security outcomes. Unlike purely technical approaches, this method requires a holistic view of the system's operational environment. It aligns with the principles of ISO/SAE 21434, which mandates the consideration of all threats, including those arising from human factors. This ensures that security measures are not just technically sound but also practically applicable in real-world scenarios, addressing the full spectrum of risks from both technical vulnerabilities and human-centric attack vectors.

How is Stakeholder-Based Approach applied in enterprise risk management?

Implementation typically follows three phases: Identification, Scenario-based Assessment, and Control Integration. First, the organization must map all stakeholders, including internal roles (developers, operators) and external parties (customers, third-party vendors, regulatory bodies). Second, the company performs scenario-based risk assessments, modeling how different stakeholders might be exploited or could inadvertently introduce risks, such as a technician using unauthorized diagnostic tools. Third, controls are implemented across both technical and organizational layers, ensuring that technical measures (e.g., secure boot, encrypted communication) are supported by organizational policies (e.g., vendor onboarding requirements, employee awareness programs). Leading automotive manufacturers in Europe and Asia have reported up to a 30% reduction in security incidents after adopting this approach, primarily due to the reduction in human-error-related vulnerabilities.

What challenges do Taiwan enterprises face when implementing Stakeholder-Based Approach? How to overcome them?

Taiwan enterprises face three primary challenges: organizational silos, supply chain visibility, and regulatory ambiguity. First, many companies operate with technical teams isolated from legal and operational departments, making it difficult to be truly stakeholder-centric. To overcome this, companies should establish a cross-functional Information Security Steering Committee. Second, the fragmented nature of the automotive supply chain in Taiwan makes it hard to track third-party risks; this can be mitigated by implementing standardized supplier security requirements based on TISAX or ISO 27701. Third, the lack of localized autonomous vehicle regulations creates uncertainty. Companies should proactively adopt international standards like UNECE WP.29 R155/R156 as their baseline, ensuring they are prepared for domestic regulations once they are enacted. A 90-day implementation roadmap starting with a stakeholder impact analysis is recommended for most Taiwan-based enterprises.

Why choose Winners Consulting for Stakeholder-Based Approach?

Winners Consulting Services Co., Ltd. specializes in Stakeholder-Based Approach for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact
