Previous projects have studied the prerequisites for structured threat, risk and vulnerability assessments based on existing frameworks and research. There is a large number of frameworks and methodologies in this area, but they lack a theoretical basis in many respects. As a consequence, it is unclear what the best solution looks like, given the needs of the Swedish Armed Forces and the type of IT systems they use. For example, it is unclear what skills are required in order for an assessment of IT risks to be correct, or what the data model should look like for the typical analyses of different types of systems.
This project aims to improve the knowledge base that forms the basis for security analysis of the IT systems of the Swedish Armed Forces by trying to answer the following questions:
- What knowledge should the project focus on in order to increase, in the long term, the efficiency of the Armed Forces' methods for performing security analyses in the context of authorization and accreditation of IT systems?
- What knowledge exists in other sectors of society and in international research, and how can it be adapted for the context of the Swedish Armed Forces?
- How can the Swedish Armed Forces' approaches to security analysis for IT systems be improved based on this?