IT Security Assessment

Assessing the security of an IT system is not easy. There are methods for assessing individual components and methods for documenting processes in large systems, but neither converts or combines readily into a means of assessing the security level of a large system. At the same time, large systems present the clearest need for support in the assessment process, since their complexity makes them difficult to consider as a whole.

As illustrated in the figure below, IT security assessments consist of the following six steps.

  1. Establish user need
  2. Define relevant IT security characteristics
  3. Transform the relevant IT security characteristics into measurable system properties and effects
  4. Measure selected properties and effects
  5. Compute compound values
  6. Interpret values

It is vital that the assessment starts and ends at the user. Consequently, security assessment methods must be developed, selected, and used with the targeted users of the results in mind. Approaches considering these issues will result in improved system comprehension, more generally applicable security tools, better correspondence between needs and solutions, and noticeable gains in system and cost efficiency.
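Steps 3 to 6 of the procedure above, walked through in code as an added illustration that is not part of the original text. The characteristics, the measurable properties chosen for them, the weights, the thresholds and the host inventory are all constructed assumptions for this example; the page prescribes none of them, and a real assessment would take them from the user need established in steps 1 and 2.

```python
"""Added example (not from the original text): steps 3-6 of an IT security
assessment walked through in code.  Characteristics, properties, weights,
thresholds and inventory below are constructed assumptions, not page values."""
from statistics import median

# Constructed inventory: one record per host in a hypothetical system.
INVENTORY = [
    {"host": "web-1",  "mfa": True,  "days_since_patch": 3,   "encrypted_disk": True},
    {"host": "web-2",  "mfa": True,  "days_since_patch": 12,  "encrypted_disk": True},
    {"host": "db-1",   "mfa": False, "days_since_patch": 45,  "encrypted_disk": True},
    {"host": "jump-1", "mfa": True,  "days_since_patch": 120, "encrypted_disk": False},
]

# Step 3: each relevant characteristic is transformed into one measurable
# property (a function over the inventory) normalised to [0, 1], 1 being best.
def mfa_coverage(hosts):
    """Share of hosts where multi-factor authentication is enforced."""
    return sum(h["mfa"] for h in hosts) / len(hosts)

def patch_currency(hosts, worst_days=90):
    """1.0 when the median patch age is 0 days, 0.0 at worst_days or older
    (worst_days is an assumed user-chosen bound)."""
    age = median(h["days_since_patch"] for h in hosts)
    return max(0.0, 1.0 - age / worst_days)

def disk_encryption_coverage(hosts):
    """Share of hosts with disk encryption enabled."""
    return sum(h["encrypted_disk"] for h in hosts) / len(hosts)

# Characteristic -> (measurement function, weight); weights are assumptions.
CHARACTERISTICS = {
    "authentication strength": (mfa_coverage, 0.4),
    "patch currency":          (patch_currency, 0.4),
    "data-at-rest protection": (disk_encryption_coverage, 0.2),
}

# Step 4: measure the selected properties.
def measure(hosts):
    return {name: fn(hosts) for name, (fn, _) in CHARACTERISTICS.items()}

# Step 5: compute compound values.  A weighted mean is the obvious aggregate,
# but averaging hides a single collapsed characteristic, so the weakest
# characteristic is reported alongside it.
def compound(measured):
    weighted = sum(measured[n] * w for n, (_, w) in CHARACTERISTICS.items())
    weakest = min(measured, key=measured.get)
    return {
        "weighted_mean": round(weighted, 3),
        "weakest": weakest,
        "weakest_value": round(measured[weakest], 3),
    }

# Step 6: interpret the values against thresholds the user sets (assumed here).
def interpret(comp, acceptable=0.8, floor=0.5):
    if comp["weakest_value"] < floor:
        return f"unacceptable: {comp['weakest']} below floor"
    if comp["weighted_mean"] >= acceptable:
        return "acceptable"
    return "needs improvement"

def assess(hosts):
    """Run steps 4-6 and return (measured, compound, interpretation)."""
    m = measure(hosts)
    c = compound(m)
    return m, c, interpret(c)

if __name__ == "__main__":
    for part in assess(INVENTORY):
        print(part)
```

The point of reporting the weakest characteristic next to the weighted mean is the one the page makes about interpretation: a single compound number can look acceptable while one property the user cares about has collapsed, so the value handed back to the user should expose that before the mean is read.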


Jonas Hallberg

Deputy Research Director