Needs analysis regarding system security assessment


  • Hallberg Jonas
  • Hallberg Niklas
  • Hunstad Amund

Publish date: 2005-01-01

Report number: FOI-R--1820--SE

Pages: 41

Written in: Swedish


Network-centric organizations depend on reliable information systems. The sensitivity of information handled by the Swedish armed forces results in IT security being critical for the implementation of the network-based defense (NBD). To ensure adequate IT security, the ability to assess security levels of systems is required. This report descibes an effort to identify needs regarding IT security assessment. These needs constitute important input to further development, including requirements engineering, of methods and tools for IT security assessment in complex information systems. The effort descibed in this report consists of four main tasks: (1) data collection, (2) identification of statements, (3) analysis of statements, and (4) analysis and structuring of needs. During the data collection, six interviews were conducted and 13 relevant documents were collected. The analysis of the transcribed interviews and the documents resulted in the identification of 215 statements. The analysis of the statements resulted in 525 needs. The outcome of further analysis and structuring was 13 main categories with 419 needs, in total. Examples of identified needs are: requirements engineering, risk management, ability to adapt the security posture of systems during operation, knowledge of to what extent security functions address different aspects of security, and input to decision-making processes.