Tests of methods for information security assessment

Authors:

  • Johan Bengtsson
  • Jonas Hallberg
  • Amund Hunstad
  • Kristoffer Lundholm

Publish date: 2009-12-31

Report number: FOI-R--2901--SE

Pages: 68

Written in: Swedish

Keywords:

  • information security
  • IT security
  • assessment
  • testing


Managing information security requires accumulated knowledge about the security of the systems in question. Methods for information security assessment are one aid in building that knowledge: their purpose is to reveal the level of information security provided by the assessed systems. This report characterizes the methods currently available for IT security assessment. The work comprises a literature study, performed to identify relevant methods, and tests, performed to reveal the characteristics of a selection of those methods. The literature study identified 25 methods considered to fulfil the stated prerequisites for testing; seven of these were tested. The test results indicate that none of the tested methods is relevant for the Swedish Armed Forces. One conclusion is that more specific descriptions of the situations in which a need for security assessment arises are required in order to test the methods more thoroughly.