Information needs in security analyses: A systematic review of established methods for IT systems

Authors:

  • Teodor Sommestad
  • Johan Bengtsson
  • Jonas Hallberg

Publish date: 2013-12-16

Report number: FOI-R--3723--SE

Pages: 39

Written in: Swedish

Keywords:

  • Information security risk analysis
  • IT system
  • risk

Abstract

This report aims at answering which information, according to established methods, should be the basis for security risk analyses of IT systems. A study was performed to identify what established methods use as the basis for the analysis. The initial search for relevant methods resulted in 74 methods. 12 of the 74 methods met the specified selection criteria and stated the information needed to perform the analysis. Only one seventh of the required information is security-specific information. Thus the emphasis of the methods is on more general information. General information could for example refer to information about different types of structures, such as business structures and structures for technical systems. The most frequently requested information is business related. The overall priority is not on information about the information contained in or processed by a system. Information about behavior or information about technical solutions is not emphasized. Another result is that the type of information used by the different methods varies. Some methods are completely focused on business whereas most also include technical information, particularly with regard to the structure of technical solutions. Overall, the results show that there is a large variety of different types of information of widely different character that can be used as the basis of information security risk analysis.