Information needs in security analyses: A systematic review of established methods for IT systems


  • Teodor Sommestad
  • Johan Bengtsson
  • Jonas Hallberg

Publish date: 2013-12-16

Report number: FOI-R--3723--SE

Pages: 39

Written in: Swedish


  • Information security risk analysis
  • IT system
  • risk


This report aims at answering which information, according to established methods, should be the basis for security risk analyses of IT systems. A study was performed to identify what established methods use as the basis for the analysis. The initial search for relevant methods resulted in 74 methods. 12 of the 74 methods met the specified selection criteria and stated the information needed to perform the analysis. Only one seventh of the required information is security-specific information. Thus the emphasis of the methods is on more general information. General information could for example refer to information about different types of structures, such as business structures and structures for technical systems. The most frequently requested information is business related. The overall priority is not on information about the information contained in or processed by a system. Information about behavior or information about technical solutions is not emphasized. Another result is that the type of information used by the different methods varies. Some methods are completely focused on business whereas most also include technical information, particularly with regard to the structure of technical solutions. Overall, the results show that there is a large variety of different types of information of widely different character that can be used as the basis of information security risk analysis.