Describe and assess threats to IT systems - Why is it so difficult?


  • Johan Bengtsson
  • Jonas Hallberg
  • Henrik Karlzén

Publish date: 2016-12-09

Report number: FOI-R--4330--SE

Pages: 75

Written in: Swedish


  • Risk assessment
  • threat description
  • likelihood
  • consequence
  • AHP


It is a demanding task to describe the threats to IT systems and to assess the likelihood and consequence of these threats. This report describes studies related to the difficulties in describing and assessing threats to IT systems. Within the studies, two experiments were conducted focusing on aspects that could affect the correlation between different people's assessment of the likelihood and consequence of threats. The first experiment focused on whether the presentation of the threat description affects the assessments of likelihood and consequence. The threat presentations consisted of either structured tables or running text. No statistically significant differences could be found in the results from the experiment. The second experiment was based on an experiment conducted in the project in 2015. The experiment was carried out to identify any differences in interrater consistency when assessments are made according to the method Säkerhetsanalys (Swedish Armed Forces) compared to a comparison-based assessment method. When comparison-based assessments were conducted by experts, having good knowledge in the field of information security as well as experience in assessing information security risks, the results showed statistically significant higher consistency of the assessments regarding both likelihood and consequence. The report ends with findings related to the presentation of threat descriptions and prerequisites for the assessment of threat likelihood and consequence