Experiences of development and maintenance of IT systems
Publish date: 2017-04-26
Report number: FOI-R--4423--SE
Pages: 36
Written in: Swedish
Keywords:
- Information security
- accreditation
- IT architecture
- IT security
- risk management
- risk based security
Abstract
Information security can be perceived as a hindrance to the development and usage of IT systems. For systems with particularly high demands on IT security, the protective measures are extensive, requiring a lot of work to get the system accredited and approved. This report presents an interview study focused on experiences of working with security in IT systems that handle information of national security concern. The respondents' work encompasses IT security in the Swedish Armed Forces, civilian government agencies, and the business sector. Their collective experience covers technology and processes during development, accreditation and maintenance. Their responses are analysed in two ways in order to describe the problem area effectively. The respondents' view is that there are many challenges in reaching the ideal, but unreachable, goal of absolute security. Systems are increasingly complex, making the accreditation process more demanding. Excessive focus on security may lead to systems that demand more time and financial resources to develop, while new architectures and features remain absent. The respondents generally agree that the current way of thinking needs to be adjusted so that the focus shifts to a continuous and active security process spanning the entire life span of the IT system, and broadens beyond merely technical security. A certain change in how risk is viewed has already been introduced in the Armed Forces, but statements on security still seem to be interpreted in an absolute way without taking operational needs into account. A conclusion is that it would be valuable to investigate how IT security and accreditation should be handled in the Armed Forces to better meet operational needs in the future.