Description of Threats in Security Analyses: Content and Design (Beskrivning av hot vid säkerhetsanalyser. Innehåll och utformning)

Authors:

  • Jonas Hallberg
  • Johan Bengtsson
  • Henrik Karlzén

Publish date: 2018-12-18

Report number: FOI-R--4676--SE

Pages: 53

Written in: Swedish

Keywords:

  • risk
  • information security
  • probability
  • consequence

Abstract

The assessment of probabilities and consequences is fundamental to the specification of information security risks. In structured risk assessments, written descriptions of the identified threats constitute the basis for these assessments. However, there is currently insufficient knowledge of how the content and phrasing of threat descriptions affect the assessment of probability and consequence. To support the production of adequate threat descriptions, a proposal concerning their content and phrasing is presented. As the basis for specifying the content, a set of information elements to be included in threat descriptions is presented. To support the phrasing of threat descriptions, a set of principles to be adhered to is presented. The proposal is not to be considered final but rather a starting point for discussion and further development of knowledge about what should be included in threat descriptions and how they should be phrased. As a first step in assessing the proposal concerning the content of threat descriptions, a quantitative survey-based study was performed. The study was designed to investigate whether the specification of the actor has any influence on the assessment of probability and consequence. The results of the study show, among other things, that there are large variations between respondents in their assessments of probability and consequence.