Risk management for IT systems - twelve years of research and technological development


  • Johan Bengtsson
  • Henrik Karlzén

Publish date: 2019-12-19

Report number: FOI-R--4835--SE

Pages: 62

Written in: Swedish


  • information security
  • IT security
  • cyber security
  • IT system
  • risk
  • severity
  • probability
  • risk management
  • risk assessment
  • risk analysis
  • threat risk and vulnerability analysis
  • security analysis
  • security objective
  • security evaluation
  • KSF
  • risk acceptance
  • business process modelling
  • security protection analysis
  • final report


This report summarises studies of risk management in IT systems performed at FOI over the past twelve years (2008-2019). The studies were financed by the Swedish Armed Forces (SwAF) and were intended to support, through research, the SwAF's work on analysing the security of its IT systems. Some of the most important conclusions from the studies are that:

  • the knowledge level for risk assessments in the SwAF needs to be maintained;
  • clearer instructions are needed for how the risk management work should be performed;
  • other prevalent risk management methods are of limited use for the SwAF, since large adaptations are necessary;
  • IT security experts' assessments agree more closely when comparison-based methods are used instead of the current approach.

Several important questions have arisen in the course of the studies and remain unanswered:

  • How large is the difference, typically, between the results of risk assessments for two different IT systems?
  • How persistent are risk assessments over time, and how should one stay informed of changes that occur in systems, threats and contexts?
  • How large are the differences that different risk assessment results lead to later in the process, in the form of recommended security measures?
  • How should different risk assessments be better aligned while still capturing unique insights?