Security in cyber systems is not an isolated technical area but strongly connected to the purpose of the use of the IT systems. Who will need access to what information as well as when and on which location is difficult to know when the system is developed. It is also difficult to foresee what other systems that information will be shared with in the future. It is therefore crucial to have methods for managing the access to information and in an efficient way change authorization for users and systems. Moreover, vulnerabilities in IT systems enable adversaries to bypass applied security solutions. Consequently, issues related to the vulnera­bilities themselves as well as methods for the handling of vulnerabilities are studied. Within this subarea we develop and apply knowledge about e.g:

• Methods to handle specific aspects of cyber security, such as the management of information access and the monitoring of the security in IT systems,
• The ability of different solutions to fulfil the security properties they are claimed to possess,
• Methods for the assessment of the trust­worthiness of systems.

Efficient management of cyber security incidents requires preparation. One important issue is to build practical experience and that can be done via education, training and exercises. However, relevant training and exercises in IT defence require well developed methodologies, extensive technical infrastructure and skilled personnel. Within this subarea knowledge about methods and technologies is developed and applied. Furthermore, a dedicated infrastructure CRATE (Cyber Range and Training Environment) for education, training and exercises is developed and used to host labs, training sessions, and computer defence exercises.

Managing cyber security risks is a vital aspect of contemporary organizations. To be adequate the management of cyber security should be based on the faced cyber security risks. Thus, it is essential to be able to assess these cyber security risks and to be able to strike the right balance between the cyber security and the business use of the information. Within this subarea, various issues related to the assessment and management of cyber security risks are studied. The accumulated knowledge is applied to the development of methods for cyber security risk management and assessment.

Since 2010, FOI runs the National centre for security in control systems for critical infra­structure (NCS3) as a part of the Swedish Civil Contingencies Agency’s (MSB) Programme for increased security in industrial information. Within NCS3, FOI conducts studies and gives courses with the goal to increase the awareness, knowledge, and ability to manage security issues regarding industrial control systems.

A large number of cyber security issues are triggered by the interplay of humans and technical systems. As the security-level of the technical systems improves, the number of attacks utilizing human error, ignorance, and misjudgment to circumvent the security controls increases. This raises questions related to the interplay between different factors affecting the cyber security in socio-technical systems. Within this subarea, knowledge is developed on the social factors affecting the acceptance and success of changes intended to improve cyber security. This knowledge is essential to other aspects of cyber security, such as cyber security risk management.

CRATE - Cyber Range And Training Environment

The Swedish Defence Research Agency (FOI) develops and maintains a Cyber Range And Training Environment (CRATE). CRATE makes it possible to smoothly deploy and configure a large number (thousands) of virtual machines in a controlled environment. CRATE is also equipped with host based traffic generators emulating user behaviour and tools for logging and monitoring the environment. This lab resource is used to create computer networks for use during experiments, competitions and exercises in cyber security.

Read more about CRATE