Our activities in the field of IT security stem from deep technical considerations of vital importance to the security of computer-based systems as well as from social aspects, which are increasingly important for the information security of organisations. The combination of social and technical aspects paves the way for results that are based both on the insight into the possibilities of technology and the capabilities of users and organisations as well as the needs of the customer.
Security in IT systems is not an isolated technical area but strongly connected to the purpose of the use of the IT systems. Who will need access to what information as well as when and on which location is difficult to know when the system is developed. It is also difficult to foresee what other systems that information will be shared with in the future. It is therefore crucial to have methods for managing the access to information and in an efficient way change authorization for users and systems. Moreover, vulnerabilities in IT systems enable adversaries to bypass applied security solutions. Consequently, issues related to the vulnerabilities themselves as well as methods for the handling of vulnerabilities are studied. Within this subarea we develop and apply knowledge about e.g:
Efficient management of IT-security incidents requires preparation. One important issue is to build practical experience and that can be done via education, training and exercises. However, relevant training and exercises in IT defense require well developed methodologies, extensive technical infrastructure and skilled personnel. Within this subarea knowledge about methods and technologies is developed and applied. Furthermore, a dedicated infrastructure CRATE (Cyber Range and Training Environment) for education, training and exercises is developed and used to host labs, training sessions, and computer defence exercises.
Managing information security risks is a vital aspect of contemporary organizations. To be adequate the management of information security should be based on the faced information security risks. Thus, it is essential to be able to assess these information security risks and to be able to strike the right balance between the information security and the business use of the information. Within this subarea, various issues related to the assessment and management of information security risks are studied. The accumulated knowledge is applied to the development of methods for information security risk management and assessment.
Since 2010, FOI runs the National centre for security in control systems for critical infrastructure (NCS3) as a part of the Swedish Civil Contingencies Agency’s (MSB) Programme for increased security in industrial information. Within NCS3, FOI conducts studies and gives courses with the goal to increase the awareness, knowledge, and ability to manage security issues regarding industrial control systems.
A large number of information security issues are triggered by the interplay of humans and technical systems. As the security-level of the technical systems improves, the number of attacks utilizing human error, ignorance, and misjudgment to circumvent the security controls increases. This raises questions related to the interplay between different factors affecting the information security in socio-technical systems. Within this subarea, knowledge is developed on the social factors affecting the acceptance and success of changes intended to improve information security. This knowledge is essential to other aspects of information security, such as information security risk management.