• DocumentCode
    3003169
  • Title
    Rationale for and Capabilities of IT Security Assessment
  • Author
    Hallberg, Niklas ; Hallberg, Jonas ; Hunstad, Amund
  • Author_Institution
    Swedish Defence Res. Agency, Linkoping
  • fYear
    2007
  • fDate
    20-22 June 2007
  • Firstpage
    159
  • Lastpage
    166
  • Abstract
    The abundance of security threats makes IT security a prerequisite for the use of information technology (IT). When striving for appropriate security, the costs of IT security controls should be related to their impact on the level of IT security. This requires the level of IT security to be assessed. However, this insight is too general to guide the design of methods and tools for IT security assessments. There is therefore a need to explore the rationale for IT security assessments, i.e., why, where, and when they are needed. The objective of this study is to explore the rationale for, and the capabilities required of, methods and tools for IT security assessment. This knowledge about the rationale and the needed capabilities should constitute a foundation for the future development of methods and tools for IT security assessment. The study was performed as a case study within the Swedish Armed Forces. Based on interviews and relevant documents, statements directly or indirectly indicating the need for IT security assessments were identified. These statements were carefully analyzed to identify IT security issues. Thereafter, the IT security issues were categorized into six categories: (1) systems development, (2) system operation, (3) risk management, (4) communication and management of security work, (5) competence regarding IT security, and (6) attainment and preservation of trust. From these categories, 18 contributions to the rationale for IT security assessments were identified and used to determine the capabilities needed of tools and methods for IT security assessments. These capabilities of IT security assessment are presented as criteria ordered in the categories: security assessment domains, security-relevant factors, characteristics of security controls, and assessment results.
  • Keywords
    military computing; risk management; security of data; IT security assessment; Swedish Armed Forces; information technology; system operation; systems development; Communication system operations and management; Communication system security; Conferences; Costs; Data security; Design methodology; Information security; Information technology; Risk management; Usability; IT security; IT security assessment; case study;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Assurance and Security Workshop, 2007. IAW '07. IEEE SMC
  • Conference_Location
    West Point, NY
  • Print_ISBN
    1-4244-1304-4
  • Electronic_ISBN
    1-4244-1304-4
  • Type
    conf
  • DOI
    10.1109/IAW.2007.381928
  • Filename
    4267556