Metodutveckling för säkerhetsskyddsanalys : Behovsanalys och kravunderlag för en generisk metod / Method Development for Protective Security Analysis

Werkelin, Siri, Uggerud, Elsa

January 2022

The security of Sweden is currently being challenged on multiple fronts, and the threats have over the recent years tended to become more complex. As a response to this shift, a new law – the Protective Security Act – was brought into effect in 2019, replacing the old legislation from 1996. The law is meant to protect security-sensitive activities from a national perspective against antagonistic attacks, such as espionage, sabotage, and terrorism. Everyone who conducts such activities are obliged by the law to carry out a protective security analysis. In short, this analysis is meant to identify what needs to be protected, against what it needs to be protected, and how it will be protected. The analysis establishes the foundation of further protective security work.  The Swedish Security Service (Säkerhetspolisen) has acknowledged flaws in organizations’ protective security analyses, and at the consultant agency AFRY, staff have seen the need of new methods to assist with the analysis process. This thesis aims to lay the foundation of a requirement specification for a generic method that can be used by public services as well as private businesses and for both military and civilian activities.  Relevant legal documents were studied to identify the legal requirements of the protective security analysis, and a recital of existing methods by the Swedish Security Service and the Swedish Armed Forces (Försvarsmakten) was carried out to give an idea of what aid organizations have at their disposal today. By conducting semi-structured interviews with representatives from seven organizations along with a small survey study, insight was gained into what the analysis process looks like in practice and what challenges they face. Through the interviews and written sources regarding protective security analysis, several methods designed for other areas of applications, such as CARVER and a risk- and vulnerability analysis model by the Swedish Defence Research Agency (Totalförsvarets forskningsinstitut), were briefly presented and discussed if and how they could be of assistance to the analysis process.  The resulting list of requirements, based on the prior investigation, specified that a future method for protective security analysis need to support an iterative and systematic way of working; handle internal, external, and within-field communication; and be adjustable according to the organizations’ needs. In conclusion, constructing a method that can be used by everyone of importance to Sweden’s security implies some major challenges and dilemmas, such as how the method could provide clarity without being too explicit concerning security-sensitive information, or how to specify boundaries and preconditions for the complex process that is protective security analysis.

säkerhetsskydd

säkerhetsskyddsanalys

metodutveckling

kravunderlag

Information Systems