Threats in Information Security : Beyond technical solutions. - Using Threat Tree Analysis

Abstract: To be able to protect an organisation's resources, it is important to understand what there is to protect and what to protect it from. The first step is to try to analyse the security threats that exist against an organisation's resources to explore the risks. Threats have to be identified, for the organisation to protect its resources and find where the optimal placement against threats is. This thesis analysis whether it is possible to obtain a Threat Tree Analysis that is useful for developing an information security policy for the municipality in Ronneby, using the SS 62 77 99-1 standard. A co-operation between the technical solutions and the administrative security is necessary to achieve information security, together with ordinary common sense. True, each of these can help improve security, but none of them is a complete solution. Security is not a product - it is a process. Threat trees form the basis of understanding that process. In this thesis, we have been using a qualitative method. The analysis method is a case study at the Social Department, at the municipality in Ronneby. Through interviews it has come us to hand, that the organisation has not established an information security policy which should give the code of practice for how the work of information security will pursue within the organisation. The organisation does neither use a model for structuring threats nor a method for collecting threats against information today. Through the structure of possible threats, the personnel generates an understanding of the organisation and takes active part finding adequate threats within the Social Department. As users understand the importance of security, how to use it, and where to report suspected violations, they can do a great deal to reduce the risk to loose information. Important to remember is that the education is an ongoing process, new users need training and trained users need reminding, especially when new technologies or processes are introduced. Thus, Threat Tree Analysis is useful for continuing towards developing an information security policy according to SS 62 77 99-1 standard.