Skip to main content

How do you carry out a protective security analysis?

When you start to work with protective security, the first step is to carry out a protective security analysis. Such an analysis is the basis for all protective security work. So, how do you do a protective security analysis?

When you start to work with protective security, the first step is to carry out a protective security analysis. Such an analysis is the basis for all protective security work. So, how do you do a protective security analysis?

Technological development gives us many new opportunities. The problem is that the authorities' protective security has not kept pace with this development, which means that more shortcomings and vulnerabilities are exposed to potential attackers. To avoid the gap between threats and protection continuing to grow, more security measures are needed. The basis is a protective security analysis.

 

What is protective security?

Protective security means preventative measures to protect Sweden's security against espionage, sabotage, terrorist crimes and other crimes. The technological development in recent years means that we need to broaden the concept of security. In addition, public sector organisations and private companies should now also be included within the framework of protective security.

The term ‘Sweden's security’ refers to both military and civilian activities that may be of importance to Sweden's security. What needs to be protected to prevent threats to Sweden's security may to some extent change over time, but the activities that are important for Sweden's security today all fall into one or more of the following categories:

  • Activities that are important for Sweden's external security: This means Sweden's ability to maintain national defence (territorial sovereignty) as well as Sweden's integrity, independence, and freedom of action (political independence).
  • Activities that are important for Sweden's internal security: This refers to Sweden's ability to maintain and ensure basic structures in the form of the democratic state, the judiciary, and a law enforcement capacity at national level.
  • Nationally important activities: This means deliveries, services and functions that are necessary for society's functionality at national level.
  • Activities that are important for Sweden's economy: This refers to the national ability to pay.
  • Damage-generating activities: This includes an activity that, if exposed to an antagonistic act, can generate damaging consequences for other security-sensitive activities.

 

Protective security

 

The new Protective Security Act places higher demands on protective security

On April 1st 2019, a new Protective Security Act was introduced in Sweden. It applies to all activities that are important for Sweden's security, for example various forms of critical infrastructure. Since these companies are not always state-owned, but can also be private actors, the new act will affect many businesses. The act entails new higher requirements regarding protective security work and is introduced in order to reduce vulnerabilities.

 

How do you conduct a protective security analysis?

When starting to work with protective security, the first step is to carry out a protective security analysis. Such an analysis is the basis for all protective security work. You are obliged to make a protective security analysis if you conduct security-sensitive activities to investigate the need for protective security. But how do you do a protective security analysis?

By asking yourself the following questions, you will get what is required:
 

1. What is the goal of the business?

Make a business description where it is clear what responsibilities and processes that exist in the business. Also note any dependence on other functions, both internal and external.

 

2. Which are the protection values of the business?

Think about what the protection values of the business are, i.e. what are the most sensitive parts, the parts that can affect Sweden's security if someone comes across them?

 

3. Which consequences can arise?

Make an impact assessment and assess where the limit for acceptance goes.

 

Impact assessment

 

4. What is the threat?

Make a clear description of the threats and the opponent. What does the threat picture look like? What type of attacker could be considered a threat? Are there any known potential attackers and what is the threat associated with them?

 

5. Which vulnerabilities exist?

Perform a vulnerability analysis that shows vulnerabilities that are linked to the business's protection values. These can be used by a potential attacker, and therefore it is important to know where they are.

 

6. Which protective measures should be chosen?

Finally, identified vulnerabilities should be linked to appropriate protection measures. The measures can be divided into three different areas: information security, physical security, and personnel security.

 

Protective security plan

Once you have completed your protective security analysis, a protective security plan must be drawn up based on your analysis, which deals with information security, physical security, and personnel security. The protection plan must clarify which protective security measures that must be taken.

 

Security culture

 

Security Culture

Cybersecurity today is not only a technical challenge but also a human challenge – it is a matter of security culture. Criminals do not always use only technical shortcomings but often rely on people to access sensitive data and therefore the human factor is the main cause of the most serious security breaches. Building and maintaining a strong security culture is therefore an extremely important part of the work with cybersecurity.

Security culture is the shared values, conceptions, attitudes, knowledge and behaviour of individuals and groups in an organisation focused on creating security in the business. Security culture is about how employees' values affect the way they think and act in relation to risk and security. It therefore has a great impact on how people work and influence employees on a daily basis.

To become better at security culture, attitudes and behaviours need to change. The organisation needs to see cybersecurity and security culture as an activity-critical activity and not as an isolated IT issue – it is also important that the management prioritises the issue. What should define the work with security culture is to think of security as something that enables the work, not hindering it.

Read more about how to improve your security culture here!

 

Do you want to know more about the Protective Security Act? Read more here!

Do you need help with your security challenges? We will help you!