On Achieving an Appropriate Level of Security for National Security Purposes

The purpose of the Norwegian Security Act is to prevent, detect and counter activities which present a threat to national security. Pursuant to the act, all ministries shall identify fundamental national functions (FNFs) within their areas of responsibility and appoint and classify the criticality of objects, infrastructures and information systems underpinning their FNFs. The act mandates organizations responsible for critical national assets to implement security measures to establish an appropriate level of security, but despite several guidelines, complying with the act appears to be difficult in practice. We have explored these challenges by using a fictitious case based on the Ministry of Defence own FNF "Situational Awareness". The first challenge is to establish how FNFs are realized in practice through various processes and sub-functions in complex organizations. Secondly, sectorial and specialized knowledge is required to define performance requirements and how much each sub-function contributes to the FNF. Thirdly, local organizations responsible for a sub-function struggle to define an appropriate security level since they lack the overall picture that would allow for adequate cost-benefit assessments. Our recommendations are therefore to: (i) establish a model for detailing the FNFs into more a more granular functional breakdown, (ii) develop national scenarios from which it is possible to link an organization's functions and assets to the FNFs and the current national planning, including in crises and war, and metrics to support criticality assessments and (iii) develop common guidelines for organization-specific threat scenarios to support a more consistent and verifiable identification of an appropriate level of security.

Keywords: Risk assessment, National security, Appropriate level of security, Cost-benefit analysis.