The chapter focuses mainly on assessing factors of the external environment in the area of information systems security in an organization through SWOT analysis. First, the method is characterized in terms of its purpose and nature. Emphasis is placed on the principles of SWOT analysis, the methods and tools that can be used, and the most common problems that occur when the analysis is carried out. Another part of the chapter describes the recommended methodical procedure for carrying out SWOT analysis, with its individual phases and the activities appropriate to each phase. The main part of the chapter covers the semi-quantitative assessment of threats to the organization's information systems, evaluating their risks, and the assessment of opportunities, evaluating their benefits. Both cases include a detailed description of the procedure that leads to an objective outcome when identified threats and opportunities are classified according to the set criteria.
Setting The Scene
SWOT is an acronym for Strengths, Weaknesses, Opportunities, and Threats: the internal strengths and weaknesses of an organization, and the opportunities and threats identified in its external environment. SWOT analysis is one of the methods of strategic analysis of the initial state of an organization and/or its parts. It generates strategic alternatives (see Figure 1) on the basis of internal analysis (strengths and weaknesses) and external analysis (opportunities and threats). A comprehensive SWOT analysis sets the strengths and weaknesses of an organization or its parts against the identified opportunities and threats arising from the surrounding environment, and defines the position of the organization and/or its parts as a starting point for defining strategies of further development.
The basic framework of SWOT analysis
The method was developed by Albert Humphrey, who led a research project at Stanford University in the 1960s-1970s. The project was financially supported by the 500 largest corporations in the USA (Fortune 500), and its aim was to analyze shortcomings in the planning process of those corporations and to develop a new system of change management for them. The team method for planning was called SOFT analysis and was later revised as SWOT analysis.
SWOT analysis is among the most widely used analytical methods. Specialized literature usually includes only the outcome of the last phase of SWOT analysis, i.e. the SWOT matrix (see Figure 2).
When carrying out SWOT analysis it is necessary to determine the purpose of its use, i.e. what the outcomes will be used for. SWOT analysis may be used for one or more of the following purposes:
As a basis for defining the vision
As a basis for defining the strategic goals
As a basis for the first generation of strategic alternatives
For identifying critical areas.
Many organizations finish SWOT analysis with a detailed list of strengths, weaknesses, opportunities and threats. However, if the facts discovered are not used for the purposes outlined above, the findings are basically useless. What is the purpose of discovering the weaknesses of the organization, e.g. in securing its information systems, if the organization does not work with that information any further? Many organizations carry out SWOT analysis just to be able to claim it has been completed, for example during the preparation of the information systems security crisis plan, and do not consider the fact that the plan does not reflect the outcomes of the analysis. Therefore, when carrying out SWOT analysis it is necessary to consider its purpose and the further use of its outcomes.