Threat, risk and vulnerability analyses are the basis for IT security in the IT systems of the Swedish Armed Forces. The current documentation of these tasks is scarce in the Swedish armed forces. The focus is on what to deliver, not on how to perform the analyses. The following recommendations are given to the Swedish Armed Forces for future work on developing the threat, risk and vulnerability analysis of IT systems. ? Develop basic knowledge about the fundamental issues of analysis ? Develop clear instructions on how to implement the assessments ? Provide relevant training ? Develop supporting tools for the analyses ? Focus the analyses on the specific rather than the general aspects ? Develop support to determine demands of the operations on IT security