Research Repository

Real-Time Information Security Incident Management: A Case Study Using the IS-CHEC Technique

Evans, Mark and He, Ying and Luo, Cunjin and Yevseyeva, Iryna and Janicke, Helge and Zamani, Efpraxia and Maglaras, Leandros A (2019) 'Real-Time Information Security Incident Management: A Case Study Using the IS-CHEC Technique.' IEEE Access, 7. 142147 - 142175. ISSN 2169-3536

[img]
Preview
Text
08853242.pdf - Published Version
Available under License Creative Commons Attribution.

Download (9MB) | Preview

Abstract

Information security recognised the human as the weakest link. Despite numerous international or sector-specific standards and frameworks, the information security community has not yet adopted formal mechanisms to manage human errors that cause information security breaches. Such techniques have been however established within the safety field where human reliability analysis (HRA) techniques are widely applied. In previous work we developed Information Security Core Human Error Causes (IS-CHEC) to fill this gap. This case study presents empirical research that uses IS-CHEC over a 12 month period within two participating public and private sector organisations in order to observe and understand how the implementation of the IS-CHEC information security HRA technique affected the respective organisations. The application of the IS-CHEC technique enabled the proportions of human error related information security incidents to be understood as well as the underlying causes of these incidents. The study captured the details of the incidents in terms of the most common underlying causes, selection of remedial and preventative measures, volumes of reported information security incidents, proportions of human error, common tasks undertaken at the time the incident occurred, as well as the perceptions of key individuals within the participating organisations through semi-structured interviews. The study confirmed in both cases that the vast majority of reported information security incidents relate to human error, and although the volumes of human error related incidents pertaining to both participating organisations fluctuated over the 12 month period, the proportions of human error remained consistently as the majority root cause.

Item Type: Article
Divisions: Faculty of Science and Health > Computer Science and Electronic Engineering, School of
Depositing User: Elements
Date Deposited: 22 Jun 2020 14:35
Last Modified: 22 Jun 2020 15:15
URI: http://repository.essex.ac.uk/id/eprint/27724

Actions (login required)

View Item View Item