Abstract

It is reported in the literature that the human being is the weakest link with regard to information security assurance. However, there is no agreed understanding of the proportion of information security incidents that relate to unintentional human errors. Humans will always make mistakes, and it is recognized that human error is the consequence, not the cause, of organizational failings. Despite this, blame cultures are still present within organizations, and there is no established information security approach to dealing with the common problem of human errors. Human errors can lead to information security incidents and breaches, which can affect organizations as well as their customers, employees, service users, and the general public. This chapter presents research aimed at understanding holistic themes, proportions, and causes underlying information security weaknesses and information security incidents within participating organizations. The research objective was to establish whether implementation of the Information Security Core Human Error Causes (IS-CHEC) technique, an adaptation of the Human Error Assessment and Reduction Technique (HEART) human reliability analysis (HRA) technique within an information security application, can have positive benefits for both public and private sector organizations as an enhancement to existing information security assurance approaches. The IS-CHEC technique has been developed to be applied within the information security field both retrospectively, in relation to incident management, and proactively, in terms of probabilistic risk assessment.
