Abstract

Information security has recognised the human as the weakest link. Despite numerous international and sector-specific standards and frameworks, the information security community has not yet adopted formal mechanisms to manage the human errors that cause information security breaches. Such techniques have, however, been established within the safety field, where human reliability analysis (HRA) techniques are widely applied. In previous work we developed Information Security Core Human Error Causes (IS-CHEC) to fill this gap. This case study presents empirical research that applied IS-CHEC over a 12-month period within two participating organisations, one public sector and one private sector, in order to observe and understand how the implementation of the IS-CHEC information security HRA technique affected each organisation. Applying the IS-CHEC technique made it possible to understand the proportion of information security incidents related to human error, as well as the underlying causes of those incidents. The study captured the details of the incidents in terms of the most common underlying causes, the selection of remedial and preventative measures, the volumes of reported information security incidents, the proportions attributable to human error, the tasks most commonly being undertaken at the time the incident occurred, and the perceptions of key individuals within the participating organisations, gathered through semi-structured interviews. The study confirmed in both cases that the vast majority of reported information security incidents relate to human error; although the volumes of human error related incidents in both organisations fluctuated over the 12-month period, human error remained consistently the majority root cause.

Highlights

  • The field of information security has developed numerous standards and frameworks governing how information should be processed by organisations

  • This paper evaluates the application of the Information Security Core Human Error Causes (IS-CHEC) technique [8] to information security incident management over a 12-month period, within participating public sector and private sector organisations simultaneously

  • Both are aligned to the IS-CHEC technique and its core components, such as root cause, General Information Security Affecting Tasks (GISAT), CHEC and remedial and preventative measures (RPM), which are presented as underlying incident themes

Summary

Introduction

The field of information security has developed numerous standards and frameworks governing how information should be processed by organisations. These standards include the ISO27000 series [1], the Payment Card Industry Data Security Standard [2] and sector-specific policies and standards such as the Data Security and Protection Toolkit [3] applied to the National Health Service in Britain. In previous work we demonstrated that human errors account for the majority of incidents [7].

Executive summary: human error information security incidents over the reporting period. Pearson's correlation coefficient data: see Tables 23 and 24.
