Information security incident investigation: The drivers, methods and outcomes
Matthew Trump
Overview
• IS picture
• Parallels with OHS
• Resilience Engineering
NB
Research Questions
• To establish the primary reported cause of Information Security incidents and in particular to understand why human error is often utilised as the default explanation.
• To investigate parallels between contemporary research in Occupational Health and Safety and Information Security in order to see whether the standard of information security incident investigation can be improved.
• To produce model guidelines for security incident investigation.
Research Methods
• Review Information Security incident reports from both the public and private sector
– Freedom of Information Act / ISACA
• Survey investigation leaders
– Based on HSE report
• Conduct interviews with investigators
So what?
Pragmatism
An opportunity to “improve the rigour and relevance of IS research” Goles (2000)
“The societal value of IS research lies within its possibilities to improve IS practices” Goldkuhl (2004)
… this puts “the research question above such considerations as methodology or the underlying world view.”
Conceptual model
Diagram relating HROs, OHS and IS.
Academic literature review
Very little
Comptia (2010)
“IT professionals attribute slightly more of the blame for security breaches to human error or shortcomings than technology shortcomings (59% vs. 41%).”
• Additionally, the data suggests the human error factor is on the rise as a cause of security breaches.
8th Annual Global Information Security Trends
The data was encrypted but the password was attached
“human error is an attribution.... not an objective fact that can be found by anybody with the right method.”
Woods et al. (2010)
Parallels between OHS and IS
OHS:
• Statement, policy, procedures
• Risk analysis
• OHSMS
• Plan -> Do -> Check -> Act
• Driven by Europe
• Maturity in waves – Borys et al (2009)
IS:
• Policies, procedures, guidelines
• Risk analysis
• ISMS
• Plan -> Do -> Check -> Act
• Driven by Europe
• Maturity in waves – von Solms (2000, 2006)
Parallels between OHS and IS
OHS:
• Limitations of OHSMS
• Limits of safety culture
• Increasing complexity
• More rules
IS:
• Limitations of ISMS
• Limits of security culture
• Increasing complexity
• More rules
Limits of parallels between OHS and IS
OHS:
• 200 years experience
• Social pressure
• Powerful regulator
• Serious sanctions
• Severe outcome
IS:
• 30? years experience
• Do people care?
• ICO…
• Laughable sanctions
• Less severe outcome
Accident causation models
• Sequential view
• Latent pathogens
• Systemic view
Resilience Engineering
“Resilience Engineering looks for ways to enhance the ability of organisations to create processes that are robust yet flexible, to monitor and revise risk models, and to use resources proactively in the face of disruptions or ongoing production and economic pressures.”
Erik Hollnagel (1983)
Why "Human Error" is a meaningless concept
Organisational utility
• Defence against entanglement (simplicity)
• The illusion of control
• A means for distancing
• A marker for failed investigations
Cook, R. I. & Nemeth, C. P. (2010)
Human error
• Old view
– Complex systems fine vs erratic behaviour of people
– Human errors cause accidents
– Failure comes as an unpleasant surprise
• Old response
– More procedures
– More technology
– Remove bad apples
Human error
• New view
– Human error as symptom of deeper trouble
– Not random: connected to tools, tasks and environment
– Not an end point for investigations
• New response
– Humans not perfect
– Find out why their actions made sense to them
Moving beyond human error
• Human error is just an attribution
• Pursue second stories
• Escape hindsight bias
• Understand work at the sharp end
• Search for systemic vulnerabilities
Woods et al (2010)
Accountability and learning
• Take a systems perspective
• Move beyond blame
• Create a just culture
How to answer research questions
• Reports
• Survey
• Investigations
Your help
Reports Survey
Interviews
Investigations
Expert evaluation
Model guidelines