
Information security incident investigations: The drivers , methods, and outcomes


Presentation Transcript


  1. Information security incident investigations: The drivers, methods, and outcomes Matthew Trump

  2. Overview (1–4): IS picture; Parallels with OHS; Resilience Engineering

  3. NB

  4. Research Questions • To establish the primary reported cause of Information Security incidents and in particular to understand why human error is often utilised as the default explanation. • To investigate parallels between contemporary research in Occupational Health and Safety and Information Security in order to see whether the standard of information security incident investigation can be improved. • To produce model guidelines for security incident investigation.

  5. Research Methods • Review Information Security incident reports from both the public and private sector. • Freedom of Information Act / ISACA • Survey investigation leaders • Based on HSE report • Conduct interviews with investigators

  6. Pragmatism An opportunity to “improve the rigour and relevance of IS research” Goles (2000). “The societal value of IS research lies within its possibilities to improve IS practices” Goldkuhl (2004) … this puts “the research question above such considerations as methodology or the underlying world view.”

  7. So what?

  8. Conceptual model IS OHS HROs

  9. Academic literature review Very little

  11. CompTIA (2010) “IT professionals attribute slightly more of the blame for security breaches to human error or shortcomings than technology shortcomings (59% vs. 41%).” • Additionally, the data suggests the human error factor is on the rise as a cause of security breaches. 8th Annual Global Information Security Trends

  12. “Additionally, the data suggests the human error factor is on the rise as a cause of security breaches.”

  13. CompTIA (2013) “Human error accounts for the majority of root cause in security breaches; and 51% of companies say human error has become more of a factor over the past two years.”

  14. CompTIA (2003) “In more than 63% of security breaches identified by the survey's respondents, human error was the major cause.”

  15. The data was encrypted but the password was attached

  16. “human error is an attribution.... not an objective fact that can be found by anybody with the right method.” Woods et al. (2010)

  17. Parallels between OHS and IS (IS on the left, OHS on the right) • Policies, procedures, guidelines / Statement, policy, procedures • Risk analysis / Risk analysis • ISMS / OHSMS • Plan -> Do -> Check -> Act / Plan -> Do -> Check -> Act • Driven by Europe / Driven by Europe • Maturity in waves – von Solms (2000, 2006) / Maturity in waves – Borys et al (2009)

  18. Parallels between OHS and IS (IS on the left, OHS on the right) • Limitations of ISMS / Limitations of OHSMS • Limits of security culture / Limits of safety culture • Increasing complexity / Increasing complexity • More rules / More rules

  19. Limits of parallels between OHS and IS (IS on the left, OHS on the right) • 30? years experience / 200 years experience • Do people care? / Social pressure • ICO… / Powerful regulator • Laughable sanctions / Serious sanctions • Less severe outcome / Severe outcome

  20. Resilience Engineering “Resilience Engineering looks for ways to enhance the ability of organisations to create processes that are robust yet flexible, to monitor and revise risk models, and to use resources proactively in the face of disruptions or ongoing production and economic pressures.”

  21. Accident causation models • Sequential view • Latent pathogens • Systemic view

  22. Erik Hollnagel (1983) Why "Human Error" is a meaningless concept

  23. Organisational utility • Defence against entanglement (simplicity) • The illusion of control • A means for distancing • A marker for failed investigations Cook, R. I. & Nemeth, C. P. (2010)

  24. Human error • Old view • complex systems are fine; the erratic behaviour of people is the problem • human errors cause accidents • failure comes as an unpleasant surprise • Old response • more procedures • more technology • remove bad apples

  25. Human error • New view • Human error as a symptom of deeper trouble • Not random: connected to tools, tasks and environment • Not an end point for investigations • New response • Humans are not perfect • Find out why their actions made sense to them

  26. Moving beyond human error • Human error is just an attribution • Pursue second stories • Escape hindsight bias • Understand work at the sharp end • Search for systemic vulnerabilities Woods et al (2010)

  27. Accountability and learning • Take a systems perspective • Move beyond blame • Create a just culture

  28. How to answer research questions Reports Survey Investigations

  29. Research Questions (repeated from slide 4)
