Identifying the critical success factors to improve information security incident reporting

There is a perception amongst security professionals that the true scale of information security incidents is unknown due to under reporting. This potentially leads to an absence of sufficient empirical incident report data to enable informed risk assessment and risk management judgements. As a resu...

Full description

Bibliographic Details
Main Author: Humphrey, Mike
Other Authors: Massie, Ruth
Published: Cranfield University 2017
Subjects:
Online Access:https://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.738627
id ndltd-bl.uk-oai-ethos.bl.uk-738627
record_format oai_dc
spelling ndltd-bl.uk-oai-ethos.bl.uk-7386272019-01-08T03:26:30ZIdentifying the critical success factors to improve information security incident reportingHumphrey, MikeMassie, Ruth2017There is a perception amongst security professionals that the true scale of information security incidents is unknown due to under reporting. This potentially leads to an absence of sufficient empirical incident report data to enable informed risk assessment and risk management judgements. As a result, there is a real possibility that decisions related to resourcing and expenditure may be focussed only on what is believed to be occurring based on those incidents that are reported. There is also an apparent shortage of research into the subject of information security incident reporting. This research examines whether this assumption is valid and the potential reasons for such under reporting. It also examines the viability of re-using research into incident reporting conducted elsewhere, for example in the healthcare sector. Following a review of what security related incident reporting research existed together with incident reporting in general a scoping study, using a group of information security professionals from a range of business sectors, was undertaken. This identified a strong belief that security incidents were significantly under-reported and that research from other sectors did have the potential to be applied across sectors. A concept framework was developed upon which a proposal that incident reporting could be improved through the identification of Critical Success Factors (CSF’s). A Delphi study was conducted across two rounds to seek consensus from information security professionals on those CSF’s. The thesis confirms the concerns that there is under reporting and identifies through a Delphi study of information security professionals a set of CSF’s required to improve security incident reporting. An Incident Reporting Maturity Model was subsequently designed as a method for assisting organisations in judging their position against these factors and tested using the same Delphi participants as well as a control group. The thesis demonstrates a contribution to research through the rigorous testing of the applicability of incident reporting research from other sectors to support the identification of solutions to improve reporting in the information security sector. It also provides a practical novel approach to make use of a combination of CSF’s and an IRMM that allows organisations to judge where their level of maturity is set against each of the four CSF’s and make changes to strategy and process accordingly.Cyber securityCranfield Universityhttps://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.738627http://dspace.lib.cranfield.ac.uk/handle/1826/12739Electronic Thesis or Dissertation
collection NDLTD
sources NDLTD
topic Cyber security
spellingShingle Cyber security
Humphrey, Mike
Identifying the critical success factors to improve information security incident reporting
description There is a perception amongst security professionals that the true scale of information security incidents is unknown due to under reporting. This potentially leads to an absence of sufficient empirical incident report data to enable informed risk assessment and risk management judgements. As a result, there is a real possibility that decisions related to resourcing and expenditure may be focussed only on what is believed to be occurring based on those incidents that are reported. There is also an apparent shortage of research into the subject of information security incident reporting. This research examines whether this assumption is valid and the potential reasons for such under reporting. It also examines the viability of re-using research into incident reporting conducted elsewhere, for example in the healthcare sector. Following a review of what security related incident reporting research existed together with incident reporting in general a scoping study, using a group of information security professionals from a range of business sectors, was undertaken. This identified a strong belief that security incidents were significantly under-reported and that research from other sectors did have the potential to be applied across sectors. A concept framework was developed upon which a proposal that incident reporting could be improved through the identification of Critical Success Factors (CSF’s). A Delphi study was conducted across two rounds to seek consensus from information security professionals on those CSF’s. The thesis confirms the concerns that there is under reporting and identifies through a Delphi study of information security professionals a set of CSF’s required to improve security incident reporting. An Incident Reporting Maturity Model was subsequently designed as a method for assisting organisations in judging their position against these factors and tested using the same Delphi participants as well as a control group. The thesis demonstrates a contribution to research through the rigorous testing of the applicability of incident reporting research from other sectors to support the identification of solutions to improve reporting in the information security sector. It also provides a practical novel approach to make use of a combination of CSF’s and an IRMM that allows organisations to judge where their level of maturity is set against each of the four CSF’s and make changes to strategy and process accordingly.
author2 Massie, Ruth
author_facet Massie, Ruth
Humphrey, Mike
author Humphrey, Mike
author_sort Humphrey, Mike
title Identifying the critical success factors to improve information security incident reporting
title_short Identifying the critical success factors to improve information security incident reporting
title_full Identifying the critical success factors to improve information security incident reporting
title_fullStr Identifying the critical success factors to improve information security incident reporting
title_full_unstemmed Identifying the critical success factors to improve information security incident reporting
title_sort identifying the critical success factors to improve information security incident reporting
publisher Cranfield University
publishDate 2017
url https://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.738627
work_keys_str_mv AT humphreymike identifyingthecriticalsuccessfactorstoimproveinformationsecurityincidentreporting
_version_ 1718807568917200896