Identifying the critical success factors to improve information security incident reporting

Date published

2017

Free to read from

Supervisor/s

Journal Title

Journal ISSN

Volume Title

Publisher

Department

Type

Thesis

ISSN

Format

Citation

Abstract

There is a perception amongst security professionals that the true scale of information security incidents is unknown due to under reporting. This potentially leads to an absence of sufficient empirical incident report data to enable informed risk assessment and risk management judgements. As a result, there is a real possibility that decisions related to resourcing and expenditure may be focussed only on what is believed to be occurring based on those incidents that are reported. There is also an apparent shortage of research into the subject of information security incident reporting. This research examines whether this assumption is valid and the potential reasons for such under reporting. It also examines the viability of re-using research into incident reporting conducted elsewhere, for example in the healthcare sector. Following a review of what security related incident reporting research existed together with incident reporting in general a scoping study, using a group of information security professionals from a range of business sectors, was undertaken. This identified a strong belief that security incidents were significantly under-reported and that research from other sectors did have the potential to be applied across sectors. A concept framework was developed upon which a proposal that incident reporting could be improved through the identification of Critical Success Factors (CSF’s). A Delphi study was conducted across two rounds to seek consensus from information security professionals on those CSF’s. The thesis confirms the concerns that there is under reporting and identifies through a Delphi study of information security professionals a set of CSF’s required to improve security incident reporting. An Incident Reporting Maturity Model was subsequently designed as a method for assisting organisations in judging their position against these factors and tested using the same Delphi participants as well as a control group. The thesis demonstrates a contribution to research through the rigorous testing of the applicability of incident reporting research from other sectors to support the identification of solutions to improve reporting in the information security sector. It also provides a practical novel approach to make use of a combination of CSF’s and an IRMM that allows organisations to judge where their level of maturity is set against each of the four CSF’s and make changes to strategy and process accordingly.

Description

Software Description

Software Language

Github

Keywords

Cyber security

DOI

Rights

© Cranfield University, 2015. All rights reserved. No part of this publication may be reproduced without the written permission of the copyright holder.

Relationships

Relationships

Resources

Funder/s