Information security incident investigations: The drivers, methods, and outcomes Matthew Trump

Information security incident investigations:
The drivers, methods, and outcomes
Matthew Trump
Overview (four-part diagram)
• IS picture
• Parallels with OHS
• Resilience Engineering
Research Questions
• To establish the primary reported cause of
Information Security incidents and in particular to
understand why human error is often utilised as
the default explanation.
• To investigate parallels between contemporary
research in Occupational Health and Safety and
Information Security in order to see whether the
standard of information security incident
investigation can be improved.
• To produce model guidelines for security incident
investigation.
Research Methods
• Review Information Security incident reports
from both the public and private sector.
– Freedom of Information Act / ISACA
• Survey investigation leaders
– Based on HSE report
• Conduct interviews with investigators
Pragmatism
An opportunity to “improve the rigour and
relevance of IS research” Goles (2000)
“The societal value of IS research lies within its
possibilities to improve IS practices” Goldkuhl
(2004)
… this puts “the research question above such
considerations as methodology or the
underlying world view.”
So what?
Conceptual model (diagram): IS, OHS, HROs
Academic literature review
Very little
CompTIA (2010)
“IT professionals attribute
slightly more of the blame for
security breaches to human
error or shortcomings than
technology shortcomings (59%
vs. 41%).”
“Additionally, the data suggests
the human error factor is on the
rise as a cause of security
breaches.”
CompTIA (2013)
“Human error accounts for the
majority of root cause in security
breaches; and 51% of companies
say human error has become
more of a factor over the past
two years.”
CompTIA (2003)
“In more than 63% of security
breaches identified by the
survey's respondents, human
error was the major cause.”
The data was encrypted but
the password was attached
“human error is an attribution.... not an
objective fact that can be found by
anybody with the right method.”
Woods et al. (2010)
Parallels between OHS and IS
OHS
• Statement, policy, procedures
• Risk analysis
• OHSMS
• Plan -> Do -> Check -> Act
• Driven by Europe
• Maturity in waves – Borys et al (2009)
IS
• Policies, procedures, guidelines
• Risk analysis
• ISMS
• Plan -> Do -> Check -> Act
• Driven by Europe
• Maturity in waves – von Solms (2000, 2006)
Parallels between OHS and IS
OHS
• Limitations of OHSMS
• Limits of safety culture
• Increasing complexity
• More rules
IS
• Limitations of ISMS
• Limits of security culture
• Increasing complexity
• More rules
Limits of parallels between OHS and IS
OHS
• 200 years experience
• Social pressure
• Powerful regulator
• Serious sanctions
• Severe outcome
IS
• 30? Years experience
• Do people care?
• ICO…
• Laughable sanctions
• Less severe outcome
Resilience Engineering
“Resilience Engineering looks for ways to
enhance the ability of organisations to
create processes that are robust yet
flexible, to monitor and revise risk models,
and to use resources proactively in the face
of disruptions or ongoing production and
economic pressures.”
Accident causation models
• Sequential view
• Latent pathogens
• Systemic view
Erik Hollnagel (1983)
Why "Human Error" is a meaningless concept
Organisational utility
• Defence against entanglement (simplicity)
• The illusion of control
• A means for distancing
• A marker for failed investigations
Cook, R. I. & Nemeth, C. P. (2010)
Human error
• Old view
– complex systems fine vs erratic behaviour of
people
– human errors cause accidents
– failure comes as an unpleasant surprise
• Old response
– more procedures
– more technology
– remove bad apples
Human error
• New view
– Human error as symptom of deeper trouble
– Not random: connected to tools, tasks and
environment
– Not an end point for investigations
• New response
– Humans not perfect
– Find out why their actions made sense to them
Moving beyond human error
• Human error is just an attribution
• Pursue second stories
• Escape hindsight bias
• Understand work at the sharp end
• Search for systemic vulnerabilities
Woods et al (2010)
Accountability and learning
• Take a systems perspective
• Move beyond blame
• Create a just culture
How to answer research questions
Reports
Survey
Investigations
Research Questions
• To establish the primary reported cause of
Information Security incidents and in particular to
understand why human error is often utilised as
the default explanation.
• To investigate parallels between contemporary
research in Occupational Health and Safety and
Information Security in order to see whether the
standard of information security incident
investigation can be improved.
• To produce model guidelines for security incident
investigation.