
    Published incidents and their proportions of human error

    Purpose - The information security field experiences a continuous stream of information security incidents and breaches, which are publicised by the media, public bodies and regulators. Despite the need for information security practices having been recognised for some time, the underlying tasks and causes of these incidents and breaches are not consistently understood, particularly with regard to human error. Methodology - This paper analyses recently published incidents and breaches to establish the proportions attributable to human error and, where possible, subsequently applies the HEART human reliability analysis technique, which is established within the safety field. Findings - The analysis provides an understanding of the proportions of incidents and breaches that relate to human error, as well as the common types of tasks that result in these incidents and breaches, through adoption of methods applied within the safety field. Originality - This research makes an original contribution to knowledge through the analysis of recent public sector information security incidents and breaches in order to understand the proportions that relate to human error

    Analysis of published public sector information security incidents and breaches to establish the proportions of human error

    The information security field experiences a continuous stream of information security incidents and breaches, which are publicised by the media, public bodies and regulators. Despite the need for information security practices having been recognised for some time, the underlying tasks and causes of these incidents and breaches are not consistently understood, particularly with regard to human error. This paper analyses recently published incidents and breaches to establish the proportions attributable to human error and, where possible, subsequently applies the HEART human reliability analysis technique, which is established within the safety field. The analysis provides an understanding of the proportions of incidents and breaches that relate to human error, as well as the common types of tasks that result in these incidents and breaches, through adoption of methods applied within the safety field

    Real-time information security incident management : a case study using the IS-CHEC technique

    Information security recognises the human as the weakest link. Despite numerous international and sector-specific standards and frameworks, the information security community has not yet adopted formal mechanisms to manage the human errors that cause information security breaches. Such techniques have, however, been established within the safety field, where human reliability analysis (HRA) techniques are widely applied. In previous work we developed Information Security Core Human Error Causes (IS-CHEC) to fill this gap. This case study presents empirical research that applied IS-CHEC over a 12 month period within two participating organisations, one public sector and one private sector, in order to observe and understand how implementing the IS-CHEC information security HRA technique affected each organisation. Applying the IS-CHEC technique made it possible to understand the proportion of information security incidents related to human error as well as the underlying causes of these incidents. The study captured the details of the incidents in terms of the most common underlying causes, the selection of remedial and preventative measures, the volumes of reported information security incidents, the proportions of human error, the common tasks being undertaken at the time each incident occurred, and the perceptions of key individuals within the participating organisations gathered through semi-structured interviews. The study confirmed in both cases that the vast majority of reported information security incidents relate to human error; although the volumes of human error related incidents in both organisations fluctuated over the 12 month period, human error consistently remained the majority root cause

    Employee Perspective on Information Security Related Human Error in Healthcare: Proactive Use of IS-CHEC in Questionnaire Form

    The objective of the research was to establish data relating to underlying causes of human error which are the most common cause of information security incidents within a private sector healthcare organization. A survey questionnaire was designed to proactively apply the IS-CHEC information security human reliability analysis (HRA) technique. The IS-CHEC technique questionnaire identified the most likely core human error causes that could result in incidents, their likelihood, the most likely tasks that could be affected, suggested remedial and preventative measures, systems or processes that would be likely to be affected by human error and established the levels of risk exposure. The survey was operational from 15th November 2018 to 15th December 2018. It achieved a response rate of 65% which equated to 485 of 749 people targeted by the research. The research found that, in the case of this particular participating organization, the application of the IS-CHEC technique through a questionnaire added beneficial value as an enhancement to a standard approach of holistic risk assessment. The research confirmed that the IS-CHEC in questionnaire form can be successfully applied within a private sector healthcare organization and also that a distributed approach for information security human error assessment can be successfully undertaken in order to add beneficial value. The results of this paper indicate, from the questionnaire responses supplied by employees, that organizational focus on its people and their working environment can improve information security posture and reduce the likelihood of associated information security incidents through a reduction in human error

    Risk Assessment Framework for Evaluation of Cybersecurity Threats and Vulnerabilities in Medical Devices

    Medical devices are vulnerable to cybersecurity exploitation and, while they can improve clinical care, they can also expose healthcare organizations and their patients to adverse impacts. Evidence has shown that the proliferation of devices on medical networks presents cybersecurity challenges for healthcare organizations, owing to the devices' lack of built-in cybersecurity controls and the inability of organizations to implement security controls on them. The negative impacts of cybersecurity exploitation in healthcare can include loss of patient confidentiality, risk to patient safety, negative financial consequences for the organization, and loss of business reputation. Assessing the risk posed by vulnerabilities in and threats to medical devices can guide healthcare organizations in prioritizing resources to reduce risk most effectively. In this research, we build upon a database-driven approach to risk assessment based on the elements of threat, vulnerability, asset, and control (TVA-C). We contribute a novel framework for the cybersecurity risk assessment of medical devices. Through a series of papers, we answer questions related to the risk assessment of networked medical devices. We first conducted a case study empirical analysis that determined the scope of security vulnerabilities in a typical computerized medical environment. We then created a cybersecurity risk framework to identify threats and vulnerabilities to medical devices and produce a quantified risk assessment. These results supported actionable decision making at the managerial and operational levels of a typical healthcare organization. Finally, we applied the framework to a data set of medical devices received from a partnering healthcare organization. We compare the assessment results of our framework to those of a commercial risk assessment vulnerability management system used to analyze the same assets. The study also compares our framework results to the NIST Common Vulnerability Scoring System (CVSS) scores of the identified vulnerabilities reported through the Common Vulnerabilities and Exposures (CVE) program. As a result of these studies, we recognize several contributions to the area of healthcare cybersecurity. To begin with, we provide the first comprehensive vulnerability assessment of a robotic surgical environment, using a da Vinci surgical robot along with its supporting computing assets. This assessment supports the assertion that networked computer environments in healthcare facilities are at risk of compromise. Next, our framework, known as MedDevRisk, provides a novel method for risk quantification. In addition, our assessment approach uniquely considers the assets that are of value to a medical organization, going beyond the medical device itself. Finally, our incorporation of risk scenarios into the framework, synthesized from other well-known standards, represents a novel approach to medical device risk assessment. To our knowledge, our research is the first to apply a quantified assessment framework to the problem area of healthcare cybersecurity and networked medical devices. We conclude that this framework can reduce the uncertainty about the cybersecurity risk status of medical devices

    Analyzing the Effectiveness of Legal Regulations and Social Consequences for Securing Data

    There is a wide range of concerns and challenges related to stored data security, ranging from privacy and management to operational readiness. These challenges span financial, personal and public impact. With an abundance of regulations for the enforcement of data security and new requirements proposed every year, organizations cannot avoid the legal or social implications of inadequate data protection. Today, public spotlight and awareness are challenging organizations to improve how data is protected more than at any other time. For this reason, organizations have made significant efforts to improve security. When weighing precautions or changes, the factors considered are the costs associated with such action, the potential consequences of not acting, the impact on users, the effort required, and the scope. Because it is unrealistic to think that data security can be guaranteed, leaders must make the hard decisions about which risks they can live with and which must be reduced. It is nonetheless essential to have physical, administrative, and technical controls in place to mitigate data risks. Data protection regulations define requirements, create procedures to identify the associated risks, determine the extent of the impact, and identify what precautions should be taken. This dissertation defined seven areas for consideration related to stored data security. The research facilitated the development of a measurement tool to gather and analyze the knowledge and opinions of working professionals within the United States. The study was performed from July to October 2020 and produced a quantitative data sample used to analyze the effectiveness of legal regulations and social consequences for securing data

    Data breaches and effective crisis communication: a comparative analysis of corporate reputational crises

    Online data breaches are recurrent and damaging cyber incidents for organizations worldwide. This study examines how organizations can effectively mitigate reputational damage in the aftermath of data breaches caused by hacking, through situational crisis communication strategies. Comparable data breach crises do not have an equally negative impact on organizational reputation. Providing comprehensive and exhaustive guidelines, together with detailed explanations of the incident to consumers, helped to reduce the damage. Organizations that relied primarily on one single strategy performed better than those that inconsistently blended strategies. Denial in particular was ultimately detrimental to organizational reputation. Self-disclosure allowed companies to positively influence media reporting. Social media communication did not play an important role in the response of the organizations involved. The consistent and timely adoption of compensation, apology and rectification strategies, combined with reinforcing strategies such as ingratiation and bolstering, positively influenced reputational recovery from the crisis

    A survey on the cyber security of Small-to-Medium businesses: Challenges, research focus and recommendations

    Small-to-medium sized businesses (SMBs) constitute a large fraction of many countries' economies, but according to the literature SMBs are not adequately implementing cyber security, which leaves them susceptible to cyber-attacks. Furthermore, research in cyber security is rarely focused on SMBs, despite their representing a large proportion of businesses. In this paper we review recent research on the cyber security of SMBs, with a focus on the alignment of this research to the popular NIST Cyber Security Framework (CSF). From the literature we also summarise the key challenges SMBs face in implementing good cyber security and conclude with key recommendations on how to implement it. We find that research in SMB cyber security consists mainly of qualitative analysis and is narrowly focused on the Identify and Protect functions of the NIST CSF, with very little work on the remaining functions. SMBs should be able to detect, respond to and recover from cyber-attacks, and if research is lacking in those areas then SMBs may have little guidance on how to act. Future research in SMB cyber security should be more balanced, and researchers should adopt well-established quantitative research approaches to refine and test research, whilst governments and academia are urged to invest in incentivising researchers to expand their research focus

    Alumni Perceptions of Cybersecurity Employment Preparation Using the NICE Framework

    The cybersecurity workforce suffers from an ongoing talent shortage and a lack of information correlating cybersecurity education programs to alumni employment outcomes. This cross-sectional study evaluated the post-graduation employment outcomes of alumni who attended two-year colleges designated by the National Security Agency (NSA) as Centers of Academic Excellence in Cyber Defense (CAE-CD). Stakeholders of this project were identified as government agencies, the NSA, employers, faculty, students, and organizations that rely on cybersecurity talent to keep their systems secure from cyberattacks. This study used the explanatory sequential mixed methods approach to compare perceptions of the intended Program of Study work roles to alumni employment outcomes using the NICE Framework work roles. This multi-phased, nested sample study included CAE-CD designated Points of Contact (POCs) at two-year colleges and their alumni. The first phase included a call for participation requesting POCs to provide academic program information via online survey and to contact their cybersecurity program alumni with a link to an online survey. The second phase of the study included an online survey requesting that the alumni provide data about their work experience, academic program information, industry-recognized certification achieved, and any co/extra-curricular participation. Overall, the demographics of the alumni sample were more diverse than those of the U.S. cybersecurity workforce and the alumni noted that their two-year academic programs were important to the preparation for their current job. Of the alumni who reported they were currently employed, approximately 80% held technology-related positions. Recommendations are made for the use of the resulting knowledge by cybersecurity stakeholders to better understand the employment outcomes of two-year college alumni from CAE-CD cybersecurity programs