Understanding human performance in sociotechnical systems – Steps towards a generic framework

Luo

et al. 2019

IEEE Access

The objective of the research was to establish data relating to underlying causes of human error which are the most common cause of information security incidents within a private sector healthcare organization. A survey questionnaire was designed to proactively apply the IS-CHEC information security human reliability analysis (HRA) technique. The IS-CHEC technique questionnaire identified the most likely core human error causes that could result in incidents, their likelihood, the most likely tasks that could be affected, suggested remedial and preventative measures, systems or processes that would be likely to be affected by human error and established the levels of risk exposure. The survey was operational from 15th November 2018 to 15th December 2018. It achieved a response rate of 65% which equated to 485 of 749 people targeted by the research. The research found that, in the case of this particular participating organization, the application of the IS-CHEC technique through a questionnaire added beneficial value as an enhancement to a standard approach of holistic risk assessment. The research confirmed that the IS-CHEC in questionnaire form can be successfully applied within a private sector healthcare organization and also that a distributed approach for information security human error assessment can be successfully undertaken in order to add beneficial value. The results of this paper indicate, from the questionnaire responses supplied by employees, that organizational focus on its people and their working environment can improve information security posture and reduce the likelihood of associated information security incidents through a reduction in human error. INDEX TERMSHuman error assessment and reduction technique (HEART), human error related information security incidents, human reliability analysis (HRA), information security, IS-CHEC.

Section: Related Workmentioning

confidence: 99%

Employee Perspective on Information Security Related Human Error in Healthcare: Proactive Use of IS-CHEC in Questionnaire Form

Luo

et al. 2019

IEEE Access

“…Information security management remains relatively weak in conducting root cause analysis of minor incidents [37]. HRA can be used to both support retrospective and predictive analysis, but when applied to new fields this will have to be empirically derived [38].…”

Section: Related Workmentioning

confidence: 99%

Real-Time Information Security Incident Management: A Case Study Using the IS-CHEC Technique

Luo

et al. 2019

IEEE Access

Information security recognised the human as the weakest link. Despite numerous international or sector-specific standards and frameworks, the information security community has not yet adopted formal mechanisms to manage human errors that cause information security breaches. Such techniques have been however established within the safety field where human reliability analysis (HRA) techniques are widely applied. In previous work we developed Information Security Core Human Error Causes (IS-CHEC) to fill this gap. This case study presents empirical research that uses IS-CHEC over a 12 month period within two participating public and private sector organisations in order to observe and understand how the implementation of the IS-CHEC information security HRA technique affected the respective organisations. The application of the IS-CHEC technique enabled the proportions of human error related information security incidents to be understood as well as the underlying causes of these incidents. The study captured the details of the incidents in terms of the most common underlying causes, selection of remedial and preventative measures, volumes of reported information security incidents, proportions of human error, common tasks undertaken at the time the incident occurred, as well as the perceptions of key individuals within the participating organisations through semi-structured interviews. The study confirmed in both cases that the vast majority of reported information security incidents relate to human error, and although the volumes of human error related incidents pertaining to both participating organisations fluctuated over the 12 month period, the proportions of human error remained consistently as the majority root cause.INDEX TERMS Human error assessment and reduction technique (HEART), human error related information security incidents, human reliability analysis (HRA), information security, information security core human error causes (IS-CHEC).

“…It is widely accepted that security incidents related to human perpetrators from internal sources are the most difficult to prevent (Hwang et al, 2017) and not an easy task (McLeod and Dolezel, 2018). A fundamental challenge in complex sociotechnical systems is that of relying upon humans to achieve reliable operations (Kyriakidis et al, 2018) and it is difficult to integrate the human factor in to a plan-do-check-act cycle of an effective Information Security Management System (ISMS) (Frangopoulos, Eloff and Venter, 2014). Addressing these difficulties requires new interventions to change human awareness, attitudes and behaviour (Lacey, 2010).…”

Section: Related Workmentioning

confidence: 99%

Published incidents and their proportions of human error

Yevseyeva

et al. 2019

ICS

Purpose This paper aims to provide an understanding of the proportions of incidents that relate to human error. The information security field experiences a continuous stream of information security incidents and breaches, which are publicised by the media, public bodies and regulators. Despite the need for information security practices being recognised and in existence for some time, the underlying general information security affecting tasks and causes of these incidents and breaches are not consistently understood, particularly with regard to human error. Design/methodology/approach This paper analyses recent published incidents and breaches to establish the proportions of human error and where possible subsequently uses the HEART (human error assessment and reduction technique) human reliability analysis technique, which is established within the safety field. Findings This analysis provides an understanding of the proportions of incidents and breaches that relate to human error, as well as the common types of tasks that result in these incidents and breaches through adoption of methods applied within the safety field. Originality/value This research provides original contribution to knowledge through the analysis of recent public sector information security incidents and breaches to understand the proportions that relate to human error.