Høgskolen i Gjøvik


Reed-Mohn, Anders

Anders Reed Mohn

Incident response system

Systematic collection of safety incident / accident data has been common in many industries for decades. An equivalent effort has not been made in the area of information security, except perhaps in highly specialized organizations with such needs.

The systematic collection of incident data allows scientific research and investigation into their causes, ultimately leading organizations to introduce more effective safeguards. Several authors have suggested that incident reporting systems should be used to collect information security incident data.

We propose this project to develop a system dynamics model of an information security incident reporting system, based on a generic model previously developed by other researchers. The model will then be compared to how an existing organization collects incident data. The thesis will analyze to what extent the organization's existing procedures are adequate, and suggest improvements to these based on the developed system dynamics model.

The model is developed both as a qualitative model and as a quantitative simulation model. The latter can be used for testing scenarios, predicting system behaviour in given situations (for drills), or tuning / improving the original model or incident reporting system.

The purpose of the developed model(s) is to help organizations develop or improve incident reporting systems for information security, serving as an aid in evaluating their (planned or existing) procedures and tools. Whilst this might have been relevant to only a limited group of organizations in the past, when fewer worked with information security, we see today that any organization that works with information systems must also deal with information security to some degree. An organization does not need to grow very large before no individual can easily keep oversight of all its workings. Thus a need for structured management arises, just as much in information security as in other business processes.

The project will accordingly need some metric to evaluate the usefulness of the model. This metric could be found in the candidate organization, which might have certain infosec metrics in place, or it might have to be developed in the project.

Answers to the following research questions will be explored, to support or refute the hypothesis that an organization's information security can benefit from an incident reporting system:

  • Can the original generic model be mapped to information security?
  • Is it possible to implement an incident reporting system corresponding to the model?
  • Can we measure (prove) the performance of the observed / implemented system, to evaluate the model?
19.11.2007