Industries such as chemical processing, aviation, railway, shipping and nuclear have for many years systematically collected safety incident / accident data. Systematic collection allows scientific research and investigation into causes of incidents / accidents, ultimately allowing organizations to introduce more effective safeguards. Several authors, including Schneier and Gonzalez, have suggested that similar incident reporting systems should be used to collect information security incident data. In other words, an information security reporting system.
A recent paper by Rich, Sveen and Jager, “Identifying Organizational Challenges to Secure Knowledge Management”, presents a system dynamics model of a (safety) incident reporting system. The paper suggests that an incident reporting system is subject to many forces that govern whether the system is going to be successful. These include factors that either dissuade or encourage reporting of incidents. Preliminary studies show that many of the same factors will affect a security incident reporting system.
System dynamics is a powerful methodology and computer simulation modelling technique for framing, understanding, and discussing complex issues and problems. Originally developed as a decision-making tool for corporate managers, it soon became apparent that it had uses beyond the corporate board rooms.
The thesis will investigate the incident reporting system implemented by Hydro. Since Integrated Operations (IO) depends on high levels of information security, the IO pilot projects Brage and Oseberg are well suited as objects of enquiry. The aim of the project is to determine the state of information security incident reporting at either Brage or Oseberg, and find policies that can lead to improvement. The main focus of the data gathering effort will be on:
The information gathered from the three points above will be compared with the model by Rich et al. and incident reporting literature to determine the quality of the implemented reporting system and guidelines. For a satisfactory comparison with the model of Rich et al. to take place it is necessary to construct a System Dynamics model of the information security incident reporting systems at the chosen sites. The model of Rich et al. serves as a useful starting point. The modelling work will involve first the development of a qualitative model, followed by a formal simulation model.
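To make concrete what a stock-and-flow simulation of a reporting system looks like, here is a small added example (written for this page; it is not the model of Rich, Sveen and Jager, not Hydro's reporting system, and not based on any Brage or Oseberg data). All stocks, flows and parameter values are assumed constants chosen so that three of the forces the text mentions are visible: follow-up on reports builds willingness to report (a reinforcing loop), reports the security team cannot follow up erode it (a balancing loop), and a blame culture penalises every report made. The model is integrated with a one-week Euler step; the three scenarios at the bottom compare a supportive, a punitive and an under-resourced reporting regime.

```python
"""Minimal system dynamics model of a security incident reporting system.

Added illustration only: stocks, flows and every parameter value are
assumptions, not results from Rich et al. or from any real organisation.
"""
from dataclasses import dataclass


@dataclass
class Params:
    incidents_per_week: float = 10.0   # underlying security incident rate (assumed)
    followup_capacity: float = 8.0     # reports the security team can follow up per week
    blame: float = 0.0                 # 0 = no-blame culture, 1 = strongly punitive
    trust_gain: float = 0.01           # willingness gained per report followed up
    overflow_loss: float = 0.05        # willingness lost per report left unanswered
    blame_loss: float = 0.02           # willingness lost per report under a blame culture
    erosion: float = 0.02              # weekly fading of willingness when nothing reinforces it


@dataclass
class State:
    willingness: float = 0.3           # stock: share of incidents staff are willing to report (0..1)
    reported_total: float = 0.0        # stock: incidents reported so far
    unreported_total: float = 0.0      # stock: incidents that stayed hidden
    unanswered_total: float = 0.0      # stock: reports that never received follow-up


def step(s: State, p: Params) -> State:
    """Advance the model by one week (Euler step, dt = 1 week)."""
    reported = p.incidents_per_week * s.willingness        # flow: reports made this week
    followed_up = min(reported, p.followup_capacity)       # flow: reports actually handled
    unanswered = reported - followed_up                    # flow: reports beyond capacity
    d_willingness = (p.trust_gain * followed_up            # reinforcing: follow-up builds trust
                     - p.overflow_loss * unanswered        # balancing: ignored reports hurt trust
                     - p.blame_loss * p.blame * reported   # punitive culture dissuades reporting
                     - p.erosion * s.willingness)          # willingness fades without reinforcement
    return State(
        willingness=min(1.0, max(0.0, s.willingness + d_willingness)),
        reported_total=s.reported_total + reported,
        unreported_total=s.unreported_total + (p.incidents_per_week - reported),
        unanswered_total=s.unanswered_total + unanswered,
    )


def simulate(p: Params, weeks: int = 52, initial_willingness: float = 0.3) -> State:
    """Run the model for the given number of weeks and return the final state."""
    s = State(willingness=initial_willingness)
    for _ in range(weeks):
        s = step(s, p)
    return s


def reporting_rate(s: State) -> float:
    """Share of all incidents over the whole run that were actually reported."""
    total = s.reported_total + s.unreported_total
    return s.reported_total / total if total else 0.0


# Three assumed regimes for the same underlying incident rate.
SCENARIOS = {
    "supportive": Params(),                            # no blame, enough follow-up capacity
    "punitive": Params(blame=1.0),                     # every report carries a cost to the reporter
    "under_resourced": Params(followup_capacity=2.0),  # no blame, but most reports go unanswered
}


if __name__ == "__main__":
    for name, params in SCENARIOS.items():
        end = simulate(params)
        print(f"{name:16s} willingness={end.willingness:.3f} "
              f"reported_share={reporting_rate(end):.2f} "
              f"unanswered={end.unanswered_total:.0f}")
```

With these constants the supportive regime settles where reports slightly exceed follow-up capacity (willingness about 0.92), the under-resourced regime settles just above its capacity at about 0.23, and the punitive regime drives willingness to zero within a year. The point of the exercise is the one the text makes: the same underlying incident rate yields very different reporting data depending on the feedback structure around the reporting system, so comparing a site's observed reporting against such a model is what lets one judge the reporting system itself rather than the raw incident count.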