Incident Reporting Systems
Abstract
Systematic collection of safety incident / accident data has been common in many industries
for decades. An equivalent effort has not been made in the area of information
security, exclusive perhaps of highly specialized organizations with such needs.
The systematic collection of incident data allows scientific research and investigation
into their causes, ultimately leading organizations to introduce more effective safeguards.
Several authors have suggested that incident reporting systems should be used
to collect information security incident data.
This project explores a System Dynamics model of a general incident reporting system,
previously developed by other researchers, and discusse hpw it can be usefuk in
information security. The model is also compared to how an existing organization collects
incident data, to find out if the assumptions of the model mathces a real world
example, in this case a health care institution.
The purpose of the developed model(s) is to help organizations in developing or
improving incident reporting systems for information security, being an aid in evaluating
their (planned or existing) procedures and tools. Whilst this might have had relevance to
only a limited group of organizations in the past, when fewer worked with information
security, we see today that any organization that works with information systems must
also deal with information security in some degree. An organization does not need to
grow very large before no individual can easily keep oversight of all its workings. Thus a
need for structured management arises, just as much in information security as in other
business processes.