Incident Reporting Systems

2007

Systematic collection of safety incident / accident data has been common in many industries

for decades. An equivalent effort has not been made in the area of information

security, exclusive perhaps of highly specialized organizations with such needs.

The systematic collection of incident data allows scientific research and investigation

into their causes, ultimately leading organizations to introduce more effective safeguards.

Several authors have suggested that incident reporting systems should be used

to collect information security incident data.

This project explores a System Dynamics model of a general incident reporting system,

previously developed by other researchers, and discusse hpw it can be usefuk in

information security. The model is also compared to how an existing organization collects

incident data, to find out if the assumptions of the model mathces a real world

example, in this case a health care institution.

The purpose of the developed model(s) is to help organizations in developing or

improving incident reporting systems for information security, being an aid in evaluating

their (planned or existing) procedures and tools. Whilst this might have had relevance to

only a limited group of organizations in the past, when fewer worked with information

security, we see today that any organization that works with information systems must

also deal with information security in some degree. An organization does not need to

grow very large before no individual can easily keep oversight of all its workings. Thus a

need for structured management arises, just as much in information security as in other

business processes.