Incident Reporting Systems

Abstract

Systematic collection of safety incident / accident data has been common in many industries for decades. An equivalent effort has not been made in the area of information security, exclusive perhaps of highly specialized organizations with such needs. The systematic collection of incident data allows scientific research and investigation into their causes, ultimately leading organizations to introduce more effective safeguards. Several authors have suggested that incident reporting systems should be used to collect information security incident data. This project explores a System Dynamics model of a general incident reporting system, previously developed by other researchers, and discusse hpw it can be usefuk in information security. The model is also compared to how an existing organization collects incident data, to find out if the assumptions of the model mathces a real world example, in this case a health care institution. The purpose of the developed model(s) is to help organizations in developing or improving incident reporting systems for information security, being an aid in evaluating their (planned or existing) procedures and tools. Whilst this might have had relevance to only a limited group of organizations in the past, when fewer worked with information security, we see today that any organization that works with information systems must also deal with information security in some degree. An organization does not need to grow very large before no individual can easily keep oversight of all its workings. Thus a need for structured management arises, just as much in information security as in other business processes.