
dc.contributor.author: Hellesen, Niclas
dc.contributor.author: Torres, Henrik
dc.contributor.author: Wangen, Gaute
dc.date.accessioned: 2019-01-25T11:59:53Z
dc.date.available: 2019-01-25T11:59:53Z
dc.date.created: 2018-07-28T19:43:57Z
dc.date.issued: 2018
dc.identifier.citation: International journal on advances in security. 2018, 11 (1&2), 60-79. [nb_NO]
dc.identifier.issn: 1942-2636
dc.identifier.uri: http://hdl.handle.net/11250/2582361
dc.description.abstract: Root cause analysis is a methodology that comes from the quality assurance and improvement fields. Root cause analysis is a seven-step methodology that proposes multiple tools per step, which are designed to identify and eliminate the root cause of a reoccurring problem. Lately, the method has been adapted into the information security field, yet there is little empirical data regarding the efficiency of the root cause analysis approach for solving information security management problems. This paper presents three empirical case studies of root cause analysis conducted under different premises to address this problem. Each case study is qualitatively evaluated with cost-benefit analysis. The primary case study is a comparison of information security risk assessment and root cause analysis results from an analysis of a complex issue regarding access control violations. The study finds that in comparison to the risk assessment, the benefits of the root cause analysis tools are a better understanding of the social aspects of the risk, especially with regard to social and administrative causes for the problem. Furthermore, we found that the risk assessment and root cause analysis could complement each other in administrative and technical issues. The second case study tests root cause analysis as a tabletop tool by modeling an information security incident primarily through available technical documentation. The findings show that root cause analysis works with tabletop exercises for practice and learning, but we did not succeed in extracting any new knowledge under the restrictions of a tabletop exercise. In the third case study, the root cause analysis methodology was applied in a resource-constrained setting to determine the root causes of a denial of service incident at a small security awareness organization. In this case, the process revealed multiple previously undetected causes and had utility, especially for revealing socio-technical problems. As future work, we propose to develop a leaner version of the root cause analysis scoped for information security problems. Additionally, root cause analysis emphasizes the use of incident data, and we suggest a novel research direction into conducting root cause analysis on cyber security incident data, and define some of the obstacles, research paths, and utility of the direction. Our findings show that a problem needs to be costly to justify the cost-benefit of starting a full-scale root cause analysis project. Additionally, when strictly managed, root cause analysis performed well under time and resource constraints for a less complex problem. Thus, the full-scale root cause analysis is a viable option when dealing with both complex and costly information security problems. For minor issues, a root cause analysis may be excessive or should at least be strictly time managed. Based on our findings, we conclude that root cause analysis should be a part of the information security management toolbox. [nb_NO]
dc.language.iso: eng [nb_NO]
dc.publisher: IARA Journals [nb_NO]
dc.title: Empirical Case Studies of the Root Cause Analysis Method in Information Security [nb_NO]
dc.title.alternative: Empirical Case Studies of the Root Cause Analysis Method in Information Security [nb_NO]
dc.type: Journal article [nb_NO]
dc.type: Peer reviewed [nb_NO]
dc.description.version: acceptedVersion [nb_NO]
dc.source.pagenumber: 60-79 [nb_NO]
dc.source.volume: 11 [nb_NO]
dc.source.journal: International journal on advances in security [nb_NO]
dc.source.issue: 1&2 [nb_NO]
dc.identifier.cristin: 1598875
dc.description.localcode: This article will not be available due to copyright restrictions (c) 2018 by IARA Journals [nb_NO]
cristin.unitcode: 194,63,30,0
cristin.unitcode: 194,16,0,0
cristin.unitname: Institutt for informasjonssikkerhet og kommunikasjonsteknologi
cristin.unitname: Organisasjonsdirektør
cristin.ispublished: true
cristin.fulltext: postprint
cristin.qualitycode: 1

