Abstract
Taxonomies of information security threats usually distinguish between accidental and intentional sources of system risk. Security reports have paid a great deal of attention in recent years to the growing problem of hacking and intentional abuse. The prevalence of these reports suggests that hacking has become a more severe problem in relation to other security threats, such as human error. In this paper, we report on research that addresses this question: "How have changes over time in the frequency of hacking and other intentional forms of security threats affected the validity of information systems risk management taxonomies?" We replicate a simple study of the proportions of categories of security threats that was originally completed in 1993. Comparing the results from the replicated study with the results from the original study, we find that the proportions of threat categories have, in contradiction with the popular perception, remained relatively stable over the past decade. These results indicate that human error remains a significant and poorly recognized issue for information systems security. We propose and validate an elaborated taxonomy of information security threats that provides additional insight into human error as a significant source of security risk.