Toward viable information security reporting systems

Information Management and Computer Security

Volumn 15, Issue 5, 2007, Pages 408-419

  Sveen, Finn Olav ^a   Sarriegi, Jose M ^a   Rich, Eliot ^b   Gonzalez, Jose J ^c,d  

^a UNIVERSITY OF NAVARRA   (Spain)

^b STATE UNIVERSITY OF NEW YORK   (United States)

^c UNIVERSITY OF AGDER   (Norway)

^d NORWEGIAN UNIVERSITY OF SCIENCE AND TECHNOLOGY   (Norway)

Author keywords

Data security; Human failure; Information; Online reporting

Indexed keywords

COMPUTER SIMULATION; ONLINE SYSTEMS; SECURITY OF DATA;

INCIDENT-REPORTING SYSTEMS; INFORMATION SECURITY REPORTING SYSTEMS; ONLINE REPORTING;

INFORMATION SYSTEMS;

EID: 34948812617     PISSN: 09685227     EISSN: None     Source Type: Journal    
DOI: 10.1108/09685220710831143     Document Type: Article

References (28)

1. Anderson, D.J. and Webster, C.S. (2001), "A system approach to the reduction of medication error on the hospital ward", Journal of Advanced Nursing, Vol. 35, pp. 34-41.
2. Barlas, Y. (1989), "Multiple tests for validation of system dynamics type of simulation models", European Journal of Operations Research, Vol. 42, pp. 59-87.
3. Barlas, Y. (1996), "Formal aspects of model validity and validation in system dynamics", System Dynamics Review, Vol. 12, pp. 183-210.
4. Calder, A. and Watkins, S. (2005), IT Governance, Kogan Page, London.
5. Cooke, D.L. and Rohleder, T.R. (2006), "Learning from incidents: from normal accidents to high reliability", System Dynamics Review, Vol. 22.
6. Ernst & Young (2004), Global Information Security Survey, EYGM, Bangalore.
7. Forrester, J.W. and Senge, P.M. (1980), "Tests for building confidence in system dynamics models", TIMS Studies in the Management Sciences, Vol. 14, pp. 209-28.
8. Gonzalez, J.J. (2005), Towards a Cyber Security Reporting System - A Quality Improvement Process, Springer, Berlin Heidelberg.
9. Gonzalez, J.J., Qian, Y., Sveen, F.O. and Rich, E. (2005), "Helping prevent information security risks in the transition to integrated operations", Telektronikk, Vol. 101, pp. 29-37.
10. ISO (2007), Information Technology - Security Techniques - Code of Practice for Information Security Management, International Organization for Standardization, Geneva.
11. Johnson, C. (2003), Failure in Safety Critical Systems: A Handbook of Incident and Accident Reporting, Glasgow University Press, Glasgow.
12. Kjellén, U. (2000), Prevention of Accidents through Experience Feedback, Taylor & Francis, London.
13. Lee, P.I. and Weitzel, T.R. (2005), "Air carrier safety and culture: An investigation of Taiwan's adaptation to western incident reporting programs", Journal of Air Transportation, Vol. 10.
14. Martinez-Moyano, I.J., Rich, E., Conrad, S., Andersen, D.F. and Stewart, T.R. (2007), "A behavioral theory of insider-threat risks: A system dynamics approach", ACM Transactions on Modeling and Computer Simulation, pp. 1-36.
15. Nyssen, A.S., Aunac, S., Faymonville, M.E. and Lutte, I. (2004), "Reporting systems in healthcare from a case-by-case experience to a general framework: An example in anaesthesia", European Journal of Anaesthesiology, pp. 757-65.
16. OLF (2006) OLF Guideline No. 104, OLF Information Security Baseline Requirements for Process Control, Safety and Support ICT Systems, Norwegian Oil Industry Association, Stavanger.
17. Phimister, J.R., Oktem, U., Kleindorfer, P.R. and Kunreuther, H. (2003), "Near-miss incident management in the chemical process industry", Risk Analysis, Vol. 23, pp. 445-59.
18. Repenning, N.P. and Sterman, J.D. (2002), "Capability traps and self-confirming attribution errors in the dynamics of process improvement", Administrative Science Quarterly, Vol. 47, pp. 265-95.
19. Rich, E., Sveen, F.O. and Jager, M. (2006), "Overcoming organizational challenges to secure knowledge management", paper presented at 2nd Secure Knowledge Management Workshop, New York, NY.
20. Schneier, B. (2000), Secrets and Lies, Wiley, New York, NY.
21. Sterman, J.D. (2000), Business Dynamics, Irwin McGraw-Hill, Boston, MA.
22. Stoneburner, G. (2006), "Toward a unified security/safety model", IEEE Computer, Vol. 39 No. 8, pp. 96-7.
23. Wiant, T.L. (2005), "Information security policy's impact on reporting security incidents", Computers & Security, Vol. 24, pp. 448-59.
24. Wiik, J. (2007), "Dynamics of incident response effectiveness - a SD approach", unpublished PhD thesis, University of Bergen, Bergen.
25. Wiik, J., Gonzalez, J.J. and Kossakowski, K.-P. (2004), "Limits to effectiveness in computer security incident response teams", paper presented at 23rd International Conference of the System Dynamics Society, Oxford.
26. Wiik, J., Gonzalez, J.J. and Kossakowski, K.-P. (2005), "Limits to effectiveness of computer security incident response teams (CSIRTs)", paper presented at Twenty Third International Conference of the System Dynamics Society, The System Dynamics Society, Boston, MA.
27. Winkler I. (2005), Spies Among Us, Wiley, New York, NY.
28. Zangwill, W.I. and Kantor, P.B. (19980, "Towards a theory of continuous improvement and the learning curve", Management Science, Vol. 44, pp. 910-20.