A longitudinal study of information system threat categories: the enduring problem of human error

Taxonomies of information security threats usually distinguish between accidental and intentional sources of system risk. Security reports have paid a great deal of attention in recent years to the growing problem of hacking and intentional abuse. The prevalence of these reports suggests that hacking has become a more severe problem in relation to other security threats, such as human error. In this paper, we report on research that addresses this question: "How have changes over time in the frequency of hacking and other intentional forms of security threats affected the validity of information systems risk management taxonomies?" We replicate a simple study of the proportions of categories of security threats that was originally completed in 1993. Comparing the results from the replicated study with the results from the original study, we find that the proportions of threat categories have, in contradiction with the popular perception, remained relatively stable over the past decade. These results indicate that human error remains a significant and poorly recognized issue for information systems security. We propose and validate an elaborated taxonomy of information security threats that provides additional insight into human error as a significant source of security risk.
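The replication described above rests on one measurement: the share of incidents falling into each threat category in two periods, and whether that share has shifted. The following Python script is an added illustration of that comparison, not code or data from the paper. The incident records, the four category names, their mapping onto the accidental/intentional split, and the use of a Pearson chi-square homogeneity test are all this example's own assumptions; the paper does not publish its counts or its statistical procedure.

```python
"""Compare the mix of security-threat categories across two periods.

Added example: tally incidents by category (or by accidental/intentional
source type), convert to proportions, and test whether the mix differs
between periods with a Pearson chi-square test of homogeneity.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Assumed two-level taxonomy: fine-grained category -> source type.
TAXONOMY: Dict[str, str] = {
    "human_error": "accidental",
    "equipment_failure": "accidental",
    "hacking": "intentional",
    "insider_misuse": "intentional",
}

# Constructed incident records as (period, category) pairs. Not survey data.
INCIDENTS: List[Tuple[str, str]] = (
    [("1993", "human_error")] * 40 + [("1993", "equipment_failure")] * 15
    + [("1993", "hacking")] * 10 + [("1993", "insider_misuse")] * 5
    + [("2003", "human_error")] * 45 + [("2003", "equipment_failure")] * 10
    + [("2003", "hacking")] * 16 + [("2003", "insider_misuse")] * 9
)

# Upper 5% critical values of the chi-square distribution for df = 1..5.
CHI2_CRIT_05: Dict[int, float] = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}


def tally(incidents: List[Tuple[str, str]], by_source: bool = False) -> Dict[str, Counter]:
    """Count incidents per period, keyed by category or (by_source) by source type."""
    table: Dict[str, Counter] = {}
    for period, category in incidents:
        key = TAXONOMY[category] if by_source else category
        table.setdefault(period, Counter())[key] += 1
    return table


def proportions(counts: Counter) -> Dict[str, float]:
    """Turn raw counts for one period into proportions that sum to 1."""
    total = sum(counts.values())
    return {key: value / total for key, value in counts.items()}


def chi_square_homogeneity(table: Dict[str, Counter]) -> Tuple[float, int]:
    """Pearson chi-square statistic and degrees of freedom for a periods x categories table.

    Expected cell count = row total * column total / grand total; the statistic
    sums (observed - expected)^2 / expected over every cell.
    """
    categories = sorted({c for counts in table.values() for c in counts})
    row_totals = {period: sum(counts.values()) for period, counts in table.items()}
    col_totals = {c: sum(counts[c] for counts in table.values()) for c in categories}
    grand = sum(row_totals.values())
    stat = 0.0
    for period, counts in table.items():
        for c in categories:
            expected = row_totals[period] * col_totals[c] / grand
            stat += (counts[c] - expected) ** 2 / expected
    df = (len(table) - 1) * (len(categories) - 1)
    return stat, df


def mix_changed(table: Dict[str, Counter], crit: Dict[int, float] = CHI2_CRIT_05) -> bool:
    """True if the category mix differs between periods at the 5% level."""
    stat, df = chi_square_homogeneity(table)
    return stat > crit[df]


if __name__ == "__main__":
    by_category = tally(INCIDENTS)
    for period, counts in sorted(by_category.items()):
        print(period, {k: round(v, 3) for k, v in sorted(proportions(counts).items())})
    stat, df = chi_square_homogeneity(by_category)
    print(f"chi-square = {stat:.3f}, df = {df}, mix changed: {mix_changed(by_category)}")
    by_source = tally(INCIDENTS, by_source=True)
    stat, df = chi_square_homogeneity(by_source)
    print(f"accidental vs intentional: chi-square = {stat:.3f}, df = {df}")
```

Running the script on the constructed records shows the pattern the abstract reports: the proportions move a little between periods, but neither the four-category table nor the coarser accidental/intentional split crosses the 5% critical value, so the category mix is not shown to have changed. The same tally-and-test structure applies to a defender's own incident register, provided each record is classified under one consistent taxonomy before counting.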
