SECURWARE 2017, The Eleventh International Conference on Emerging Security Information, Systems and Technologies
An Empirical Study of Root-Cause Analysis in Information Security Management
Authors:
Gaute Wangen
Niclas Hellesen
Henrik Torres
Erlend Brækken
Keywords: Information Security; Root cause analysis; Risk Management; Case study.
Abstract:
This paper studies the application of root-cause analysis (RCA) methodology to a complex socio-technical information security (InfoSec) management problem. InfoSec risk assessment (ISRA) is the common approach for dealing with problems in InfoSec, where the main purpose is to manage risk and maintain an acceptable risk level. In comparison, RCA tools are designed to identify and eliminate the root cause of a recurring problem. Our case study concerns a complex issue involving multiple breaches of the security policy, primarily through access control violations. By running a full-scale RCA, this study finds that the benefit of the RCA tools is a better understanding of the social aspects of the risk: the RCA highlighted previously unknown social and administrative causes of the problem, which in turn provided an improved decision basis. The treatments recommended by the ISRA and the RCA differed in that the ISRA results recommended technical controls, while the RCA suggested more administrative treatments. Furthermore, we found that ISRA and RCA can complement each other on administrative and technical issues. The main drawback was that our cost-benefit analysis of the hours spent on the RCA was borderline in terms of justifiability. As future work, we propose developing a leaner version of RCA scoped for information security problems.
Pages: 26 to 33
Copyright: Copyright (c) IARIA, 2017
Publication date: September 10, 2017
Published in: conference
ISSN: 2162-2116
ISBN: 978-1-61208-582-1
Location: Rome, Italy
Dates: from September 10, 2017 to September 14, 2017