Skip to main content

Research Repository

Advanced Search

HEART-IS: A novel technique for evaluating human error-related information security incidents

Evans, Mark; He, Ying; Maglaras, Leandros; Janicke, Helge

Authors

Mark Evans

Ying He

Helge Janicke



Abstract

Organisations continue to suffer information security incidents and breaches as a result of human error even though humans are recognised as the weakest link with regard to information security. Despite this level of understanding organisations continue to focus their attention on technical security controls rather than the human factor and have not incorporated methods such as Human Reliability Analysis (HRA) which are used within high reliability sectors such as rail, aviation and energy. The objectives of our research are to define a human error related information security incident and create the novel HEART of Information Security (HEART-IS) technique which is an adaptation of the Human Error Assessment and Reduction Technique (HEART). We conducted a case study within a private sector organisation using HEART-IS to establish if HRA is applicable to information security. The novel HEART-IS technique comprises of a mapping component and an analysis component. In the case study, we applied HEART-IS to map HEART Error Producing Conditions (EPC) to twelve months of reported information security incidents and analysed the volumes of human error and underlying causes. We found that HEART-IS is applicable to the information security field with some minor amendments to the terminology. The mapping of information security incident causes to the HEART Error Producing Conditions (EPC) was successful but the in-built HEART human error probability calculations did not match the actual volumes of reported human error related incidents.

Journal Article Type Article
Acceptance Date Sep 14, 2018
Online Publication Date Sep 25, 2018
Publication Date 2019-01
Deposit Date Jan 6, 2023
Journal Computers & Security
Print ISSN 0167-4048
Publisher Elsevier
Peer Reviewed Peer Reviewed
Volume 80
Pages 74-89
DOI https://doi.org/10.1016/j.cose.2018.09.002
Keywords Information security, Human error assessment and reduction technique, Heart-is, Human error related information security incidents, Human Reliability Analysis (HRA)
Public URL http://researchrepository.napier.ac.uk/Output/2969335