
Toward viable information security reporting systems

Finn Olav Sveen (Department of Industrial Management, Faculty of Technology, TECNUN, University of Navarra, Gipuzkoa, Spain)
Jose M. Sarriegi (Department of Industrial Management, Faculty of Technology, TECNUN, University of Navarra, Gipuzkoa, Spain)
Eliot Rich (Department of Information Technology Management, School of Business, University at Albany, Albany, New York, USA)
Jose J. Gonzalez (Faculty of Engineering and Science, Agder University College, Grimstad, Norway, and Norwegian Information Security Laboratory, Gjøvik University College, Gjøvik, Norway)

Information Management & Computer Security

ISSN: 0968-5227

Article publication date: 16 October 2007


Abstract

Purpose

This research paper aims to examine how incident‐reporting systems function and particularly how the steady growth of high‐priority incidents and the semi‐exponential growth of low‐priority incidents affect reporting effectiveness. Social pressures that can affect low‐ and high‐priority incident‐reporting rates are also examined.

Design/methodology/approach

The authors reviewed the incident‐reporting system literature. As there are few studies of information security reporting systems, they also considered safety‐reporting systems. These have been in use for many years and much is known about them. Safety is used to “fill in the gaps”. The authors then constructed a system dynamics computer simulation model. The model is used to test how an incident‐reporting system reacts under different conditions.

Findings

Incident reporters face incentives and disincentives based on effects on throughput but have limited knowledge of what is important to the organization's security. Even if a successful incident‐reporting policy is developed, the organization may become the victim of its own success, as a growing volume of reports puts higher pressure on incident‐handling resources. Continuously hiring personnel is unsustainable. Continuously improving automated tools for incident response promises more leverage.

Research limitations/implications

The challenges in safety may not be the same as those in information security. However, the model does provide a starting‐point for further enquiries into information security reporting systems.

Originality/value

An examination of basic factors that affect information security reporting systems is provided. Four different policies are presented and examined through simulation scenarios.

Citation

Olav Sveen, F., Sarriegi, J.M., Rich, E. and Gonzalez, J.J. (2007), "Toward viable information security reporting systems", Information Management & Computer Security, Vol. 15 No. 5, pp. 408-419. https://doi.org/10.1108/09685220710831143

Publisher: Emerald Group Publishing Limited

Copyright © 2007, Emerald Group Publishing Limited
