Development and application of the Information Security Core Human Error Causes (IS-CHEC) technique
Abstract
It is reported in the literature that the human being is the weakest link with regard to information security assurance. However, there is no agreed understanding of the proportion of information security incidents that relate to unintentional human errors. Humans will always make mistakes and it is recognised that human error is the consequence, not the cause, of organisational failings. Despite this, blame cultures are still present within organisations, and there is no established information security approach to dealing with the common problem of human errors. Human errors can lead to information security incidents and breaches, which can affect organisations as well as their customers, employees, service users and the general public. This chapter presents research aimed at understanding holistic themes, proportions and causes underlying information security weaknesses and information security incidents within participating organisations. The research objective was to establish whether implementation of the Information Security Core Human Error Causes (IS-CHEC) technique, which is an adaptation of the Human Error Assessment and Reduction Technique (HEART) human reliability analysis (HRA) technique within an information security application, can have positive benefits for both public and private sector organisations as an enhancement to existing information security assurance approaches. The IS-CHEC technique has been developed to be applied within the information security field in both a retrospective manner related to incident management, and a proactive manner in terms of probabilistic risk assessment.