Abstract for: The Role of Incident Reporting in Reducing Information Security Risks

This paper examines the role of information security incident reporting systems in the wider context of an information security management system. This work is based on four group model building workshops with participants from mnemonic AS, a Norwegian Managed Security Services Provider. We found that incident reporting is a crucial component in creating information security awareness among information system users. Our research indicates that increasing incident reporting rates does not necessarily mean poor security, but rather that the organisation is becoming more security aware, and, arguably, less exposed to information security risks. However, in an organisation with poor awareness, it is possible that incident reporting rates and risk increase simultaneously. Analogous results are known about industrial safety reporting systems and the risk of organisational accidents.