Matthieu Petrigh University of Portsmouth Institute of Criminal Justice Studies May 2016 Dissertation submitted in partial fulfilment for the requirement of the BSc (Hons) Security and Risk Management degree


Matthieu Petrigh

University of Portsmouth

Institute of Criminal Justice Studies

May 2016

Dissertation submitted in partial fulfilment for the

requirement of the BSc (Hons) Security and Risk

Management degree


BSc Security and Risk Management - Dissertation

Institute of Criminal Justice Studies

BSc (Hons) Security and Risk Management Degree

Dissertation submitted as partial requirement for the award of BSc (Hons) Security and Risk Management Degree.

Title: Examining the case for the compulsory reporting of security failure in UK.

Submitted by: Matthieu Petrigh

Declaration: I confirm that, except where indicated through the proper use of citations and references, this is my own original work. I confirm that, subject to final approval by the Board of Examiners of the Institute of Criminal Justice Studies, a copy of this Dissertation may be placed upon the shelves of the library of the University of Portsmouth and may be circulated as required.

Signed:

Date: 12 March 2016

May 2016 ii


Acknowledgements

This dissertation has been one year in the making. Over time, I have been helped along the way by many and I would like to take this opportunity to mention a few of them. First, I would like to thank Professor Mark Button, who has been a constant source of support, advice and inspiration and who has provided me with extensive and invaluable comments on drafts of this dissertation. I am also grateful to our course leader, Doctor Alison Wakefield, who has been an immutable source of encouragement and motivation and who has stimulated the core ideas behind this dissertation. Thirdly, I would like to thank all those who participated in my research study; without their contributions, this dissertation would not have been possible. The staff of the Institute of Criminal Justice Studies have been formidable and I also wanted to thank them all. Finally, I would like to thank my wife Jurgita for her unconditional love and support; our daughter Kotryna for having been a source of motivation; our parents for their constant encouragement; and our Father, for His mercifulness.


Abstract

Security is an important issue. It is a matter of potential organisational collapse, a road either to perpetuity or to ruin. Despite such assertions, however, it must be acknowledged that security all too often fails. This dissertation focuses on improving the understanding of the concept and causes of security failures and on assessing the opinions of various security managers towards a hypothetical strategic means of minimising such incidences: the compulsory reporting of security failures in the UK. A mixed-methods approach has been chosen for this study. Surveys were distributed to 2344 research subjects, semi-structured interviews were conducted with twelve selected individuals, and an in-depth review of the existing literature on the topics of security failure, safety failure, human error, security management and risk management was carried out. This research produced a number of key findings: that there is no agreed definition of the term ‘security failure’; that organisations tend to analyse security failure in a subjective way, either proactively or retrospectively; that the structuring of security failure can be patterned and articulated around three common features, namely causal factors, shaping processes and consequentiality; that organisations do not necessarily follow the latest academic developments in terms of failure prevention; that the way organisations learn from security failures is rather active and mostly experiential and cognitive; and that organisations seem to support the idea that the reporting of security failures in the UK should be compulsory.

The main conclusions drawn from this research were that current approaches to tackling the problem of security failures are deficient because they fail to embrace a holistic approach to failure prevention, instead opting for an outdated and narrow view of it, and that further research should be conducted in order to examine in depth the potential of making the reporting of security failures in the UK a compulsory activity. The research argues for a holistic model of doing security, adapted from the work of Button (2008), to reduce the incidence of security failures: one that takes into account human errors, technology malfunction, failure analysis, benefactors’ reliability and proactive learning. It also argues that more research should be conducted in order to ascertain the need for, and utility of, the compulsory reporting of security failures in the UK.

Keywords: security failure, analysis, learning, prevention, concept.


Table of Contents

Acknowledgements…………………………………………………………. ……….iii

Abstract………………………………………………………………………. ……….iv

Table of Contents……………………………………………………………. ………..v

List of Appendices…………………………………………………………… ………vii

List of Tables…………………………………………………………………. .……..viii

List of Figures……………………………………………………………….. ……….ix

Chapter 1: Introduction…………………………………………………….. ……….1

Background………………………………………………………………… …….…1

Research focus……………………………………………………………. ……….2

Research overall aim and individual research objectives…………….. ……….3

Value of this research…………………………………………………….. …….…3

Outline of chapters……………………………………………………….. ….……4

Chapter 2: Literature Review……………………………………………… …….…5

Introduction………………………………………………………………… ….……5

Search strategy…………………………………………………………… …….…5

Defining security failure………………………………………………….. ….……6

Analysing security failure…………………………………………………. …….…8

Explaining and tackling security failure…………………..…………….. ……..12

Learning from security failure……………………..…………………….. …..…16

Literature review conclusions……………………………………………. ……..18

Chapter 3: Research Methods…………………………………………….. …..…19

Introduction………………………………………………………………… …..…19

Research strategy………………………………………………………… ……..19

Survey strategy and data collection.……………………………………. …..…20

Survey design………….………………………………………………….. …..…24

Interview strategy and data collection………………………………….. ……..25

Research methods caveats and areas for improvement…………….. …..…28


Chapter 4: Findings and Discussions…………………………………….. …..…29

How organisations are understanding the term security failure?..….. …..…29

How organisations are analysing security failures?…………….…….. …..…30

How organisations are tackling security failures?…………..………… …..…35

How organisations are learning from security failures?……..……….. …..…38

What organisations are thinking about the compulsory reporting of security failures in UK?……………………………….………………….. ……..41

Chapter 5: Conclusions……………………………………………………. …..…46

Research objectives: summary of findings, conclusions, recommendations…………………………………………………………. …..…46

Self-reflection……………………………………………………………… …..…50

References………………………………………………………………….. …..…51


Appendices…………………………………………………………………. ……..60

Appendix 1: Literature review search method…………………………. ……..60

Search topics……………………………………………………………. …..…60

Key authors……………………………………………………………… …..…60

Key words and search terms………………………………………….. ……..61

Bibliographic databases……………………………………………….. ……..62

Academic journals………………………………………………………. ……..62

Websites and organisations…………………………………………… …..…62

Appendix 2: Invitations to participate to the research study………….. …..…63

Appendix 3: Research survey questions……..………………………… …..…67

Appendix 4: Research survey sample population…..…………………. …..…75

Appendix 5: Interviews questions……………..………………………… …..…77

Appendix 6: Interviews sample population…………………………….. …..…80

Appendix 7: Transcript analysis template………………………………. ……..81

Appendix 8: Quality controls…………………………………………….. …..…82

Appendix 9: Expanded version of Table 1………….………………….. …..…83

Appendix 10: Outline of research methods and timescales………….. …..…87

Appendix 11: Framework for data analysis…………………………….. ……..88

Appendix 12: Centre for Security Failures Studies……………………. …..…89


List of Tables

Table 1: Means for analysing security failure…………………………….. …..…10

Table 2: How security fails………………………………………………….. …..…13

Table 3: Justification for expanding Button’s model…………………….. .……..15

Table 4: Learning from security failures………………………………….. ….…..17

Table 5: LinkedIn members………………………………………………… …..…21

Table 6: Survey questions………………………………………………….. …..…25

Table 7: Selection criteria for the interviews of unknown individuals….. …..…26

Table 8: Interviews given…………………………………………………… …..…27

Table 9: Question 1………………..………………………………………… …..…29

Table 10: Question 2………………………………………………………… …..…30

Table 11: Question 3………………………………………………………… …..…31

Table 12: Question 4……………………………………………..…………. …..…33

Table 13: Question 5………………………………………………………… …..…35

Table 14: Question 6…………………………………………………….….. …..…38

Table 15: Question 7…………………………………………………….….. …..…39

Table 16: Question 8………………………..………………………………. …..…41

Table 17: Question 9………………………………………………………… …..…41

In Appendices

Table 18: Survey population by industry sectors………………………… ……..75

Table 19: Survey population by years of experience……………………. …..…76

Table 20: Survey population by seniority level…………………………… …..…76

Table 21: Survey population by company size…………………………… ……..76

Table 22: Interview population by industry sectors………………………. …..…80

Table 23: Interview population by seniority level………………………… …..…80

Table 24: Interview population by company size………………………… …..…80

Table 25: Research study timescales……..………………………………. …..…87


List of Figures

Figure 1: Strategic approach to security failure prevention…………….. …..…14

Figure 2: Pros……………………………………………………………….. …..…42

Figure 3: Cons……………………………………………………………….. ……..43

In Appendices

Figure 4: Data analysis process…………………………………………… …..…88


Chapter 1: Introduction

Background

Security is an important issue (Button, 2008). It is a matter of potential organisational collapse (Borodzicz, 2005), a road either to perpetuity or to ruin. Hence, it is a subject of enquiry which can on no account be neglected (Gill, 2006; 2014; Talbot and Jakeman, 2009). Despite such assertions, however, it must be acknowledged that security all too often fails (Speight, 2012; PKF, 2015; PWC, 2015). Relevant to this are the second Highgrove security breach, where two people successfully penetrated the grounds of a house owned by Prince Charles (BBC, 2007), and the cyber-security breach affecting TalkTalk Telecom Group Plc, during which the personal and banking details of up to four million customers are thought to have been accessed (BBC, 2015). Security fails for a plethora of reasons, among which direct causes can be distinguished from indirect ones.

Direct causes would recognise security failure as the direct result of human errors, whether mistakes or skill-based slips (Reason, 1991; 1997); process and design flaws, such as inadequate security policies (Button, 2008, p52), non-implementation of converged security within organisations (Aleem, Wakefield and Button, 2013) or unstructured security governance (Zedner, 2009); or technical product failure, such as when a CCTV system fails to operate due to a technical problem. On the other hand, indirect causes would recognise security failure as the indirect consequence of broad socio-political processes. Among them could be identified the weakness of security industry regulation (George and Button, 2000; Button, 2002); a lack of professionalism among security practitioners (Wakefield, 2014b); organisational complexity (LaPorte, 1995; Dekker, 2011; Wakefield, 2014a); the influence of pressure toward cost-effectiveness (Rasmussen and Svedung, 2000, p14); or, as argued by Clark (2004), technological advancement.

Influencing both direct and indirect causes of security failure would perhaps be uncertainty and unpredictability (Taleb, 2007), both having a long history in shaping human destiny (Bernstein, 1996). Arguably, uncertainty and unpredictability are the essence of risk.


It is to reflect this prevailing shift of security management towards security risk management that academics and researchers have developed new models aiming to further reduce both the likelihood and the impact of security failures. Among them could be identified the Enterprise Risk Management Integrated Framework (COSO, 2004), BSI/ISO 31000 (BSI, 2010) and the model developed by Button (2008, p224). It is justifiably on the latter that the focus of this research will be placed because, contrary to the previous ones, the very idea of ‘learning from failures’ is omnipresent in it, and because it is believed that learning from security failure represents the foundation of security.

Research focus

On that basis of understanding, it is here argued that an organisation able to learn from security failures (whether its own or otherwise) would improve both its security effectiveness and its continuity. This view is reflected in the works of LaPorte (1991), Toft and Reynolds (2005) and Borodzicz (2005), but on the topics of disaster and crisis management rather than security. Crudely speaking, there is but a scarce body of literature relating to the topic of ‘learning from security failure’. The works of Button (2008) and Speight (2012) are perhaps the only exceptions. Conversely, much more research has been done in the Health and Safety sector. One example of this is the RIDDOR 2013, or Reporting of Injuries, Diseases and Dangerous Occurrences Regulations. In essence, by regulating the statutory obligation for organisations to report deaths, injuries, diseases and "dangerous occurrences", including near misses taking place at work or in connection with work, the RIDDOR allows organisations to learn from their safety failures and thereafter reduce their risk exposure. It is not evident that organisations have thought about implementing such a thing to learn from security failures, nor that they are actually willing and able to learn effectively from their own security failures and those of others.


Research overall aim and individual research objectives

The overall aim of this study is both to improve the understanding of the concept and causes of security failure, and to assess the opinions of various third parties with regard to a hypothetical strategic means of minimising such incidences: the compulsory reporting of security failures. However, in order to better comprehend the concept of security failure, it is felt necessary to gain an insight into how organisations are actually learning from security failures and to explore some of the means allowing their analysis and prevention. The following objectives have been identified as being of paramount importance in helping to achieve the aforementioned aim:

• Clarification of what is meant by the term security failure.

• Exploration of the means allowing security failures analysis.

• Explanation of both security failures and the ways to tackle them.

• Critical assessment of the ways organisations learn from security failures.

In turn, two main research vehicles will be exploited to facilitate this study: an in-depth review of relevant literature and the collection and analysis of empirical data.

Value of this research

This research study is important for a number of reasons. Firstly, the literature review provides a coherent perspective on a subject area that is receiving scant attention from academics and produces a deeper intellectual understanding of the topic. It also casts some light on a possible strategic means which could support organisations to better address their security problems and on various means which could probably allow certain organisations to critically review the ways they are doing security.

Secondly, the importance of this empirical research in the field of security failure becomes self-evident when the point made by Button (2008, p225) is taken into consideration: ‘security failures are under-researched’.


Outline of chapters

The core of this research study is grounded on Chapter 2, which represents an in-depth review of the existing literature on the subjects of security and safety failure in general terms, but most specifically around the themes of failure analysis; organisational learning; and the means currently deployed by organisations in order to reduce both likelihood and impact of security failure. It critically assesses the knowledge available in order to both direct the empirical research and achieve the four individual research objectives having shaped this study.

Chapter 3 outlines the various research methods used during this exercise together with their respective strategies, and explains why a mixed-methods approach has been chosen and how the research has been shaped. It also discusses the caveats discovered during this research, seeking areas for improvement so as to perhaps do better in subsequent research studies.

Chapter 4 presents, analyses and describes the findings of this empirical research study. It also diligently compares those results against the actual state of knowledge found during the literature review.

Chapter 5 summarises the findings of this research study and outlines five high-level recommendations.


Chapter 2: Literature Review

Introduction

This literature review will examine and critically assess the state of knowledge relative to the conceptual understanding of security failure. Most importantly, it will, in turn, address the four objectives of this research study. First, the term security failure will be defined. Next, the exploration of various means allowing the analysis of security failures will form the basis of the second section. Then, the abstract structuring of security failure will be explained, altogether with the preventative means associated to it. Finally, the ways organisations are learning from security failure will be assessed.

Search strategy

Due to the scarcity of literature focusing on the topic of security failure, it was decided to review the literature related to it. A macro-level understanding of the field under consideration then dictated the review of the following fields of study: security, safety, disaster, human factors, risk, psychology, criminology and complex systems. In order to ascertain the relevance of the selected literature, two sorts of searches were carried out, namely (i) generalist and concept-focused and (ii) technically focused. In turn, searches were articulated around the four themes of this study, namely (iii) defining security failure, (iv) analysing it, (v) tackling it and (vi) learning from it. Initially, a few textbooks written by prominent scholars were selected in each field, read, and the references contained therein scrutinised. Should the latter be relevant, they would be added to the literature review incrementally. This process then repeated itself with each new resource selected until a good understanding of the topic under consideration was achieved. This is a traditional literature review, albeit approached systematically. The literature search method is outlined in Appendix 1.


Defining security failures

To begin with, and in order to better grasp the term security failure, it is important to comprehend what is actually meant by security and then to consider its lack of success or dysfunction as being what might be termed a security failure. It is also important to note that the term security failure, and likewise the term security, will be defined differently from place to place and person to person, and will also vary both in scope and definition depending upon specific viewpoints, conceptualisations and experiences. An example of this is the definition of security presented by Zedner (2003), which appears rather broad in itself, and the one given by Manunta and Manunta (2006), which antagonistically appears rather narrow.

According to Zedner (2003, p55), security is a dual concept. It encompasses both a state of being (ie: something is secure) and a means to that end (ie: things are done to secure something). In turn, she argued (ibid), something would be ‘security’ if and only if (a) threat is not, (b) it is protected from threat and (c) it avoids threat. With that in mind, a security failure would be if and only if (d) threat is, (e) it is unprotected from threat and (f) it is not avoiding threat. Zedner also recognised security as being subjective (ibid). To that end, something would be ‘security’ if and only if (g) it is felt as being as such and (h) it is not insecure in essence. In that respect, a security failure would be if and only if (i) it is felt as being as such and (j) it is insecure in essence.

Although relevant to comprehending what is meant by security, such an abstract and broad definition of the term seems problematic, at least for the security practitioner, since it omits a few variables inherent to the functional understanding of security. This has been partly addressed by Manunta and Manunta (2006, p641), where they recognised security (S) as being the function (f) of the presence and interaction of a threat (T), a given asset (A), a protector (P) and other structuring variables, what they call a situation (Si). In turn, they argued (ibid), security could perhaps be understood as follows:

S = f (A, P, T) Si


This definition is interesting because it encapsulates the concept of a security system, whose function is primarily about protecting assets against intelligent actors (as opposed to a safety system, concerned with protecting against non-intelligent agents such as fire, water, wind, bacteria and viruses). To that end, a security system unable to protect an asset would be understood as a security failure, principally because of its dysfunction and lack of success in achieving its main purpose. Arguably then, it could be extrapolated that:

Sf = f (A, T) Si

Where Sf is security failure; f the function of; A an asset; T a threat; and Si any given situation.

However original, such a definition of the term security appears to be problematic too, mainly because it fails to address the causality and consequentiality relative to security failure. In turn, this has been justifiably addressed by Button (2008, p29), where he recognised that ‘Security failure enables an act that breaches what the security system is designed to prevent’ (emphasis added). Consequently, such a view encapsulates the idea that security failures are but consequences, or indeed the resultants, of complex chains of events (Reason, 1997) which converge towards failure. For example, because of multiple factors, a security guard was sleeping while on duty in a factory and, because the back door of the building was left open, a thief came in and stole an asset. Arguably, it could be hypothesised that if and only if N1, N2, …, Nn, then Sf; that is:

Sf ↔ ∑_T (N1, N2, …, Nn)

Where N1, N2 and Nn are the events converging to the security failure Sf; ↔ the biconditional logical connective if and only if; ∑ the sum of; and T the pseudo-constant time.

This definition is interesting because it evidences the rationale behind security failure analysis, theme that the next section will indeed explore, and also subtracts the perceptual variable threat, putting rather the focus upon factual events, thereby causality and consequentiality. In that respect, security failure could be prevented if and only if specific events are prevented to occur.
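Reading the ∑ above as a conjunction (an assumption made here, since the text treats the events as jointly required) and holding T fixed, the chain-of-events definition can be set out as an added formalisation that is not part of the dissertation, using the symbols defined above:

$$S_f \leftrightarrow \bigwedge_{i=1}^{n} N_i$$

Negating both sides of the biconditional gives

$$\lnot S_f \leftrightarrow \bigvee_{i=1}^{n} \lnot N_i$$

On this reading, the failure is averted precisely when at least one event in the chain does not occur: in the factory example, stopping either the guard sleeping (N1) or the back door being left open (N2) is enough on its own, which is what the prevention claim in the paragraph above amounts to.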



Nevertheless, and as the above has demonstrated, the definition of security failure is subject to much debate and controversy. Central to this assertion is perhaps the idea that security, in essence, is neither objective nor quantifiable (Wood and Shearing, 2007, cited in Button, 2008, p3) and that indeed it fails all the time (Button, 2008, p29). Indeed, the term security failure appears to be all too often misinterpreted. For instance, some authors would understand it as a security breach, therefore emphasising the act which breaches the security system, whereas others would understand it as a security incident, therefore emphasising the consequence of the act which breached the security system. This practice creates confusion and misunderstanding as to what the issue actually is and which form of response should address it. To that end, security and security failure should not necessarily be dissociated because, after all, they are but one concept. Security is a risk in itself, being subject to uncertainty (security is or is not), likelihood (when it is and when it is not) and consequence (what results from either state).

Analysing security failures

By exploring the literature surrounding the topic of security failure, notably the works of Lam (2003), Borodzicz (2005), Toft and Reynolds (2005), Briggs and Edwards (2006), Graham and Kaye (2006), Gill (2006; 2014), Pettinger (2007), Talbot and Jakeman (2009), Carrel (2010), Hopkin (2010), Boyle (2012) and Speight (2012), two broad categories of analysis became apparent, namely (a) proactive analysis and (b) retrospective analysis. Recognising that security will fail at some point in time, the former aims to assess the likelihood and consequences related to security failure in order to better control the future behaviour of a security-enabled environment. To that end, when a proactive analysis is made, security is, and is calculated to remain so. This sort of analysis is prevalent in the field of risk management and is now applied in most business practices. On the other hand, retrospective analysis examines security failure once it has manifested and thereby investigates the past. In that respect, when a retrospective analysis is made, security could be but was not. In turn, this sort of analysis prevails in the fields of security management and of disaster, recovery and accident management.


Either kind of analysis can be of two types, namely (c) objective analysis and (d) subjective analysis. Objective analysis is formal, scientific and quantitative in approach. Antagonistically, subjective analysis tends to involve value judgement and heuristics and is therefore pseudo-scientific and qualitative in approach. Both types of analysis have advantages and inconveniences. They serve different security objectives and allow the analysis of different security problems. Nonetheless, it must be acknowledged that they are complementary.

Further reviewing the literature, notably the works of Garcia (2006, 2006b, 2008), reveals that either kind of analysis can be shaped by three sorts of logical reasoning, namely (e) inductive reasoning, (f) deductive reasoning and (g) abductive reasoning. In inductive reasoning, the truth of the conclusions relative to the failure analysis is merely a probability based upon the evidence given (Copi, Cohen and Flage, 2007). It uses a bottom-up approach in which risks are identified at the beginning of the analysis (Garcia, 2006, p518). For example, given the proposition that ‘if a security failure is true then X, Y and Z are true’, inductive reasoning would suggest that, given that X, Y and Z are observed to be true, security failure should be true too. On the other hand, deductive reasoning links premises with conclusions in order to ascertain that the latter are true (Eysenck and Keane, 2015, p595). To that end, risks are identified as a result of a systematic deductive top-down approach. Considering the previous proposition, deductive reasoning would suggest that because security failure is true, X, Y and Z are therefore true too. Lastly, abductive reasoning is a process of deriving logical conclusions from premises known or assumed to be true (often via theorisation), ideally seeking to find the simplest and most likely explanation(s) of security failure (Tavory and Timmermans, 2014). To that end, abductive reasoning is a heuristic that eases the cognitive load of making a decision. Examples of such reasoning include using a rule of thumb, an educated guess or an intuitive judgement based upon an observation of patterns.

To help make sense of the above, Table 1 outlines some of the means identified as relating to security failure analysis. This list is non-exhaustive and further references can be found in Appendix 9.

Table 1: Means for analysing security failure

Means Name | Description | Type | Reasoning | Thematic | Reference

Adversary sequence diagram and path analysis | Analysing the potential adversary path to an asset | Proactive; Qualitative; Quantitative | Deductive | Security | Garcia (2006, p521; 2006b, pp259-73; 2008, p264)

Scenario analysis | Analysing vulnerabilities in a security system | Proactive; Qualitative | Inductive | Security | Garcia (2006, p521; 2006b, pp274-8)

Neutralisation analysis | Analysing the probable effectiveness of a response against different attack scenarios | Proactive; Qualitative; Quantitative | Inductive | Security | Garcia (2006b, p265)

Response story board | Analysing the time it will take a response force to fully engage with an adversary and what tactics are appropriate at the different stages of the attack and response | Proactive; Qualitative | Inductive; Abductive | Security | Garcia (2006b, p266)

Security risk analysis | Analysing vulnerabilities in a security system, threats and assets’ criticality | Proactive; Qualitative; Quantitative | Inductive; Abductive | Security; Risk | Norman (2010); Talbot and Jakeman (2009, pp141-7); Speight (2012, pp62-71)

Risk bow-tie | Analysing potential causes, control measures, recovery measures and potential consequences | Proactive; Qualitative; Quantitative | Inductive; Abductive | Security; Risk | Talbot and Jakeman (2009, pp158-66)

Threat and vulnerability assessment | Analysing threats against assets’ vulnerabilities | Proactive; Qualitative | Inductive; Abductive | Security; Risk | Talbot and Jakeman (2009, pp286-88)

Conjunction of criminal opportunities | Analysing the immediate causes of criminal events | Proactive; Qualitative | Inductive; Abductive | Criminology | Ekblom (2014, pp503-6)

Cascading decision tree | Analysing employees’ security decision-making process | Proactive; Qualitative | Deductive | Security | Kirschenbaum (2014, p557)

Failure mode and effect analysis (FMEA) | Analysing the various ways a process may fail and determining the effect of different failure modes | Proactive; Qualitative; Quantitative | Deductive | Disaster | Stamatis (1995)

Reliability block diagrams (RBD) | Analysing how component reliability contributes to the success or failure of a complex system | Proactive; Quantitative | Deductive | Disaster | Labib (2014, pp20, 69, 79, 90, 102, 132)

Schematic report analysis diagram | Analysing the different chains of events built up during an incident’s incubation period | Retrospective; Qualitative | Deductive | Disaster | Toft and Reynolds (2005, pp52-63)

Cause and effect diagram | Analysing the possible causes related to specific symptoms of poor security performance | Retrospective; Qualitative | Inductive | Security | Beck, Bilby and Chapman (2005, pp206-7)

Five whys | Analysing the underlying causes of security problems | Retrospective; Qualitative | Deductive | Security | Beck, Bilby and Chapman (2005, pp207-8)

Fault tree analysis (FTA) | Analysing the relationship between a system and the failure of the components of that system | Retrospective; Qualitative; Quantitative | Deductive | Security; Disaster | Button (2008, p130); Labib (2014, pp20, 69, 79, 90, 102, 132)

Swiss cheese analysis | Analysing security barrier failures and their causality | Retrospective; Qualitative | Inductive; Abductive | Security; Human factors | Reason (1990; 1997, pp9-20); Talbot and Jakeman (2009, pp157-9)

As this section has demonstrated, a number of means of analysing security failure exist. Each of them has advantages and disadvantages.

Explaining and tackling security failures

Having defined the term security failure and explored the ways in which it can be analysed, this section of the literature review will first explain the structuring of security failure, that is the consequentiality and causality related to it, and then the various strategic means allowing security failure prevention. In that respect, two questions will be answered, namely (a) how does security fail? and (b) how can security be prevented from failing?

How security fails

A security failure, like a criminal act or any other event, does not occur randomly, spontaneously or uniformly in time and space. Its construction follows a set of distinctive patterns (aka failure script or chain of correlated events) and its substance is conditioned by various converging but distinct causal factors (ie: individual, organisational, technological and socio-political – see Borodzicz, 2005; Button, 2008) over a certain period of time (ie: incubation phase, precipitation, event – see Toft and Reynolds, 2005). For example, security can fail because a security guard is sleeping while on duty (script element one, individual factor, incubation phase element one), thus allowing a malefactor to break in (precipitation, script element two) through a door left open due to staff complacency towards security (script element three, organisational factor, incubation phase element two) and steal an asset (script element four, event phase). It can also fail because a CCTV camera is faulty (technological factor), thus preventing the camera operator from detecting a crime in progress, or because of the weakness of the security industry regulation (socio-political factor – see George and Button, 2000; Button, 2002, 2007), which could, for example, allow criminals to run a security company and infiltrate legitimate businesses in order to carry out their activities.

Furthermore, it will be noted that any security failure script element can be shaped by the consequences emerging from four sorts of process, namely (c) intentional acts, (d) unintentional acts, (e) inaction and (f) malfunction. By intentional acts are to be understood acts which purposefully serve a given security or security failure objective, for example when a security guard decides to follow, or not to follow, a security procedure. These kinds of acts can be either legitimate or criminal. This will depend upon what the frame of reference and objective of the act are. For instance, a security guard deciding not to follow a security procedure in order to steal an asset would be considered an intentional criminal act, whereas an employee purposefully bypassing a security protocol in order to become more efficient and productive at work would be an intentional legitimate act. On the other hand, unintentional acts are, as their name suggests, acts which are not done on purpose and are committed either by inadvertence or error. Such erroneous acts can be due either to mistakes or to skill-based slips and lapses (Reason, 1997, p72; 2008). In that sense, the case of a security guard who forgets to close the back door of a warehouse, thus allowing a thief to come in and steal an asset, would be considered an unintentional act caused by a lapse of memory, for example due to stress, tiredness or lack of focus. Thirdly, the inaction of an employee or security personnel can also lead to security failure (BBC, 2013). This is what could be termed being complacent vis-à-vis security. For example, a security manager who, feeling satisfied with the relative performance of the security system s/he manages, does ‘nothing’ or not much to improve it could be considered a case of security complacency. Finally, by malfunction is to be understood the failure of a piece of security equipment to function normally. As the above has demonstrated, security can fail in many ways. Indeed, sometimes it fails without the incident being noticed. As demonstrated earlier, security failures can either be anticipated (proactive analysis) or remembered (retrospective analysis). Table 2 summarises the findings of the literature review.

Table 2: How security fails

Temporal Qualities | Causal Factors | Shaping Process | Consequentiality
(The last three columns together form the security failure script components.)

Incubation Phase | Individual | Intentional Acts | Noticed

Precipitating Event | Organisational | Unintentional Acts | Unnoticed

Security Failure | Technological | Inaction | Anticipated

Recovery / Learning | Socio-Political | Malfunction | Remembered


How to prevent security from failing

There are many ways of preventing security failures (Gill, 2006, 2014; Button, 2008; Talbot and Jakeman, 2009), and indeed theories abound (Zimring and Hawkins, 1973; Cornish and Clarke, 1986; Wortley and Mazerolle, 2008; Hopkins Burke, 2009; Tilley, 2009). However, because of its relevance to this research study (holistic in approach and including learning from failure in its design), it has been felt important to focus upon the model developed by Button (2008, p224) and thereafter to adapt it so as to include elements addressing the three broad security failure script components. Adapted from Button’s model and grounded on the findings of this literature review, Figure 1 outlines a strategic approach to security failure prevention.

Define the problem
• What needs to be protected?
• What are the risks, their status and consequences?
• Quantify and prioritise risks
• Understand malefactors’ likely tactics
• Understand benefactors’ likely errors
• Understand technical security components’ likely malfunctions

Developing a system tailored to the problem
• Apply metrics
• Analyse security failures
• Develop a converging security system
• Align system to broader strategy
• Apply ROI where appropriate
• Monitoring and evaluating implementation

Strategy should be designed with three dimensions in mind
Third dimension:
• Changing malefactors’ behaviour
• Refocussing the behaviour of malefactors
• Improving benefactors’ reliability
Second and first dimensions:
• Making the security system effective
• Enhancing the human element

Monitor problem and effectiveness of system
• Regular assessment of metrics
• Active and proactive learning
• Tweaking the problem and system
• Minimising security complacency

Figure 1: Strategic approach to security failure prevention


As the above figure reveals, seven elements have been added to the model developed by Button, namely (g) understand benefactors’ likely errors; (h) understand technical security components’ likely malfunctions; (i) analyse security failures; (j) develop a converging security system; (k) minimise security complacency; (l) proactive learning; and (m) improve benefactors’ reliability. In turn, Table 3 explains why these elements should be included in the model.

Table 3: Justification for expanding Button’s Model

Element | Justification | References

Understand benefactors’ likely errors | Insider threat is not only about a benefactor who became a malefactor or a malefactor pretending to be a benefactor. It is also about a benefactor erring in terms of security/safety | Hollnagel (1993); Wise, Hopkin and Stager (1993); Wilpert and Qvale (1993); Reason (1997; 2008)

Understand technical security components’ likely malfunctions | Equipment malfunction can contribute to security system failure | Price (1999); Garcia (2006; 2008); Norman (2010)

Analyse security failures | This is the foundation of learning from security failures | Toft and Reynolds (2005); Stamatis (2014); Labib (2014)

Develop a converging security system | Silo thinking is not compatible with security | Aleem, Wakefield and Button (2013)

Minimising security complacency | Security complacency is a recurring problem and much effort should be made to minimise its contribution to security failure | BBC (2013); Bunn and Sagan (2014)

Proactive learning | This is the foundation of learning improvement | Flavell (1979)

Improving benefactors’ reliability | Should be part of any security strategy so as to mitigate the risk of human error, and likewise system failure | Hollnagel (1993); Wise, Hopkin and Stager (1993); Wilpert and Qvale (1993); Reason (1997; 2008)


This section has explained the causality, shaping processes and consequentiality relative to the structuring of security failures. It has also explained how such incidents might be better prevented from manifesting. This has been done by complementing the model developed by Button (2008) with relevant safety-related features and by increasing the focus upon security failure analysis and learning, the latter being the theme of the next section.

Learning from security failures

Learning is a process seeking to improve organisational behaviour (Argyris and Schon, 1998; Revans, 1980; Wenger, 1998) via deliberate efforts of adaptation in the face of uncertainty (Rousseau, 1991, originally 1762). To this end, it could be argued that learning is about self-preservation. Consequently, and according to Toft and Reynolds (2005), Borodzicz (2005) and Button (2008), learning from security failure appears of vital importance to the organisation, because it represents the foundation of security. There are four broad ways of learning from security failures in general terms, namely (a) cognitive learning (see Riding and Rayner, 1998; Myers-Briggs and McCaulley, 1985), (b) behaviourist learning (see Pavlov, 1927), (c) experiential learning (see Kolb, 1984) and (d) meta-cognition (see Flavell, 1979). Cognitive learning is concerned with the development of problem-solving abilities and conscious thought. For example, an organisation learns from security failures because it has decided to do so. According to Button (2008, p138), such a learning process can take place either by (e) cross-organisational isomorphism, where similar organisations learn from one another’s experience, (f) common mode isomorphism, where organisations belonging to different sectors learn from one another’s failures because they share common techniques, materials and procedures, or (g) self-isomorphism, where an organisation learns from security failure via its constituents. Cognitive learning is an active and thereby planned learning process. Behaviourism is concerned with the development of new behaviours in response to external stimuli. An example of this would be an organisation adapting its security behaviour temporarily following a security failure, without analysing the failure itself, according to specific conditions based upon feelings. This is an unplanned and passive learning process to the extent that it only reacts to environmental conditions. Experiential learning, on the other hand, is a process whereby knowledge is created through the transformation of experience. An example of this would be an organisation learning how to better prevent security failure through its own experience, rather than by merely hearing or reading about others’ experiences. This is what Button terms event isomorphism (2008, p137). Experiential learning is an active process which can be either planned or otherwise. Lastly, meta-cognition is concerned with cognition about cognition, for example when an organisation decides to develop knowledge about when, where and how to use specific learning strategies to better prevent security failures. To this end, it presupposes that an organisation is factually conscious of having learning difficulties with regard to security failure and then decides to engineer a learning process to tackle its own learning deficiencies. In other words, it is about learning to learn. Meta-cognition is proactive and planned. Table 4 summarises the findings of the literature review.

Table 4: Learning from security failures

Type of learning | Nature | Condition | Example

Cognitive | Active | Planned | Cross-organisational, self and common-mode isomorphisms

Behaviourism | Passive | Unplanned | Reactions according to stimuli and environmental conditions

Experiential | Active | Planned & Unplanned | Event isomorphism

Meta-Cognition | Proactive | Planned | Knowing that one has learning difficulties and developing learning strategies to effectively learn from security failures

This section has assessed how organisations learn from security failure in general terms. As mentioned earlier, a precondition to effective learning from failures remains analysis.


Literature review conclusions

The literature review began with the clarification of the term security failure. The fact that much controversy surrounds the latter has been discussed and the reasons for this explained. Next, various means for security failure analysis have been explored. Then, the structuring of security failure has been explained and various strategic means allowing security failure prevention have been outlined. Finally, four broad security failure learning processes have been identified and assessed. The next part of this study will outline the research methods employed during the empirical research.


Chapter 3: Research Methods

Introduction

This empirical research will address the four individual research study objectives and will assess the opinions of various third parties with regard to a hypothetical strategic means of minimising security failure. In turn, this will be done either via online surveys or interviews, also known as the research methods (Bell and Waters, 2014). The extent to which this will be done will vary according to the depth of the answers received from the research participants (Crano, Brewer and Lac, 2014, p280). It will also be noted that the essence of this empirical research lies in the fact that little other empirical research exists and that, therefore, there is almost no secondary data available on the topic. To begin with, three strategic aspects related to this empirical research, together with the data collection processes attached to it, will be examined. How these data will be analysed will then be presented. Next, the caveats and limitations attached to the methods used during this research study will be outlined. Finally, a few areas for possible improvement will be explored.

Research strategy

Researching security failures is a complicated task, mainly because there is scarce information available on the topic and because of the embarrassment security failures could cause to organisations (Button, 2008, p27). On that basis of understanding, a mixed-methods approach seeking both qualitative and quantitative data has been chosen so as to increase the likelihood of research success (Teddlie and Tashakkori, 2003, p14). This reasoning is perhaps contradictory to the position held by Guba (1987, p31), who asserted that a mixed-methods approach is doomed to failure because of the inherent philosophical differences underlying each method used, but it was thought, as argued by Semmens (2011, p60), that such an approach would provide better grounds for data triangulation and research validity. In turn, two fundamental aspects of the research will be noted, namely that (a) the purpose of the surveys was to generalise answers with a certain degree of accuracy and that (b) the aim of the interviews was to obtain an in-depth understanding of any given topic researched. Serving two different purposes, these two distinct research methods are indeed complementary (Tashakkori and Teddlie, 2003). For the purpose of research reliability, it has been decided to follow a systematic method of survey sampling and to reduce bias during interviews (Denscombe, 2003, p267; De Vaus, 2014, p69).

Survey strategy and data collection

Because different perspectives were to be analysed in order to reduce accidental bias (Davies and Francis, 2011, pp102-3), it has been decided to target indiscriminately and randomly 22371 potential research subjects spread across 73 different UK cities. All subjects were security managers working in 22 different industry sectors and their professional experience ranged from less than one year to more than ten years (see Appendix 4 for details). The rationale behind this choice was that such a broad and random selection would better reflect the overall research topic and reduce bias.

For convenience, all subjects have been identified and selected on the professional online networking platform LinkedIn using the keyword search ‘security manager’ together with the name of a preselected UK city, such as London, Portsmouth or Leeds. Furthermore, cities were selected according to their relative population (the larger the better).

Firstly, the total number of potential subjects has been calculated by summing the LinkedIn members of the 73 preselected cities and inviting them to connect and participate, as outlined in Table 5.


Table 5: LinkedIn members

Cat Cities, Towns, Districts Potential Invited Connection Ratio

1 London 2000 540 27.00%

2 Birmingham 732 118 16.12%

3 Leeds 424 49 11.56%

4 Glasgow 487 66 13.55%

5 Sheffield 386 59 15.28%

6 Bradford 152 10 6.58%

7 Liverpool 304 42 13.82%

8 Edinburgh 743 90 12.11%

9 Manchester 744 83 11.16%

10 Bristol 572 26 4.55%

11 Wakefield 142 17 11.97%

12 Cardiff 338 46 13.61%

13 Dudley 88 12 13.64%

14 Wigan 99 7 7.07%

15 Coventry 396 31 7.83%

16 Belfast 362 44 12.15%

17 Leicester 285 20 7.02%

18 Sunderland 45 7 15.56%

19 Doncaster 177 25 14.12%

20 Stockport 251 38 15.14%

21 Nottingham 449 42 9.35%

22 Newcastle-upon-Tyne 330 9 2.73%

23 Kingston-upon-Hull 433 2 0.46%

24 Bolton 113 8 7.08%

24 Walsall 92 3 3.26%

26 Plymouth 183 14 7.65%

27 Stoke-on-Trent 225 19 8.44%


Table 5 continued: LinkedIn members

Cat Cities Potential Invited Connection Ratio

28 Wolverhampton 96 11 11.46%

29 Gloucester 366 36 9.84%

30 Derby 249 20 8.03%

31 Swansea 182 13 7.14%

32 Oldham 106 13 12.26%

33 Aberdeen 189 4 2.12%

34 Southampton 365 16 4.38%

35 Milton Keynes 453 33 7.28%

36 Northampton 370 45 12.16%

37 Portsmouth 480 75 15.63%

38 Warrington 321 32 9.97%

39 Luton 205 22 10.73%

40 York 815 15 1.84%

41 Southend-on-Sea 224 26 11.61%

42 Bath 50 6 12.00%

43 Bournemouth 279 35 12.54%

44 Peterborough 331 25 7.55%

45 Lincoln 7 1 14.29%

46 Chelmsford 357 11 3.08%

47 Brighton 372 2 0.54%

48 Colchester 171 17 9.94%

49 Blackpool 109 10 9.17%

50 Dundee 73 8 10.96%

51 Harrogate 76 9 11.84%

52 Dumfries 12 3 25.00%

53 Rochester 38 38 100.00%

54 Falkirk 99 17 17.17%


Table 5 continued: LinkedIn members

Cat Cities Potential Invited Connection Ratio

55 Reading 1342 61 4.55%

56 Blackburn 3 3 100.00%

57 Oxford 400 36 9.00%

58 Lancaster 75 10 13.33%

59 Newport 134 17 12.69%

60 Canterbury 189 19 10.05%

61 Preston 169 22 13.02%

62 Perth 15 1 6.67%

63 St Albans 180 21 11.67%

64 Cambridge 293 6 2.05%

65 Norwich 206 30 14.56%

66 Guildford 812 76 9.36%

67 Newcastle-under-Lyme 330 9 2.73%

68 Chester 265 17 6.42%

69 Crewe 13 3 23.08%

70 Ipswich 233 3 1.29%

71 Salisbury 174 4 2.30%

72 Slough 423 4 0.95%

73 Exeter 168 32 19.05%

Total 22,371 2,344 12.46%

Then, the sample size required to have a 95% confidence level and a confidence interval of 6% has been calculated using the factorised sample population of 2344 (LinkedIn connections). In that respect, it has been concluded that the required research survey sample size would be 240 subjects (calculated via www.surveysystem.com/sscalc.htm). In order to reduce selection bias, and because the forecasted response rate was 10% (pilot), every single connected LinkedIn member would be systematically invited to participate in the survey. Each selected member would then be contacted by the researcher using LinkedIn’s instant message system. In that respect, they would receive a pre-formatted message (invitation to take part in the research study) containing both a brief about the research and a link to the research survey. The invitation process would then stop as soon as the target number of 240 completed surveys was achieved.
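As an added worked example (not part of the dissertation), the following Python reproduces the sample-size calculation described above for a finite population of 2344 connections at a 95% confidence level and a 6% confidence interval. It assumes the standard formulas used by online calculators of this kind (an infinite-population estimate followed by a finite-population correction), which is an assumption about how the cited website computes its result.

```python
"""Survey sample-size calculation (added example, not the author's code).

Assumes the usual two-step method of online sample-size calculators:
  1. infinite-population estimate  n0 = z^2 * p(1-p) / e^2
  2. finite-population correction   n  = n0 / (1 + (n0 - 1) / N)
with p = 0.5 as the most conservative (largest-variance) assumption.
"""
import math

# z-scores for the confidence levels such calculators commonly offer.
Z_SCORES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def sample_size(population, confidence=0.95, margin=0.06, proportion=0.5):
    """Smallest sample size meeting the requested precision for a finite population."""
    z = Z_SCORES[confidence]
    # Step 1: sample size if the population were infinite.
    n0 = (z ** 2) * proportion * (1 - proportion) / (margin ** 2)
    # Step 2: finite-population correction shrinks n0 towards the population size.
    n = n0 / (1 + (n0 - 1) / population)
    return math.ceil(n)


def margin_of_error(sample, population, confidence=0.95, proportion=0.5):
    """Inverse question: the confidence interval actually achieved by `sample` responses.

    Derived by solving the finite-population correction for n0 and then
    solving n0 = z^2 p(1-p)/e^2 for e.
    """
    z = Z_SCORES[confidence]
    fpc = (population - sample) / (population - 1)
    return z * math.sqrt(proportion * (1 - proportion) / sample * fpc)


def invitations_needed(sample, expected_response_rate):
    """Invitations required to obtain `sample` completed surveys at a given response rate."""
    return math.ceil(sample / expected_response_rate)


if __name__ == "__main__":
    population = 2344          # LinkedIn connections reported above
    n = sample_size(population)
    print(f"required sample: {n}")                                   # 240
    print(f"achieved interval: {margin_of_error(n, population):.4f}")  # just under 0.06
    print(f"invitations at 10% response: {invitations_needed(n, 0.10)}")
```

At the pilot response rate of 10%, 240 completed surveys would call for 2400 invitations, which exceeds the 2344 connections available and is consistent with the decision to invite every connected member.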

Survey design

In order to allow an easy comparison between the literature review findings and those of the survey, the latter has been designed around the five major themes of the former:

• Clarifying the term security failure

• Analysing security failure

• Tackling security failure

• Learning from security failure

• Perspectives on the idea of regulating the reporting of security failure

Because the research was targeting extremely busy professionals, it has been decided to restrict the number of questions to ten and to design the survey so that it could be completed in 5 minutes. On that basis of understanding, nine questions were ‘closed-ended’, allowing a rather quick answer, and one was ‘open-ended’. Table 6 reflects the survey design.


Table 6: Survey questions

Q Theme Type

1 Analysing security failure Closed

2 Analysing security failure Closed

3 Analysing security failure Closed

4 Analysing security failure Closed

5 Tackling security failure Closed

6 Learning from security failure Closed

7 Learning from security failure Closed

8 Perspectives on the topic Closed

9 Perspectives on the topic Closed

10 Perspectives on the topic Open

As Table 6 reveals, a qualitative answer was preferred for the last question, mainly because of its relevance to the understanding of the main barriers related to the idea of regulating the reporting of security failure. As advised by Button (2015, personal communication), survey questions were then designed to be simple to understand and, where necessary, backed up by a definition or explanation of key terms, so as to both reduce the likelihood of survey failure and avoid confusion leading to biased answers.

Interview strategy and data collection

Face-to-face interviews are certainly the gold standard against which other modes of data collection can be compared (De Leeuw and Hox, 2015, p22). However, because of the sensitivity and nature of the topic studied, it has been decided that formal, semi-structured interviews should be conducted in a flexible and convenient way, such as via Skype video call, phone or email, with approachable individuals so as to maximise the likelihood of participation. On that basis of understanding, six persons known to the researcher would initially be solicited to participate in the empirical research and then six others would be contacted via LinkedIn’s message system according to the selection criteria listed in Table 7, which reflects the convenience sampling process.


Table 7: Selection criteria for the interviews of unknown individuals

Cri Selection criteria by order of priority

1 Should be a former student of the University of Portsmouth

2 Should be member of an association for security professionals

3 Should have a Doctorate in security or risk management

4 Should be senior security manager and working for a large organisation

5 Should be senior risk manager and working for a large organisation

6 Should be senior security consultant and working for a large org.

7 Should be senior IT security manager and working for a large org.

8 Should be senior facilities manager and working for a large org.

Against the first criterion, it was thought that former students of the University of Portsmouth would be easier to approach than others. This reasoning follows the principles of familiarity and group cohesiveness as outlined by Forsyth (2010, pp118-22), both of which reduce the risk of distrust. The same reasoning was applied to the second criterion, as the researcher is an active member of the Security Institute. Finally, against criterion three, it was thought that the wisdom acquired during the course of any doctorate should suffice to increase the relevance and quality of the answers received during the interviews.

For convenience, video calls via Skype (www.skype.com/en/) would first be proposed to the participant. Should this be objected to, a more traditional approach would be taken by the researcher, such as proposing a face-to-face interview, an interview over the phone or via email, or any combination of the above. Because of the interview’s semi-structured design, the researcher would use a pre-formatted questionnaire template comprising 42 questions (ten directly extracted from the survey and another 32) and would try to direct the interview so as to have all questions answered. According to the discussion flow, extra questions would be asked of the interviewee and answers written down in a specific section of the questionnaire template (see Appendix 7). During the interview process, both closed-ended and open-ended questions would be asked so as to manage time effectively and obtain rich information where and when necessary.


A typical face-to-face or phone interview would last approximately 45 minutes (± 20%), whereas one conducted via Skype would generally last 30 minutes (± 20%). During online (via LinkedIn) and email interviews, questions would be sent electronically to participants and answers collected over a period of a few days, according to the participant’s availability and willingness to respond. Table 8 summarises the actual sample of interviewees together with the methods used.

Table 8: Interviews given

| Int | Nature | Description of the interviewee | Interview |
|---|---|---|---|
| 1 | Known | Security manager / large organisation | Face to face |
| 2 | Known | Senior security manager / large organisation | Face to face |
| 3 | Known | Senior security manager / large organisation | Face to face |
| 4 | Known | Senior security and peace advisor / large org. | Online / Email |
| 5 | Known | Senior strategic security advisor / SME | Skype |
| 6 | Known | Senior risk management consultant / SME | Skype |
| 7 | Unknown | Senior global risk manager / large organisation | Phone call |
| 8 | Unknown | Director of security operations / SME | Online / Email |
| 9 | Unknown | Senior physical security consultant / SME | Online / Email |
| 10 | Unknown | Senior security advisor / SME | Skype / Email |
| 11 | Unknown | Senior security manager / large organisation | Online / Email |
| 12 | Unknown | Senior security and risk consultant / large org. | Online / Email |


Research methods caveats and areas for improvement

During the planning phase of this empirical research, great efforts were made by the researcher to identify potential caveats which could undermine both its reliability and validity. Common problems, such as those related to the selection of research methods, the definition of the survey sample, survey design, selection bias and lack of documentation, were considered and assessed, and control mechanisms were implemented (see Appendix 8). Nonetheless, during the execution phase of this empirical research, two strategic gaps were identified, namely (a) a pilot project that was too short and (b) an invalid sampling method for the interviews.

Pilot project too short

Pilot projects are a recommended strategic means of achieving research reliability and validity (Bell and Waters, 2014, p167). They allow a researcher to adjust the planning of the empirical study and to structure the operational means related to it. In the context of this small-scale research, a pilot project of two months (June/July 2015) appears to have been insufficient. It is firmly believed that the pilot project should have lasted longer.

Invalid sampling method for interviews

This is perhaps the major flaw in this empirical research, since it undermines one of the two cornerstones of the scientific principles applied to research, namely validity. Convenience sampling of subjects was not the best option for the interviews. In retrospect, a systematic sampling of subjects based on clearly defined selection criteria should have been chosen for this research and quality controls implemented, perhaps by seeking the advice of Professor Button.


Chapter 4: Findings and Discussions

The present chapter synthesises, analyses and describes the findings relating to the 255 completed research surveys (response rate of 10.88%) and to the twelve interviews given. In terms of the survey, the researcher is 95% confident that the answers received from the participants represent the views of the initial sample population of 2344 security managers (± 6% margin of error). In terms of the interviews, their semi-structured format has delivered a substantial quantity of comparable data, allowing the extraction of patterns, relationships and trends.

How do organisations understand the term ‘security failure’?

Survey findings

Table 9: Question 1- How would you understand the term ‘security failure’?

| A | Description of the answer | Resp. | Perc. | Conf. |
|---|---|---|---|---|
| 1 | A security failure is characterised by the lack of success or dysfunction of a security process, system and/or function | 161 | 63.14% | 5.59% |
| 2 | A security failure is characterised by the breach of a security process, system and/or function | 140 | 54.90% | 5.77% |
| 3 | A security failure is characterised by the consequences of a security breach | 67 | 26.27% | 5.10% |
| 4 | None of the above | 2 | 0.78% | N/A |
| 5 | I am not sure | 1 | 0.39% | N/A |
| 6 | Prefer not to say | 0 | 0.00% | N/A |

The findings relating to Question 1 are consistent with those of the literature review and therefore corroborate the idea that the definition of security failure is subject to much debate and controversy, oscillating between a lack of success or dysfunction (63%), a breach (55%), the consequences of a breach (26%), or any combination of these (multiple answers could be given to the question). This lack of definitional homogeneity creates confusion and misunderstanding as to what the issue actually is and which form of response should address it.
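The ‘Conf.’ column of Table 9, and the ± 6% quoted in the chapter introduction, can be reproduced as a 95% margin of error computed with a finite population correction for the stated population of 2344 security managers. The Python below is an added worked example, not part of the dissertation; it assumes a z-value of 1.96 and that answers with fewer than three responses are reported as N/A, as the table does.

```python
"""Reproduce the 'Conf.' (margin of error) column of the survey tables.

Added example, not the dissertation's own code. Assumption: the column is the
95% margin of error of each answer's percentage, using the normal approximation
with a finite population correction for the 2344-strong sample population.
"""
import math

POPULATION = 2344  # initial sample population of security managers (Chapter 4)
Z_95 = 1.96        # two-sided 95% normal quantile (assumption)
MIN_RESPONSES = 3  # assumption: below this the tables report 'N/A'


def margin_for_proportion(p, respondents, population=POPULATION, z=Z_95):
    """95% margin of error, in percentage points, for an observed proportion p
    among `respondents` people drawn without replacement from `population`.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a proportion between 0 and 1")
    if not 0 < respondents <= population:
        raise ValueError("respondents must lie between 1 and the population size")
    standard_error = math.sqrt(p * (1.0 - p) / respondents)
    # Finite population correction: 255 respondents are a sizeable share of 2344,
    # so the uncorrected margin (about 5.9 points) overstates the uncertainty.
    fpc = math.sqrt((population - respondents) / (population - 1))
    return z * standard_error * fpc * 100.0


def margin_of_error(count, respondents, population=POPULATION, z=Z_95):
    """Margin for an answer chosen by `count` respondents, rounded as in the tables.
    Returns None for the small counts the tables show as 'N/A'.
    """
    if not 0 <= count <= respondents:
        raise ValueError("count must lie between 0 and respondents")
    if count < MIN_RESPONSES:
        return None
    return round(margin_for_proportion(count / respondents, respondents, population, z), 2)


def worst_case_margin(respondents, population=POPULATION, z=Z_95):
    """Largest margin any answer can carry (p = 0.5); the chapter quotes this as ± 6%."""
    return margin_for_proportion(0.5, respondents, population, z)


def summarise(answers, respondents, population=POPULATION):
    """Turn (description, count) pairs into rows shaped like the survey tables:
    (description, responses, percentage, margin or None).
    """
    rows = []
    for description, count in answers:
        percentage = round(count / respondents * 100.0, 2)
        rows.append((description, count, percentage,
                     margin_of_error(count, respondents, population)))
    return rows


# Constructed input: Table 9 (Question 1), 255 respondents, answer texts abridged.
TABLE_9 = [
    ("Lack of success or dysfunction", 161),
    ("Breach of a process, system or function", 140),
    ("Consequences of a breach", 67),
    ("None of the above", 2),
    ("I am not sure", 1),
    ("Prefer not to say", 0),
]

if __name__ == "__main__":
    print(f"worst case for n=255: +/-{worst_case_margin(255):.2f} points")
    for description, count, percentage, margin in summarise(TABLE_9, 255):
        shown = "N/A" if margin is None else f"{margin:.2f}%"
        print(f"{description:42s} {count:4d} {percentage:6.2f}% {shown}")
```

Later tables use slightly fewer respondents (for example 254 for Table 11), so their margins must be computed with that question's own response count.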


Interviews findings

Of the twelve interviewees, three-quarters answered that a security failure seemed to be concerned with the lack of success or dysfunction of a security process, system and/or function, whereas the other quarter mentioned that it could be related to a dysfunction, a breach or the consequences of a breach. Such confusion is exemplified by the answer given by Interviewee #4: “Who determines what is a security failure and will the definition be open to interpretation?”. Overall, then, it must be noted that the interview findings are similar to those of the literature review.

How do organisations analyse security failures?

Survey findings

Table 10: Question 2 - Within the organisation you are working for, how are security failures analysed?

| A | Description of the answer | Resp. | Perc. | Conf. |
|---|---|---|---|---|
| 1 | We assess both likelihood and consequence of security failures using scientific means and quantitative tools before it happens | 72 | 28.24% | 5.22% |
| 2 | We assess both likelihood and consequence of security failures using non scientific means and qualitative tools before it happens | 99 | 38.82% | 5.65% |
| 3 | We examine security failures using scientific means and quantitative tools once this manifested | 38 | 14.90% | 4.13% |
| 4 | We examine security failures using non scientific means and qualitative tools once this manifested | 69 | 27.06% | 5.15% |
| 5 | We analyse security failures systematically | 85 | 33.33% | 5.46% |
| 6 | We analyse security failures time to time | 24 | 9.41% | 3.38% |
| 7 | We do not analyse security failures | 10 | 3.92% | 2.25% |
| 8 | I am not sure | 6 | 2.35% | 1.76% |
| 9 | Prefer not to say | 7 | 2.75% | 1.90% |

The findings in Table 10 suggest that the way organisations analyse security failures is more proactive (67%) than retrospective (41%), suggesting that the majority of the organisations surveyed have adopted a risk management philosophy whilst managing their security. It will also be noted that a slight preference towards qualitative analysis (66%), as opposed to quantitative analysis (43%), exists. In turn, this corroborates the literature review findings to the extent that most analytical means found during the review under the theme of ‘security’ were proactive and qualitative in approach (see pp10-1). However, it will be noted that qualitative approaches to analysis have clear limitations, notably in terms of validity and consistency. Furthermore, only one third of those surveyed appear to analyse security failures systematically, perhaps demonstrating a lack of constancy and quality in security failure analysis and certainly revealing gaps within the methodologies and security risk management processes being used.

Table 11: Question 3 - Within the organisation you are working for, are human ‘security related errors’ systematically recorded when they occur and analysed?

| A | Description of the answer | Resp. | Perc. | Conf. |
|---|---|---|---|---|
| 1 | Yes, security related errors are both systematically recorded when they occur and analysed | 163 | 64.17% | 5.56% |
| 2 | No, security related errors are only systematically recorded when they occur | 22 | 8.66% | 3.26% |
| 3 | No, security related errors are only systematically analysed when they occur | 14 | 5.51% | 2.64% |
| 4 | No, security related errors are time to time recorded when they occur and analysed | 15 | 5.91% | 2.73% |
| 5 | No, security related errors are time to time recorded when they occur | 6 | 2.36% | 1.76% |
| 6 | No, security related errors are time to time analysed when they occur | 8 | 3.15% | 2.02% |
| 7 | No | 11 | 4.33% | 2.36% |
| 8 | I am not sure | 7 | 2.76% | 1.90% |
| 9 | Prefer not to say | 8 | 3.15% | 2.02% |

Looking at Table 11 reveals that two-thirds of the respondents systematically record and analyse security related errors, thereby emphasising the analysis of the human factors aspects of security. This also suggests that the management of security is related to that of safety and ergonomics, to the extent that the former cannot be achieved without consideration of the latter.

Interestingly, the literature review demonstrated that such an idea is all too often omitted in the specialist literature on the topic of security management; the work of Talbot and Jakeman (2009) is perhaps the unique exception. Furthermore, when compared to the previous findings, the evidence shows that organisations are more methodical when analysing human errors than when analysing security failures. This could indicate that analysing human errors systematically is easier than analysing security failures in a similar way, or that more methods have been developed for error analysis while methods for security failure analysis are lacking. To some extent, it could be suggested, with reserve and according to the above findings, that human security related errors are not necessarily considered by organisations when analysing security failures.


Table 12: Question 4 - Within the organisation you are working for, are near-miss security incidents systematically recorded when they occur and analysed?

| A | Description of the answer | Resp. | Perc. | Conf. |
|---|---|---|---|---|
| 1 | Yes, near-miss security incidents are systematically recorded when they occur and analysed | 140 | 55.56% | 5.76% |
| 2 | No, near-miss security incidents are only systematically recorded when they occur | 15 | 5.95% | 2.74% |
| 3 | No, near-miss security incidents are only systematically analysed when they occur | 18 | 7.14% | 2.98% |
| 4 | No, near-miss security incidents are time to time recorded when they occur and analysed | 20 | 7.94% | 3.13% |
| 5 | No, near-miss security incidents are time to time recorded when they occur | 10 | 3.97% | 2.26% |
| 6 | No, near-miss security incidents are time to time analysed when they occur | 14 | 5.56% | 2.66% |
| 7 | No | 24 | 9.52% | 3.40% |
| 8 | I am not sure | 7 | 2.78% | 1.90% |
| 9 | Prefer not to say | 4 | 1.59% | 1.45% |

Looking at Table 12 reveals that approximately half of the respondents (56%) systematically record and analyse near-miss security incidents while 10% do not. Similarly to error analysis, it appears that organisations are perhaps more inclined to analyse near-misses systematically than they are to analyse security failures. In turn, this also stresses the idea that near-misses are not necessarily considered when analysing security failures. It is also important to note that around 17% of the respondents record and/or analyse near-misses sporadically, which could indicate that their approach to analysis lacks consistency or that near-miss analysis is subject to specific and predetermined criteria and/or priorities.


Interviews findings

Of the twelve interviewees, half admitted to analysing security failures systematically whereas the other half acknowledged not analysing them at all. Furthermore, analysis could be performed either (a) mentally or (b) by using a security incident report (a form completed following a security incident, answering a few basic questions such as what happened, when, how and what has been done to avoid any potential repeat; in effect a brief narrative of the incident resulting from an investigation). This is exemplified by the answer given by Interviewee #3 when asked whether he was scientifically analysing security failures in order to find their root cause(s): “Yes, I look at it in a logical format: the time of the incident, location, people involved, who done what, for which reasons and so on […] the incident report forms the basis of the analysis.”

Of particular relevance perhaps was the answer received from Interviewee #7, who stated that, because of the present shortcomings in failure analysis and in the context of his ongoing doctorate, he was developing an advanced model for security incident analysis based on business process analysis. However, when asked whether near-misses and human errors were analysed, 83% of the interviewees admitted that they were not. Those analysing them reported doing so mentally and/or by taking notes from time to time. Consequently, it appears that the findings of the literature review are not necessarily corroborated, to the extent that the analytical means used by the interviewees are rather “administrative” (a succinct description of the event or incident without an in-depth analysis) and subjective in approach.


How do organisations tackle security failures?

Survey findings

Table 13: Question 5 - Within the organisation you are working for, which of the following principles are adhered to?

| A | Description of the answer | Resp. | Perc. | Conf. |
|---|---|---|---|---|
| 1 | Learning from security failures is part of our organisation’s security strategy | 188 | 74.02% | 5.08% |
| 2 | The reporting of security failures is promoted across our organisation | 145 | 57.09% | 5.74% |
| 3 | A ‘just’ culture is promoted across our organisation | 95 | 37.40% | 5.61% |
| 4 | Information exchange about security failure is promoted across our organisation | 107 | 42.13% | 5.72% |
| 5 | We exchange data and/or information related to our own security failures with other organisations | 54 | 21.26% | 4.74% |
| 6 | We know what our security risks are, their status and consequences | 122 | 48.03% | 5.79% |
| 7 | We quantify and prioritise our security risks | 137 | 53.94% | 5.78% |
| 8 | We understand malefactors likely tactics | 78 | 30.71% | 5.35% |
| 9 | We understand employees likely errors | 137 | 53.94% | 5.78% |
| 10 | We understand technology likely malfunction | 126 | 49.61% | 5.79% |
| 11 | We apply security metrics where possible | 93 | 36.61% | 5.58% |
| 12 | Our security system is balanced | 54 | 21.26% | 4.74% |
| 13 | We apply ROI | 61 | 24.02% | 4.95% |
| 14 | We regularly assess our security system | 130 | 51.18% | 5.79% |
| 15 | We use a scientific approach or method to analyse security failures | 47 | 18.50% | 4.50% |
| 16 | We minimise complacency towards security | 101 | 39.76% | 5.67% |
| 17 | We follow a converged security approach | 44 | 17.32% | 4.39% |
| 18 | We consider ergonomics whenever possible | 29 | 11.42% | 3.69% |
| 19 | We consider the COSO as model when doing security | 6 | 2.36% | 1.76% |
| 20 | We consider the ISO/BSI 31000 as model when doing security | 39 | 15.35% | 4.18% |
| 21 | None of the above | 9 | 3.54% | 2.14% |
| 22 | I am not sure | 4 | 1.57% | 1.44% |
| 23 | Prefer not to say | 2 | 0.79% | N/A |

The findings presented in Table 13 are consistent with the expanded version of Button’s model depicted earlier (see p14), and thereby with the findings of the literature review, to the extent that organisations appear to support its design in 43% of cases, whether consciously or otherwise. It is also important to note that while 74% of the respondents seem committed at a strategic level to learning from security failures, only 2% consider COSO as a model when doing security. This latter figure perhaps contradicts what Dr Wakefield (2014a) would tend to recommend.

A deeper analysis of the findings against the model reveals that organisations tend to be more engaged in problem monitoring (55% on average; A1, A14 and A16) than in problem definition (47% on average; A6, A7, A8, A9 and A10), and more in problem definition than in solution structuring (29% on average; A2, A3, A4, A5, A11, A12, A13, A15, A17 and A18). This does not mean that organisations are more effective in one domain than another, but rather that perhaps more commitment towards problem definition and solution structuring should be initiated. An example of this is the fact that only 31% of the respondents admit to understanding malefactors’ likely tactics.


Interviews findings

Of the twelve interviewees, all admitted to following risk management principles when tackling security risks. However, approaches to security risk management were varied and did not necessarily follow the expanded version of Button’s model; they were rather adapted from H&S standards or developed in-house. In most cases (60%), risk analyses were not carried out directly by the security managers but in collaboration with a specialist or senior executive employed either by the security company providing the security personnel (such as a consultant or a contracts manager) or by the corporation contracting out its security service (such as a senior facility manager).

Furthermore, surprise penetration tests were organised regularly by 30% of the interviewees so as to reduce the guard force’s complacency and find gaps within the security system. Should a vulnerability be found, recommendations would be given to the security buyer for consideration and security policies eventually adapted. Such an assertion is exemplified by the answer given by Interviewee #1: “When a security failure happens, it is systematically reported to our client’s facility manager and to the security contract manager. Both security manager and contract manager then act as advisors, explaining to our client what went wrong, why it happened, what has been done and so on. We then wait for our client’s approval in terms of implementing a new security procedure or adapting an existing security policy. We propose solutions and they decide.”


How do organisations learn from security failures?

Survey findings

Table 14: Question 6 - How is the organisation you are working for learning from security failures?

| A | Description of the answer | Resp. | Perc. | Conf. |
|---|---|---|---|---|
| 1 | When a security failure happens in our organisation, we analyse it, review what went wrong and adapt our security processes and/or procedures according to our findings | 188 | 74.31% | 5.06% |
| 2 | When a security failure happens in an organisation which is similar to us, we analyse it, review what went wrong and look at what the other organisation is doing to respond to the security failure | 78 | 30.83% | 5.35% |
| 3 | When a security failure happens in any other organisation, we analyse it, review what went wrong and look at what the other organisation is doing to respond to the security failure | 47 | 18.58% | 4.51% |
| 4 | When a security failure happens in our organisation, we immediately react to it without necessarily taking the time to analyse it or adapt our security processes and/or procedures | 38 | 15.02% | 4.14% |
| 5 | We are conscious that we are having some learning difficulties with regards to security failure and we are trying to develop new ways of learning from them | 25 | 9.88% | 3.46% |
| 6 | We listen to the advice of security experts | 93 | 36.76% | 5.59% |
| 7 | We do not learn from security failures | 13 | 5.14% | 2.56% |
| 8 | I am not sure | 7 | 2.77% | 1.90% |
| 9 | Prefer not to say | 7 | 2.77% | 1.90% |

The findings outlined in Table 14 reveal that organisations, when learning from security failures, tend to prefer experiential learning (74%) to cognitive learning (49%), cognitive learning to behaviourist learning (15%), and behaviourist learning to meta-cognition (10%). These also suggest that organisations are mostly engaged in active learning rather than in passive or proactive learning. These figures are consistent with the literature review findings to the extent that the specialist literature on the topic of security risk management remains focused on active learning. Examples of this are the works of Toft and Reynolds (2005), Borodzicz (2005) or Button (2008). Here, it will be argued that much better results, and thereby security failure prevention, could be achieved by organisations if and only if they were more conscious of their learning deficiencies (meta-cognition) and dedicated more resources to proactive learning. Such an assertion has serious implications which will be understood by looking at the next tables, and indeed also requires a shift in mentalities.

Table 15: Question 7 - Is the organisation you are working for sharing data or information about its own security failures with others?

| A | Description of the answer | Resp. | Perc. | Conf. |
|---|---|---|---|---|
| 1 | Yes, we systematically share data or information about our own security failures with other organisations | 31 | 12.30% | 3.81% |
| 2 | Yes, we share time to time data and information about our own security failures with other organisations | 28 | 11.11% | 3.64% |
| 3 | Yes, we share data and information about our own security failures, but only with our partners | 48 | 19.05% | 4.55% |
| 4 | Yes, we share data and information about our own security failures, but only when we have to by legal order | 22 | 8.73% | 3.27% |
| 5 | No | 111 | 44.05% | 5.75% |
| 6 | I am not sure | 23 | 9.13% | 3.34% |
| 7 | Prefer not to say | 8 | 3.17% | 2.03% |

The findings in Table 15 reveal that the majority of the organisations surveyed (51%) admit to sharing their information and/or data about security failures with third parties, while 44% admit not sharing them. This is consistent with the literature review findings to the extent that academics and researchers tend to recommend that organisations share their data on security breaches and incidents with others. Furthermore, it will be noted that data sharing can be either systematic (12%) or sporadic (11%) and that one-fifth of the organisations surveyed tend to prefer sharing data only with their partners. There is strong evidence to suggest that information sharing, when executed intelligently, is a catalyst for organisational learning, security and resilience.

Interviews findings

Of the twelve interviewees, seven stated that the organisations they were working for were learning from their own security failures, whereas three mentioned that they were learning from the security failures committed by others. In most cases learning tended to be both experiential and cognitive: cognitive to the extent that monthly meetings were organised for the very purpose of learning from the experiences of others (problems and solutions were exchanged during those meetings), and experiential to the extent that organisations were primarily learning from their own failures and mistakes. This is best exemplified by the input received from Interviewee #3: “We are always looking to do the things better. This learning is part of a broader policy which has been developed with our clients. Our clients know that we are organising monthly meetings, sharing intelligence and learning from each other mistakes when these happen.”

When asked whether the sharing of information related to security failures with other organisations could facilitate mutual learning and improve security effectiveness, all interviewees agreed with it to some extent, whereas in fact only one interviewee admitted to doing it. This curious reasoning is exemplified by the input received from Interviewee #1: “Yes I agree with this statement, but sharing must be internal. This kind of information is sensitive. Sharing information, threat intelligence and so on is something good because we can better learn. However, I am reluctant to share this kind of information with other organisations.”


What do organisations think about the compulsory reporting of security failures in the UK?

Survey findings

Table 16: Question 8 - ‘Because the RIDDOR allows both organisations and government to learn from health and safety failures, it is something good’. Do you agree with this statement?

| A | Description of the answer | Resp. | Perc. | Conf. |
|---|---|---|---|---|
| 1 | I strongly agree with this statement | 105 | 41.34% | 5.71% |
| 2 | I agree with this statement | 107 | 42.13% | 5.72% |
| 3 | I neither agree nor disagree with this statement | 27 | 10.63% | 3.57% |
| 4 | I disagree with this statement | 4 | 1.57% | 1.44% |
| 5 | I strongly disagree with this statement | 2 | 0.79% | N/A |
| 6 | Prefer not to say | 9 | 3.54% | 2.14% |

The findings outlined in Table 16 reveal that 83% of the organisations surveyed tend to recognise that the RIDDOR is a good thing to the extent that it allows both organisations and government to learn from health and safety failures. In turn, this lends weight to the idea that the compulsory reporting of security failures could also be a good thing. This assumption is tested in the next question.

Table 17: Question 9 - Do you think that something similar to the RIDDOR or to the security breach notification laws should exist to regulate the statutory obligation to report security failures in UK?

| A | Description of the answer | Resp. | Perc. | Conf. |
|---|---|---|---|---|
| 1 | Yes, I think that something similar to the RIDDOR should exist to regulate the statutory obligation to report security failures in UK | 156 | 61.66% | 5.64% |
| 2 | No, I do not think that something similar to the RIDDOR should exist to regulate the statutory obligation to report security failures in UK | 52 | 20.55% | 4.68% |
| 3 | I am not sure | 37 | 14.62% | 4.09% |
| 4 | Prefer not to say | 8 | 3.16% | 2.03% |

The findings outlined in Table 17 reveal that 62% of the organisations surveyed support the idea that the compulsory reporting of security failures in the UK should exist, while 21% disagree. Such findings are rather interesting because they corroborate the study’s rationale and validate its initial assumption. Based on the interpretation of the answers given to the last question of the survey, the pros and cons attached to the very idea of making the reporting of security failures compulsory in the UK will in turn be explored.

Figure 2: Pros

Figure 2 reveals that 30% of the security managers who responded to the last question (N=187) tend to think that the compulsory reporting of security failures in the UK (CRSFUK) could increase organisational learning in general terms. This concerns the principle of leveraging organisational learning through information and/or data exchange. Secondly, 26% of the respondents seem to support the view that the CRSFUK could indeed facilitate security failure analysis. For instance, it “could be used to identify and/or improve best practice and provide a constant method for assessing risk” (Respondent #230) or “National and strategic reporting would allow organisations the ability to plan risk management strategies based around understanding of reported events” (Respondent #224). According to 24% of the respondents, the CRSFUK could also help the United Kingdom and organisations to strengthen their respective security. An example of this is the answer given by Respondent #255 when thinking about the opportunities that the CRSFUK could bring: “To strengthen & develop existing policies, procedures and protocols”. For 13% of the respondents, the CRSFUK could also facilitate benchmarking between similar players, collaboration between organisations in terms of intelligence sharing, and standardisation within the security industry in terms of threat and vulnerability analytics. For example, Respondent #164 recognised that “Collaboration and analytics of common issues would allow us to better identify key issues”. Lastly, 6% of the respondents seem to think that the CRSFUK could improve their reputation and public trust, whereas 1% think that it could facilitate research: “Providing the reporting is conducted professionally, ethically and adeptly, the possibility to have a reliable, robust metric for national security failures cannot be underestimated. There are many opportunities, not least for those involved in the production of mechanisms & tools for the collection of failure data, but also for those who could use this data to design and develop next generation solutions to security problems. Of course the reporting data will also be a significant resource for academic research.” (Respondent #156).

Nonetheless, survey respondents also identified possible drawbacks which should be considered. Figure 3 presents the findings.

Figure 3: Cons

Accordingly, 29% of the respondents think that a lack of compliance (misreporting and/or non-reporting of events), an ill-suited organisational culture and/or weak quality assurance mechanisms could undermine the success of the CRSFUK. This is reflected in part in the answers given by Respondents #156, "It depends very much on the quality and quantity of data that is mandated. A poor or incomplete system will produce unusable data"; #229, "Honest organisations would be at a disadvantage to those who are dishonest not less strict in reporting"; and #190, "Undercutting security firms paying peanuts will be reluctant to be involved as their systems (& staff) are not fit for purpose".

Furthermore, 25% of the respondents hold that poor data control and data security could undermine the CRSFUK by allowing criminals, competitors and other malefactors to access critical data and carry out targeted attacks against organisations. This is reflected in the answers given by Respondents #252, "Alerts potential attackers to be aware of our previous security failures, allowing tactical knowledge"; #215, "Advertises easy targets"; and #177, "Wrong people could access the information and it could be used in a negative way towards the company". According to 20% of the respondents, poor governance of the organisation that would hypothetically be responsible for the CRSFUK and/or poor enforcement of the initiative could undermine the viability of the whole scheme. Examples are the answers given by Respondents #148, "Lack of technical capability from regulator such as the ICO to enforce and assess compliance with proposal", and #96, "No way of policing the adherence to the reporting policy".

Finally, approximately 10% of the respondents hold that the effectiveness of the CRSFUK would likely be compromised by the extra workload it would put upon the companies subject to it and/or by the reputational damage that could result from the public scrutiny of a security breach. Examples are the answers given by Respondents #167, "This could create an enormous amount of bureaucracy for already busy security professionals", and #15, "Bad for company reputation and client perception of an organisation's infallibility".


Interview findings

Of the twelve interviewees, nine were asked whether they would consider the RIDDOR as beneficial for both their organisation and the public. Answers were unanimous: all agreed with the concept. However, when asked whether something similar to the RIDDOR should exist to regulate the compulsory reporting of security failures in the UK, answers were mostly negative (78%, seven of the nine) and the arguments varied. For example, Interviewee #2 explained: "This is a good idea but because companies are already following the ISO 9000 series on quality management and other industry standards such as Investors in People for example, it is not necessary to make the reporting of security failures compulsory. These standards are already allowing organisations to reduce their risk of security failures and to improve their operations. A compulsory reporting of security failures would also be a time consuming exercise for us the security managers and clearly we are already very busy without it. We have to be careful with this." Central to his point of view was therefore that such an exercise would penalise organisations because of the extra workload it could engender, and that alternative means already exist to help organisations reduce their risks.


Chapter 5: Conclusions

Research objectives: summary of findings, conclusions, recommendations

The overall aim of this research was both to improve the understanding of the concept and causes of security failure, and to assess the opinions of various third parties with regard to a hypothetical strategic means of minimising such incidents: the compulsory reporting of security failures. The specific objectives were, in the context of higher education, to:

• Clarify what is meant by the term security failure.
• Explore the means allowing security failure analysis.
• Explain both security failures and the ways to tackle them.
• Critically assess the ways organisations learn from security failures.

This section will revisit the research objectives above, summarise the findings of this research work and offer conclusions and recommendations based on the findings.

Objective 1: Clarification of what is meant by the term security failure

The literature review identified the term security failure as controversial, in that some authors understand it as a security breach, thereby emphasising the act which breaches the security system, whereas others understand it as a security incident, thereby emphasising the consequences of the act which breached the security system. The survey and interview findings corroborated the literature review: there is no consensus as to what the term represents. Such inconsistency was found to create confusion and misunderstanding as to what the issue actually is and which form of response should address it.

On this basis, the key recommendation is that organisations should define the term security failure properly, as they already do for terms such as security risk. This should allow organisations to better understand what the problem truly is and to articulate their responses to it.


Objective 2: Exploration of the means allowing security failure analysis

The literature review identified two broad types of analysis of security failure, namely proactive analysis and retrospective analysis. Proactive analysis tended to be used in security risk management, retrospective analysis in disaster, accident and security management. Analysis was further found to be either objective or subjective, and to follow one of three kinds of reasoning, namely inductive, deductive and abductive. Finally, the literature suggested that human error could be factored into the analysis. The survey findings revealed that organisations analysed security failures more often proactively (67%) than retrospectively (41%), and that they preferred subjective analysis (66%) to objective analysis (43%). The findings also showed that organisations tended to analyse human errors and near-misses systematically, thereby corroborating, to some extent, the literature review. The interview findings revealed that organisations tended to use retrospective and subjective means of security failure analysis, such as 'incident reports'. Contrary to the survey findings, 83% of the interviewees admitted not analysing human error and/or near-misses, thereby contradicting the literature review.

Consequently, the key recommendation is that organisations should use objective, thus scientific, means of failure analysis both retrospectively and proactively, and should factor both human errors and near-misses into that analysis in a systematic way. This should allow organisations to base their reasoning upon facts rather than perceptions, and to better understand the failure script and its structure.

Objective 3: Explanation of security failures and the ways to tackle them

The literature review identified security failures as structured by a set of distinctive patterns (the failure script, or chain of correlated events), whose components were found to be: temporal qualities, causal factors, shaping process and consequentiality. Furthermore, it was found that organisations should ground their security upon an expanded version of the model developed by Button if they want to better tackle security failures. The survey findings revealed that organisations followed the design of the expanded version of Button's model in 43% of the cases (thus corroborating the literature review) and also showed that organisations were more engaged in problem monitoring (55% on average) than in problem definition (47% on average), and least in solution structuring (29% on average). On the other hand, the interview findings showed that organisations were not necessarily following the principles outlined in the expanded version of Button's model, and therefore contradicted the literature review.

On this basis, the key recommendation is that organisations should follow all the principles outlined in the expanded version of Button's model and put more focus on problem definition and solution structuring. This should allow organisations to think holistically while dealing with their security problems and subsequently reduce their risk of security failure.

Objective 4: Critical assessment of the ways organisations are learning from security failures

The literature review identified four broad ways organisations could learn from security failures, namely cognitive learning, behaviourism, experiential learning and meta-cognition. It also found that such learning could be passive, active or proactive in nature, and planned or unplanned in its conditions. The survey findings showed that organisations, when learning from security failures, preferred experiential learning (74%) over cognitive learning (49%), behaviourist learning (15%) and meta-cognition (10%). These figures were consistent with the literature review to the extent that the specialist literature on security risk management remains focused on active learning (experiential and cognitive). The findings also revealed that 51% of the organisations surveyed admitted sharing data/information related to their security failures with third parties, again supporting the literature review. The interview findings revealed that organisations tended to practise experiential and cognitive learning. They also revealed that, although recognising the value of data/information sharing, most organisations (92%) were not sharing their data/information with third parties, which contradicts the literature review.


Consequently, the key recommendation is that organisations should reconsider the ways they learn from security failures, starting by admitting that they have learning deficiencies, thus putting more focus on meta-cognition, and then engaging more in cognitive learning. This should improve their organisational learning capability and, in turn, reduce security failures.

Case for / Case against: what organisations think about the compulsory reporting of security failures in the UK

The survey findings reveal that 62% of the organisations supported the idea that the compulsory reporting of security failures in the UK should materialise, while 21% disagreed with it. According to the findings, it could increase learning (30%), facilitate analysis (26%), strengthen security and public safety (24%) and facilitate benchmarking and collaboration (13%). On the other hand, the findings also revealed that 30% of the respondents were concerned that the CRSFUK could allow criminals, competitors and other malefactors to access critical data and carry out targeted attacks against organisations if the security of the entity collecting and storing the data were weak. The findings also showed that 29% of the respondents regarded organisational culture and lack of compliance as major barriers to such an idea. Finally, 20% of those surveyed believed that shortcomings in governance and enforcement would seriously impair the functioning of the whole scheme. The interview findings, by contrast, revealed that 78% of the participants did not support the idea that the compulsory reporting of security failures in the UK would be a good thing, mainly because of the extra workload it might generate and because alternative preventative means already exist, such as industry standards and best practices.

On this basis, the key recommendation is that more research should be done to determine whether the idea would be more beneficial than problematic. This recommendation should stimulate further research on the topic.


Self-reflection

Although this research has achieved its overall aim of improving the understanding of the concept and causes of security failure, and of assessing the opinions of various third parties with regard to a hypothetical strategic means of minimising such incidents, it is important to acknowledge that the survey sample is not representative of all security managers working in the UK and/or for a UK organisation. Nor is it representative of all parties which could be involved in the broader concept, such as business owners, CEOs, regulators and government officials or representatives. This is a limitation in that the findings of this work cannot be generalised.

Word count: 10979


References

Aleem A. Wakefield A. and Button M. (2013). 'Addressing the weakest link: implementing converged security', Security Journal, 26, pp236-48.

Anselin L. (1995). 'Local indicators of spatial association – LISA', Geographical Analysis, 27:93-115.

Anselin L. Griffiths E. and Tita G. (2013). 'Crime mapping and hot spot analysis' in R. Wortley and L. Mazerolle (ed) Environmental criminology and crime analysis. Oxon: Routledge.

Argyris C. and Schon D.A. (1978). Organizational learning. Reading: Addison Wesley.

BBC News (2007). Second Highgrove security breach. Retrieved 24 October 2015, from http://news.bbc.co.uk/1/hi/england/gloucestershire/6521411.stm

BBC News (2013). Camp Bastion report highlights security 'complacency'. Retrieved 11 November 2014, from http://www.bbc.co.uk/news/uk-24416156

BBC News (2015). Talk Talk cyber-attack: Website hit by 'significant' breach. Retrieved 24 October 2015, from http://www.bbc.co.uk/news/uk-34611857

Beck A. Bilby C. and Chapman P. (2005). 'Tackling shrinkage in the fast moving consumer goods supply chain' in M. Gill (ed) Managing security. Basingstoke: Palgrave Macmillan.

Bell J. and Waters S. (2014). Doing your research project: a guide for first-time researchers. Sixth Edition. Berkshire: Open University Press.

Bernstein P. (1996). Against the gods: the remarkable story of risk. New York: John Wiley and Sons.

Biggam J. (2015). Succeeding with your Masters dissertation: a practical step-by-step handbook. Third Edition. Berkshire: Open University Press.

Borodzicz E. (2005). Risk, crisis and security management. Chichester: John Wiley and Sons.

Boyle T. (2012). Health and safety: risk management. Oxon: Routledge.

Brantingham P.J. and Brantingham P.L. (1984). Patterns in crime. New York: MacMillan.

Brantingham P.J. and Brantingham P.L. (2003). 'Anticipating the displacement of crime using the principles of environmental criminology', Crime Prevention Studies, vol. 16, pp119-48.

Brantingham P.J. and Brantingham P.L. (2013). 'Crime pattern theory' in R. Wortley and L. Mazerolle (ed) Environmental criminology and crime analysis. Oxon: Routledge.

Briggs R. and Edwards C. (2006). The business of resilience: corporate security for the 21st century. London: Demos. Retrieved 27 January 2013, from www.demos.co.uk

British Standards Institution (2010). BS ISO 31000:2009, Risk management principles and guidelines. London: BSI.

Bunn M. and Sagan S.D. (2014). A worst practices guide to insider threats: lessons learned from past mistakes. Massachusetts: American Academy of Arts and Sciences.

Button M. (2002). Private policing. Cullompton: Willan Publishing.

Button M. (2008). Doing security: critical reflections and an agenda for change. Basingstoke: Palgrave Macmillan.

Carrel P. (2010). The handbook of risk management: implementing a postcrisis corporate culture. Chichester: John Wiley and Sons.

Clarke R.V. (1980). 'Situational crime prevention: theory and practice', British Journal of Criminology, 20:136-47.

Clarke R.V. (2004). 'Technology, criminology and crime science', European Journal on Criminal Policy and Research, 10:55-63.

Clarke R.V. (2005). 'Seven misconceptions of situational crime prevention', in N. Tilley (ed) Handbook of crime prevention and community safety. Cullompton: Willan Publishing.

Clarke R.V. and Eck J. (2005). Crime analysis for problem solvers in 60 small steps. Washington: US Department of Justice Office of Community Oriented Policing Services.

Clarke R.V. (2013). 'Situational crime prevention', in R. Wortley and L. Mazerolle (ed) Environmental criminology and crime analysis. Oxon: Routledge.

COSO (2004). Enterprise risk management - integrated framework: executive summary. New York: Committee of Sponsoring Organizations of the Treadway Commission (COSO). Retrieved 27 May 2013, from http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf

Copi I.M. Cohen C. and Flage D. (2007). Essentials of logic. Second Edition. New Jersey: Pearson Education.

Cornish D.B. and Clarke R.V. (1986). The reasoning criminal. New York: Springer-Verlag.

Crano W.D. Brewer M.B. and Lac A. (2015). Principles and methods of social research. Third Edition. Hove: Routledge.

Davies P. and Francis P. (2011). 'Doing criminological research' in P. Davies, P. Francis and V. Jupp (ed) Doing criminological research. Second Edition. London: Sage Publications.

Davies P. Francis P. and Jupp V. (2011) (ed). Doing criminological research. Second Edition. London: Sage Publications.

Dekker S. (2011). Drift into failure: from hunting broken components to understanding complex systems. Farnham: Ashgate Publishing.

De Leeuw E.D. and Hox J.J. (2015). 'Survey mode and mode effects', in U. Engel et al (ed) Improving survey methods: lessons from recent research. Hove: Routledge.

Denscombe M. (2003). The good research guide: for small-scale research projects. Second Edition. Berkshire: McGraw-Hill Professional Publishing.

De Vaus D. (2014). Surveys in social research. Sixth Edition. Oxon: Routledge.

Diggle P. (2014). Statistical analysis of spatial point patterns. Third Edition. Boca Raton: CRC Press.

Duffin M. and Gill M. (2007). Staff dishonesty: a report for Procter and Gamble. Retrieved 23 November 2011, from http://www.perpetuityresearch.com/images/Reports/2007%20Staff%20Dishonesty.pdf

Electric Power Research Institute (1992). SHARP1 – A revised systematic human action reliability procedure. Palo Alto: EPRI. Retrieved 17 September 2013, from http://www.epri.com/abstracts/Pages/ProductAbstract.aspx?ProductId=TR-101711-T2

Ekblom P. (2014). 'Securing the knowledge' in M. Gill (ed) The handbook of security. Second edition. Basingstoke: Palgrave Macmillan.

Engel U. et al (2015) (ed). Improving survey methods: lessons from recent research. Hove: Routledge.

Eysenck M.W. and Keane M.T. (2015). Cognitive psychology: a student's handbook. Seventh Edition. Hove: Psychology Press.

Farrell G. (2006). 'Progress and prospects in the prevention of repeat victimisation', in N. Tilley (ed) Handbook of crime prevention and community safety. Cullompton: Willan Publishing.

Farrell G. and Pease K. (2013). 'Repeat victimisation', in R. Wortley and L. Mazerolle (ed) Environmental criminology and crime analysis. Oxon: Routledge.

Flavell J.H. (1979). 'Metacognition and cognitive monitoring', American Psychologist, 34(10):906-11.

Forsyth D.R. (2010). Group dynamics. Fifth Edition. Wadsworth: Cengage Learning.

Garcia M.L. (2006). Vulnerability assessment of physical protection systems. Burlington: Elsevier Butterworth-Heinemann.

Garcia M.L. (2006b). 'Risk management' in M. Gill (ed) Handbook of security. Basingstoke: Palgrave Macmillan.

Garcia M.L. (2008). The design and evaluation of physical protection systems. Second edition. Burlington: Elsevier Butterworth-Heinemann.

George B. and Button M. (2000). Private security. Basingstoke: Palgrave.

Gill M. (2006) (ed). Handbook of security. Basingstoke: Palgrave Macmillan.

Gill M. (2014) (ed). The handbook of security. Second edition. Basingstoke: Palgrave Macmillan.

Graham J. and Kaye D. (2006). A risk management approach to business continuity: aligning business continuity with corporate governance. Connecticut: Rothstein Associates Publisher.

Guba E.G. (1987). 'What have we learnt about naturalistic evaluation?', Evaluation Practice, 8:22-43.

Hollnagel E. (1993). Human reliability analysis: context and control. London: Academic Press.

Hollnagel E. (2004). Barriers and accident prevention: or how to improve safety by understanding the nature of accidents rather than finding their causes. Aldershot: Ashgate Publishing.

Hopkin P. (2010). Fundamentals of risk management: understanding, evaluating and implementing effective risk management. London: Kogan Page.

Hopkins Burke R. (2009). An introduction to criminological theory. Third edition. Oxon: Routledge.

Kirschenbaum A. (2014). 'The ethnographic approach and security: the case of airports' in M. Gill (ed) The handbook of security. Second edition. Basingstoke: Palgrave Macmillan.

Kolb D.A. (1984). Experiential learning: experience as the source of learning and development. New Jersey: Prentice Hall.

Labib A. (2014). Learning from failures: decision analysis of major disasters. Oxford: Elsevier Butterworth-Heinemann.

Lam J. (2003). Enterprise risk management: from incentives to controls. New Jersey: John Wiley and Sons.

LaPorte T.R. (1975) (ed). Organized social complexity: challenge to politics and policy. New Jersey: Princeton University Press.

LaPorte T.R. (1991). Social responses to large technical systems: control and anticipation. Dordrecht: Kluwer Academic Publishers.

Lund Petersen K. (2014). 'The politics of corporate security and the translation to national security' in K. Walby and R.K. Lippert (ed) Corporate security in the 21st century: theory and practice in international perspective (pp78-94). Basingstoke: Palgrave Macmillan.

Manunta G. and Manunta R. (2006). 'Theorizing about security' in M. Gill (ed) Handbook of security (pp629-57). Basingstoke: Palgrave Macmillan.

Myers-Briggs I. and McCaulley M.H. (1985). Manual: a guide to the development and use of the Myers-Briggs type indicator. California: Consulting Psychologists Press.

National Regulation Commission (2000). Technical basis and implementation guidelines for A Technique for Human Event Analysis (ATHEANA). Washington: US National Regulation Commission. Retrieved 17 September 2013, from http://www.barringer1.com/mil_files/NUREG-1624-cover-ch5.pdf

Norman T.L. (2010). Risk analysis and security countermeasure selection. Boca Raton: CRC Press.

Pavlov I.P. (1927). Conditioned reflexes: an investigation of the physiological activity of the cerebral cortex. London: Oxford University Press.

Pettinger R. (2007). Introduction to management. Fourth edition. Basingstoke: Palgrave Macmillan.

PKF (2015). The financial cost of fraud 2015: what the latest data from around the world shows. Retrieved 24 October 2015, from http://www.pkf.com/media/31640/PKF-The-financial-cost-of-fraud-2015.pdf

Prenzler T. (2012) (ed). Policing and security in practice: challenges and achievements. Basingstoke: Palgrave.

Prenzler T. and Sarre R. (2012). 'Public-private crime prevention partnerships' in T. Prenzler (ed) Policing and security in practice: challenges and achievements (pp149-67). Basingstoke: Palgrave.

Price G. (1999). The interaction between fault tolerance and security. Technical report number 479. University of Cambridge Computer Laboratory.

PWC (2015). 2015 Information security breaches survey. Retrieved 24 October 2015, from http://www.pwc.co.uk/assets/pdf/2015-isbs-technical-report-bluedigital.pdf

Rasmussen J. and Svedung I. (2000). Proactive risk management in a dynamic society. Karlstad: Swedish Rescue Services Agency.

Reason J. (1991). Human error. Cambridge: Cambridge University Press.

Reason J. (1997). Managing the risks of organizational accidents. Farnham: Ashgate Publishing.

Reason J. (2008). The human contribution: unsafe acts, accidents and heroic recoveries. Farnham: Ashgate Publishing.

Revans R.W. (1980). Action learning: new techniques for management. London: Blond and Briggs.

Riding R. and Rayner S. (1998). Cognitive styles and learning strategies: understanding style differences in learning and behaviour. London: David Fulton Publishers.

Rousseau J.J. (1991, originally 1762). The Emile project. Columbia: Columbia University Press.

Semmens N. (2011). 'Methodological approaches to criminological research', in P. Davies, P. Francis and V. Jupp (ed) Doing criminological research. Second Edition. London: Sage Publications.

Shappell S.A. and Wiegmann D.A.(2000). The human factors analysis and classification system – HFACS. Washington: Office of Aviation Medicine, Federal Aviation Administration. Retrieved 17 September 2013 from https://www.nifc.gov/fireInfo/fireInfo_documents/humanfactors_classAnly.pdf

Speight P. (2012). Why security fails: how the academic view of security risk management can be balanced with the realities of operational delivery. Osset: Protection Publications.

Stamatis D.H. (2003). Failure mode effect analysis: FMEA from theory to execution. Second Edition. Milwaukee: American Society for Quality.

Stamatis D.H. (2014). Introduction to risk and failures: tools and methodologies. Boca Raton: CRC Press.

Talbot J. and Jakeman M. (2009). Security risk management: body of knowledge. New Jersey: John Wiley and Sons.

Taleb N.N. (2007). The black swan: the impact of the highly improbable. London: Penguin Books.

Tashakkori A. and Teddlie C. (2003) (ed). Handbook of mixed methods in social and behavioural research. California: Sage Publications.

Tavory I. and Timmersmans S. (2014). Abductive analysis: therorizing qualitative research. London: The University of Chicago Press.

Tilley N. (2009). Handbook of crime prevention and community safety. Cullompton: Willan Publishing.

Toft B. and Reynolds S. (2005). Learning from disasters: a management approach. Third edition. Basingstoke: Palgrave MacMillan.

Tropina T. and Callanan C. (2015). Self- and co- regulation in cybercrime, cybersecurity and national security. London: Springer.

Wakefield A. (2014a). 'Corporate security and enterprise risk management' in Walby K. and Lippert K.R. (ed) Corporate security in the 21st century: theory and practice in international perspective, (pp235-53). Basingstone: Palgrave Macmillan.


Wakefield A. (2014b). 'Where next for the professionalization of security?' in Gill M. (ed) The handbook of security, Second edition, (pp919-35). Basingstoke: Palgrave Macmillan.

Wenger E. (1998). Communities of practice: learning, meaning and identity. New York: Cambridge University Press.

White A. (2010). The politics of private security: regulation, reform and relegitimation. Basingstoke: Palgrave.

Wilpert B. and Qvale T. (1993) (ed). Reliability and safety in hazardous work systems: approaches to analysis and design. Hove: Lawrence Erlbaum Associates.

Wise J.A., Hopkin V.D. and Stager P. (1993) (ed). Verification and validation of complex systems: human factors issues. New York: Springer Verlag.

Wong R. (2013). Data security breaches and privacy in Europe. London: Springer.

Wood J. and Shearing C.D. (2007). Imagining security. Cullompton: Willan.

Wortley R. (2001). ‘A classification of techniques for controlling situational precipitators of crime’, Security Journal, 14(4):63-82.

Wortley R. (2013). 'Situational precipitators of crime', in Wortley R. and Mazerolle L. (ed) Environmental criminology and crime analysis. Oxon: Routledge.

Wortley R. and Mazerolle L. (2011) (ed). Environmental criminology and crime analysis. Oxon: Routledge.

Zedner L. (2003b). 'The concept of security: an agenda for comparative analysis'. Legal studies, 23:153-76.

Zedner L. (2009). Security. New York: Routledge.

Zimring F. and Hawkins G. (1973). Deterrence. Chicago: University of Chicago.


Appendix 1 - Literature review search method

Search topics

1 / Concepts for security.

2 / Methods and tools for security failures, incidents, errors analysis.

3 / Concepts for analysis.

4 / Concepts for reasoning.

5 / Concepts and models for failure prevention and security risk management.

6 / Concepts for organisational learning.

7 / Concepts for regulations as applied to security, cyber-security and safety.

Key authors for security and risk management

Aleem; Borodzicz; Button; Gill; Talbot and Jakeman; Wakefield; Zedner.

Key authors for analysis

Brantingham and Brantingham; Clarke; Farrell and Pease; Ekblom; Garcia; Labib; Norman; Tilley; Toft and Reynolds; Stamatis; Wortley and Mazerolle.

Key authors for human error and safety

Hollnagel; Reason.

Key authors for organisational learning

Argyris and Schon; Button; Myers-Briggs; Kolb; Pavlo; Toft and Reynolds.


Key words and search terms

1 / Security failure.

2 / Security breach.

3 / Security incident.

4 / Security analysis.

5 / Failure analysis.

6 / Error analysis.

7 / Incident analysis.

8 / Crime analysis.

9 / Pattern analysis.

10 / Behaviour analysis.

11 / Failure modelling.

12 / Incident modelling.

13 / Analysis tools.

14 / Analysis techniques.

15 / Analysis methods.

16 / Human error.

17 / Security management.

18 / Risk management.

19 / Incident management.

20 / Disaster management.

21 / Risk assessment.

22 / Security assessment.


Search engines used

1 / Amazon UK search engine.

2 / Google UK custom search engine.

3 / Redlink custom search engine.

Bibliographic databases

1 / Discovery from EBSCO industries.

Academic journals

1 / Security journal from Palgrave.

2 / Risk management from Palgrave.

3 / Crime prevention and community safety from Palgrave.

4 / International journal of disclosure and governance from Palgrave.

5 / Journal of information technology from Palgrave.

6 / Knowledge management research and practice from Palgrave.

Website and organisations

1 / Home Office, research and analysis publications.

2 / Center for Problem-Oriented Policing.

3 / RAND.


Appendix 2 - Invitations to participate to the research study

Interview

Institute of Criminal Justice Studies, University of Portsmouth
St. George's Building, 141 High Street, Portsmouth PO1 2HY
Researcher: Matthieu Petrigh, [email protected], +44(0)7778608653
Research Supervisor: Professor Mark Button, [email protected], +44(0)2392843923
Director of Studies: Dr Alison Wakefield, [email protected], +44(0)2392843942

Invitation to my research study

Study Title: Examining the case for the compulsory reporting of security failure

Dear Sir or Madam,

I would like to invite your Security Manager, or the person in charge of security in your organisation, to take part in my research study.

My name is Matthieu Petrigh and I am a BSc student in Security and Risk Management at the University of Portsmouth. The purpose of this study is to assess the idea of regulating the reporting of security failures and errors in the UK by critically examining key concepts, correlates and trends, and by analysing the opinions of security professionals towards it. Its main aims are to improve the understanding of the concept and causes of security failure, and to assess strategic means of minimising such incidents.

It is my intention to interview participants in order to inform this research. A typical interview will last between 20 and 30 minutes and I will be the only interviewer. The University of Portsmouth and I will cover all the direct costs related to this study. We only ask for some of your Security Manager's time.

Participation in this research study is voluntary and withdrawal is easily facilitated.

Could you please kindly forward this invitation to your Security Manager for consideration and ask him or her to contact me directly by email if interested? That would be greatly appreciated.

My email address is: [email protected]

Alternatively, if you prefer your Security Manager or the person in charge of your security not to be interviewed, you could perhaps consider him or her completing an online survey. If this is the case, please let him or her know about my research and your opinion, and that a survey is available at http://www.petrigh.me/survey/ or https://www.surveymonkey.co.uk/r/5PCXTCW. Participation in the online survey is also entirely voluntary.

Should you have any query, please do not hesitate to contact me.

Best regards,

NB: Please be fully aware of what you are agreeing to your Security Manager undertaking.

Matthieu Petrigh ASyl
BSc Student in Security and Risk Management
University of Portsmouth.


Participant Consent Form

Study Title: Examining the case for the compulsory reporting of security failure

Name of the Researcher: Matthieu Petrigh

Please put your initials in the relevant boxes.

1. I confirm that I have read and understand the information sheet dated 18.06.2015 (version 2.0) for the above study. I have had the opportunity to consider the information, ask questions and have had these answered satisfactorily.

2. I understand that my participation is voluntary and that I am free to withdraw at any time without giving any reasons, up to the point when the data is anonymised and analysed.

3. I understand that data collected during the study might be looked at by individuals from the Institute of Criminal Justice Studies of the University of Portsmouth or from a regulatory authority. I give permission for these individuals to have access to my data.

4. I agree to my interview being audio recorded.


5. I agree to being quoted verbatim.

6. I agree to receive a digital copy of the study report three months prior to its public release scheduled end 2016.

1. My email address is: _____________________________________

7. I agree to take part in the above study.

Name of Participant: Date: Signature:

Name of Person taking consent: Date: Signature:

One copy of this consent form has been given to both the participant and the researcher.


Survey

Dear X, thank you for having accepted my network invitation; that is much appreciated. I hope you are doing well.

I am running a small-scale research study in order to find out whether or not the compulsory reporting of security failure in the UK would be a good thing. This study is sponsored by the Centre for Security Failures Studies (CSFS), an independent UK organisation aiming to assist organisations in minimising their risk of security failure, and by the University of Portsmouth.

I would therefore like you to contribute to this research by completing a short survey of 10 questions (approximately 5-10 minutes). The findings of my research study will then be published on CSFS's website by the end of 2016 for you to consult freely.

I understand you are a very busy security professional and I would like to thank you in advance for your participation.

The survey address is: https://www.surveymonkey.co.uk/r/5PCXTCW

Should you have any question, please contact me directly via LinkedIn or by email at [email protected]

You can also subscribe to SIDE® or Security Insights Delivered through Evidence to receive our latest research findings and relevant information: http://eepurl.com/bJunEz

Best regards,

Matt


Appendix 3 - Research survey questions

Please read carefully what follows before undertaking the survey. 

Name of organisation responsible for data collection: Centre for Security Failures Studies, company registered in England and Wales under the number 09662004. Registered address is 71-75 Shelton Street, Covent Garden, WC2H 9JQ, London, United Kingdom. Website is www.csfssite.wordpress.com

Subjects of data collection: security managers or directors, IT security managers or directors, cyber-security managers or directors, facilities managers or directors in charge of security, security consultants, security analysts, risk managers or directors, health and safety managers or directors in charge of security, security operations managers or directors. All participants must be either working in the UK or for a UK company.

Purpose of data collection: to assess how organisations understand the term 'security failure'; how they analyse security failures; how they tackle security failures; and how they learn from security failures. The data collected will also allow the researcher to examine the case for the compulsory reporting of security failures in the UK. This will be done by taking the opinion of the research participant (you) on a few topics of interest.

Data collection process: data is anonymised and the data collection process follows the principles of the Data Protection Act 1998. The data collected will be kept secure during the whole duration of the research project and then securely destroyed. The Data Protection Registration number of the Centre for Security Failures Studies is ZA154636.

Access to the data collected: the only organisation having access to the data collected is the Centre for Security Failures Studies.

Data collection and survey duration: a total of 10 questions (9 close-ended + 1 open-ended) will have to be answered. It is forecast that 5 to 10 minutes will be necessary for you to complete the research survey; the survey will remain active until the 30th of September 2016, 22h00.

Cost: there is no cost for research participants.

Quality assurance: the whole research project is conducted in accordance with the Market Research Society's code of conduct. Further information can be found on their website www.mrs.org.uk.

Research supervision: the research study is supervised by the University of Portsmouth. The research supervisor is Professor Mark Button and he can be reached at [email protected] or +44(0)2392843923.

Question: should you have any question, please contact Matthieu Petrigh, the Director of the Centre for Security Failures Studies, by email at [email protected] or by phone on 07778608653.

-----------------------

Your participation in the research is voluntary and you can withdraw from the research at any time.

By clicking on 'Next', you confirm having read the above information and agree to voluntarily take part in this research project.


Multiple answers are possible in questions 1, 2, 5, 6 and 7.

1. How would you understand the term 'security failure'?

1 / A security failure is characterised by the lack of success or dysfunction of a security process, system and/or function.

2 / A security failure is characterised by the breach of a security process, system and/or function.

3 / A security failure is characterised by the consequences of a security breach.

4 / None of the above.

5 / I am not sure.

6 / Prefer not to say.

2. Within the organisation you are working for, how are security failures analysed?

1 / We assess both the likelihood and the consequences of security failures using scientific means and quantitative tools before they happen.

2 / We assess both the likelihood and the consequences of security failures using non-scientific means and qualitative tools before they happen.

3 / We examine security failures using scientific means and quantitative tools once they have manifested.

4 / We examine security failures using non-scientific means and qualitative tools once they have manifested.

5 / We analyse security failures systematically.

6 / We analyse security failures from time to time.

7 / We do not analyse security failures.

8 / I am not sure.

9 / Prefer not to say.


3. Human 'security related error' can be defined as the failure of planned 'security actions' to achieve their desired ends, without the intervention of some unforeseeable event. These errors are commonly termed slips, lapses, trips, fumbles or mistakes and can be committed either by security personnel or by an employee. Within the organisation you are working for, are security related errors systematically recorded when they occur and analysed?

1 / Yes, security related errors are both systematically recorded when they occur and analysed.

2 / No, security related errors are only systematically recorded when they occur.

3 / No, security related errors are only systematically analysed when they occur.

4 / No, security related errors are recorded when they occur and analysed from time to time.

5 / No, security related errors are recorded when they occur from time to time.

6 / No, security related errors are analysed when they occur from time to time.

7 / No.

8 / I am not sure.

9 / Prefer not to say.

4. A near-miss security incident can be defined as an unplanned event which did not result in a security failure but which had the potential to do so. Near-miss security incidents often precede security failures and loss-producing events but are largely ignored because nothing (no crime, damage or loss) happened. Within the organisation you are working for, are near-miss security incidents systematically recorded when they occur and analysed?

1 / Yes, near-miss security incidents are both systematically recorded when they occur and analysed.

2 / No, near-miss security incidents are only systematically recorded when they occur.

3 / No, near-miss security incidents are only systematically analysed when they occur.

4 / No, near-miss security incidents are recorded when they occur and analysed from time to time.

5 / No, near-miss security incidents are recorded when they occur from time to time.

6 / No, near-miss security incidents are analysed when they occur from time to time.

7 / No.

8 / I am not sure.

9 / Prefer not to say.

5. Within the organisation you are working for, which of the following principles are adhered to?

1 / Learning from security failures is part of our organisation's security strategy.

2 / The reporting of security failures is promoted across our organisation.

3 / A 'just' culture is promoted across our organisation (we do not systematically blame people when security failures are reported).

4 / Information exchange about security failure is promoted across our organisation.

5 / We exchange data and/or information related to our own security failures with other organisations.

6 / We know what our security risks are, their status and consequences.

7 / We quantify and prioritise our security risks.

8 / We understand malefactors' likely tactics.

9 / We understand employees' likely errors.

10 / We understand technology's likely malfunctions.

11 / We apply security metrics where possible.

12 / Our security system is balanced.

13 / We apply ROI (Return On Investment) where appropriate.

14 / We regularly assess our security metrics.

15 / We regularly test our security system.

16 / We use a scientific approach or method to analyse security failures.

17 / We minimise complacency towards security.

18 / We follow a converged security approach.

19 / We consider ergonomics whenever possible.

20 / We consider the COSO as a model when doing security.

21 / We consider the ISO/BSI 31000 as a model when doing security.

22 / None of the above.

23 / I am not sure.

24 / Prefer not to say.


6. How is the organisation you are working for learning from security failure(s)?

1 / When a security failure happens in our organisation, we analyse it, review what went wrong and adapt our security processes and/or procedures according to our findings.

2 / When a security failure happens in an organisation which is similar to us, we analyse it, review what went wrong and look at what the other organisation is doing to respond to the security failure.

3 / When a security failure happens in any other organisation, we analyse it, review what went wrong and look at what the other organisation is doing to respond to the security failure.

4 / When a security failure happens in our organisation, we immediately react to it without necessarily taking the time to analyse it or adapt our security processes and/or procedures.

5 / We are conscious that we are having some learning difficulties with regards to security failure and we are trying to develop new ways of learning from them.

6 / We listen to the advice of security experts.

7 / We do not learn from security failures.

8 / I am not sure.

9 / Prefer not to say.

7. Is the organisation you are working for sharing data or information about its own security failures with others?

1 / Yes, we systematically share data or information about our own security failures with other organisations.

2 / Yes, we share data and information about our own security failures with other organisations from time to time.

3 / Yes, we share data and information about our own security failures, but only with our partners.

4 / Yes, we share data and information about our own security failures, but only when we have to by legal order.

5 / No.

6 / I am not sure.

7 / Prefer not to say.

8. The RIDDOR or Reporting of Injuries, Diseases and Dangerous Occurrences Regulations is a 2013 Statutory Instrument of the Parliament of the United Kingdom and regulates the statutory obligation to report deaths, injuries, diseases and dangerous occurrences, including near misses, that take place at work or in connection with work. The RIDDOR and the information it generates allow the HSE (Health and Safety Executive) and local government authorities to identify where and how risks arise, and to investigate serious accidents. 'Because the RIDDOR allows both organisations and government to learn from health and safety failures, it is something good.' Do you agree with this statement?

1 / I strongly agree with this statement.

2 / I agree with this statement.

3 / I neither agree nor disagree with this statement.

4 / I disagree with this statement.

5 / I strongly disagree with this statement.

6 / Prefer not to say.

9. Do you think that something similar to the RIDDOR or to the security breach notification laws should exist to regulate the statutory obligation to report security failures in the UK? In that respect, security failures, like injuries, deaths and dangerous occurrences, would have to be compulsorily reported to an official agency, like the HSE, in order to allow the latter to 'learn from security failures'.

1 / Yes, I think that something similar to the RIDDOR should exist to regulate the statutory obligation to report security failures in the UK.

2 / No, I do not think that something similar to the RIDDOR should exist to regulate the statutory obligation to report security failures in the UK.

3 / I am not sure.

4 / Prefer not to say.


10. According to you and in a few words, what could be the weaknesses, pitfalls, opportunities, strengths, issues and threats attached to the very idea of making the reporting of security failures compulsory in the UK?

1 / Weaknesses:

2 / Pitfalls:

3 / Opportunities:

4 / Strengths:

5 / Issues:

6 / Threats:


Appendix 4 - Research survey sample population

Table 18: Survey population by industry sectors

C Industry Sectors Population Perc.

1 Security and investigation 1121 47.82%

2 Information technology 433 18.47%

3 Computer and network 204 8.70%

4 Financial services 95 4.05%

5 Retail 78 3.33%

6 Airlines and aviation 62 2.65%

7 Banking 61 2.60%

8 Management consulting 52 2.22%

9 Defense and space 38 1.62%

10 Hospitality 38 1.62%

11 Health care 28 1.19%

12 Government administration 26 1.11%

13 Logistics 25 1.07%

14 Leisure and travel 22 0.94%

15 Maritime 13 0.55%

16 Research 13 0.55%

17 Higher education 12 0.51%

18 Education management 9 0.38%

19 Civil engineering 6 0.26%

20 Real estate 4 0.17%

21 Machinery 2 0.09%

22 Business supply and equipment 2 0.09%


Table 19: Survey population by years of experience

C Years of experience Population Perc.

1 <1 2 0.09%

2 1 to 2 34 1.45%

3 3 to 5 87 3.71%

4 6 to 10 415 17.70%

5 > 10 1806 77.05%

Table 20: Survey population by seniority level

C Seniority level Population Perc.

1 Manager 1283 54.74%

2 Senior manager 891 38.01%

3 Director 170 7.25%

Table 21: Survey population by company size

C Company size Population Perc.

1 Self-employed 27 1.15%

2 1 to 10 84 3.58%

3 11 to 50 152 6.48%

4 51 to 200 177 7.55%

5 201 to 500 169 7.21%

6 501 to 1000 139 5.93%

7 1001 to 5000 516 22.01%

8 5001 to 10000 212 9.04%

9 more than 10000 868 37.03%


Appendix 5 - Interview questions

Description

1. How would you best describe your organisation?

2. In which sector is your organisation operating?

3. How many employees does your organisation have?

4. What is the value of your organisation's annual sales in £M?

5. How many employees are working in your security department?

6. How would you best describe yourself?

7. What is your education level?

8. Are you a member of a security association?

Definition

1. How would you understand the term security failure?

2. How would you understand the term security breach?

3. How would you understand the term security incident?

Analysis

1. Do you analyse security failures in order to find their root cause(s)? If yes, please explain how. If no, explain why.

2. Do you analyse security related errors in order to find their root cause(s)? If yes, please explain how. If no, explain why.

3. Do you analyse near-miss security incidents in order to find their root cause(s)? If yes, please explain how. If no, explain why.

4. Do you have a reporting system in place for security failures, errors, near-misses? If so, please explain them briefly. If not, please explain why.

5. Do you have a measurement system in place for security failures, errors, near-misses? If so, please explain them briefly. If not, please explain why.

6. Do you analyse security failures before they happen or/and after they manifest? Please explain how.

7. Are you analysing security failures systematically or rather from time to time?

8. Are you analysing security related errors systematically or rather from time to time?


9. Are you analysing near-miss security incidents systematically or rather from time to time?

Tackling

1. Is learning from security failure part of your organisation's security strategy? If yes, how is this translated into operations? If no, please explain why.

2. Are you following a risk management approach to prevent security failure? If yes, please describe succinctly. If no, please explain why.

3. Tell me roughly how your organisation prevents security failures from happening and whether you are following some sort of model, framework and/or standard.

Learning

1. Is your organisation learning from its own security failure(s)?

2. Is your organisation learning from the security failure(s) of others?

3. How is your organisation actually learning from the security failure(s) of others? Please explain briefly.

4. Are these organisations similar to your organisation?

5. If applicable, how do you gather the information related to the security failure(s) having affected the other organisations?

6. Are organisational learning and constant improvement part of your security strategy?

7. Do you review your security system following a security failure in order to understand what went wrong and to improve the former? If yes, please explain how. If not, explain why.

8. What are your main sources of information in terms of security failures?

9. In your organisation, is the personnel analysing and dealing with security failure(s) professionally qualified and/or properly trained? If yes, which qualifications do they hold?

10. Sharing information related to security failure is important, especially in terms of facilitating learning and improving security effectiveness. Do you agree with this statement? If yes, please explain why. If not, please explain why.


11. Is your organisation sharing information related to the security failure(s) it has suffered? If yes, with whom? If no, please explain why.

12. Do you think that your organisation should share relevant information concerning the security failure it suffered with others? Why?

Perspectives

1. The RIDDOR or Reporting of Injuries, Diseases and Dangerous Occurrences Regulations is a 2013 Statutory Instrument of the Parliament of the United Kingdom and regulates the statutory obligation to report deaths, injuries, diseases and dangerous occurrences, including near misses, that take place at work or in connection with work. The RIDDOR and the information it generates allow the HSE (Health and Safety Executive) and local government authorities to identify where and how risks arise, and to investigate serious accidents. Consequently, it could be argued that the RIDDOR allows both organisations and government to learn from 'health and safety failures'. Are you familiar with the RIDDOR?

2. Are you already reporting injuries, diseases and dangerous occurrences to the HSE?

3. What do you think about the RIDDOR?

4. Do you think that something like the RIDDOR should exist for security failures? In that respect, security failures, like injuries, deaths and dangerous occurrences, would have to be systematically reported to an official agency, like the HSE, in order to allow the latter to 'learn from security failures'.

5. Do you think that making the reporting of security failure compulsory will benefit you, others, the UK government?

6. Let's now think about the Weaknesses, Pitfalls, Opportunities, Strengths, Issues and Threats applying to the very idea of making the reporting of security failures compulsory. What could they be?

7. Any better idea than the compulsory reporting of security failures?


Appendix 6 - Interview sample population

Table 22: Interview population by industry sectors

C | Industry sector | Population | Perc.
1 | Security and investigation | 4 | 33.33%
2 | Consulting and research | 6 | 50.00%
3 | Inspection and certification | 1 | 8.33%
4 | Hospitality | 1 | 8.33%

Table 23: Interview population by seniority level

C | Seniority level | Population | Perc.
1 | Manager | 2 | 16.66%
2 | Senior manager | 3 | 25.00%
3 | Senior consultant | 6 | 50.00%
4 | Director | 1 | 8.34%

Table 24: Interview population by company size

C | Company size | Population | Perc.
1 | 1 to 10 | 2 | 16.66%
2 | 51 to 200 | 2 | 16.66%
3 | 201 to 500 | 3 | 25.00%
4 | 1001 to 5000 | 2 | 16.66%
5 | 5001 to 10000 | 2 | 16.66%
6 | more than 10000 | 1 | 8.34%


Appendix 7 - Transcript analysis template

Research subject identifier:

Role:

Organisation:

Industry sector:

Face-to-face | Skype | Email | Phone | LinkedIn

Duration:

Recorded | Trackable

New question to add in subsequent interviews:

Q | Core response | Extra information | Sounds honest

1

2

3

42


Appendix 8 - Quality controls

The whole research project abided by the following guidelines:

1 / Market Research Society code of conduct, accessible at https://www.mrs.org.uk/pdf/code%20of%20conduct%20(2012%20rebrand).pdf

2 / Market Research Society guidelines for online research, accessible at https://www.mrs.org.uk/pdf/2014-09-01%20Online%20Research%20Guidelines.pdf

3 / Market Research Society guidelines for qualitative research, accessible at https://www.mrs.org.uk/pdf/2014-09-01%20Online%20Research%20Guidelines.pdf

4 / Market Research Society guidelines for questionnaire design, accessible at https://www.mrs.org.uk/pdf/2014-09-01%20Questionnaire%20Design%20Guidelines.pdf

5 / Market Research Society responsibilities for interviewers, accessible at https://www.mrs.org.uk/pdf/MRS%20IID%20Card%20Booklet_Web%20version.pdf

6 / British Society of Criminology code of ethics, accessible at http://www.britsoccrim.org/docs/CodeofEthics.pdf

7 / University of Portsmouth guiding principles underpinning research ethics, accessible at http://www.port.ac.uk/research/ethics/

8 / Information Commissioner’s Office data protection eight principles, accessible at https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/


Appendix 9 - Expanded version of Table 1

Table 1: Means for analysing security failure

Means name | Description | Type | Reasoning | Thematic | Reference
Adversary sequence diagram and path analysis | Analysing the potential adversary path to an asset | Proactive; Qualitative, Quantitative | Deductive | Security | Garcia (2006, p521; 2006b, pp259-73; 2008, p264)
Scenario analysis | Analysing vulnerabilities in a security system | Proactive; Qualitative | Inductive | Security | Garcia (2006, p521; 2006b, pp274-8)
Neutralisation analysis | Analysing the probable effectiveness of a response against different attack scenarios | Proactive; Qualitative, Quantitative | Inductive | Security | Garcia (2006b, p265)
Response story board | Analysing the time it will take a response force to fully engage with an adversary and what tactics are appropriate at the different stages of the attack and response | Proactive; Qualitative | Inductive, Abductive | Security | Garcia (2006b, p266)
Security risk analysis | Analysing vulnerabilities in a security system, threats and assets criticality | Proactive; Qualitative, Quantitative | Inductive, Abductive | Security, Risk | Norman (2010); Talbot and Jackeman (2009, pp141-7); Speight (2012, pp62-71)
Risk bow-tie | Analysing potential causes, control measures, recovery measures and potential consequences | Proactive; Qualitative, Quantitative | Inductive, Abductive | Security, Risk | Talbot and Jackeman (2009, pp158-66)
Threat and vulnerability assessment | Analysing threats against assets vulnerabilities | Proactive; Qualitative | Inductive, Abductive | Security, Risk | Talbot and Jackeman (2009, pp286-88)
Conjunction of criminal opportunities | Analysing the immediate causes of criminal events | Proactive; Qualitative | Inductive, Abductive | Criminology | Elkblom (2014, pp503-6)
Cascading decision tree | Analysing employees’ security decision-making process | Proactive; Qualitative | Deductive | Security | Kirschenbaum (2014, p557)
Failure mode and effect analysis (FMEA) | Analysing the various ways a process may fail and determining the effect of different failure modes | Proactive; Qualitative, Quantitative | Deductive | Disaster | Stamatis (1995)
Reliability block diagrams (RBD) | Analysing how component reliability contributes to the success or failure of a complex system | Proactive; Quantitative | Deductive | Disaster | Labib (2014, pp20, 69, 79, 90, 102, 132)
Schematic report analysis diagram | Analysing the different chains of events built up during an incident’s incubation period | Retrospective; Qualitative | Deductive | Disaster | Toft and Reynolds (2005, pp52-63)
Cause and effect diagram | Analysing the possible causes related to specific symptoms of poor security performance | Retrospective; Qualitative | Inductive | Security | Beck, Bilby and Chapman (2005, pp206-7)
Five whys | Analysing the underlying causes of security problems | Retrospective; Qualitative | Deductive | Security | Beck, Bilby and Chapman (2005, pp207-8)
Fault tree analysis (FTA) | Analysing the relationship between a system and the failure of the components of that system | Retrospective; Qualitative, Quantitative | Deductive | Security, Disaster | Button (2008, p130); Labib (2014, pp20, 69, 79, 90, 102, 132)
Swiss cheese analysis | Analysing security barriers failure and causality | Retrospective; Qualitative | Inductive, Abductive | Security, Human factors | Reason (1990; 1997, pp9-20); Talbot and Jackeman (2009, pp157-9)
Maintenance error decision aid (MEDA) | Analysing and investigating maintenance and safety errors | Retrospective; Qualitative | Deductive | Safety, Human factors | Reason (1997, p151)
Tripod-Beta | Analysing an incident in parallel with an event investigation | Retrospective; Qualitative | Inductive | Safety | Reason (1997, pp152-3)
Decision tree | Analysing the culpability of unsafe acts | Retrospective; Qualitative | Deductive | Safety, Human factors | Reason (1997, p209)
Human factor analysis and classification system | Analysing the role of human error in aviation accidents by distinguishing between the "active failures" of unsafe acts, and the "latent failures" of preconditions for unsafe acts, unsafe supervision, and organizational influences | Retrospective; Qualitative, Quantitative | Inductive | Safety, Human factors | Shappell and Wiegmann (2000)
Systematic human action reliability procedure (SHARP) | Analysing human reliability with plant logic model development in a probabilistic risk assessment (PRA), with a special focus on the dependencies that exist between interactions and between human interactions and the specific accident scenario | Retrospective; Qualitative, Quantitative | Inductive | Safety, Human factors | Hollnagel (1993, pp56-9); EPRI (1992)
A technique for human event analysis (ATHEANA) | Analysing and evaluating the probability of human error while performing a specific task | Retrospective, Proactive; Qualitative, Quantitative | Inductive | Safety, Human factors | NRC (2000)
Crime pattern analysis | Analysing complex patterns of crimes in order to provide a cognitive structure for understanding crime events | Proactive, Retrospective; Quantitative, Qualitative | Inductive, Abductive | Criminology | Brantingham and Brantingham (1984; 2003; 2013)
Crime opportunities analysis | Analysing the opportunities relative to the perpetration of a particular type of crime (aka situational causes of crime) | Proactive, Retrospective; Qualitative | Inductive, Abductive | Criminology | Clarke (1980; 2005); Clarke and Eck (2005); Clarke (2013)
Situational precipitators of crime analysis | Analysing the situational precipitators of crimes by focusing on the antecedents of malevolent behaviour | Proactive, Retrospective; Qualitative | Inductive, Abductive | Criminology | Wortley (2001; 2013)
Crime mapping and hotspots analysis | Analysing spatial data and patterns relative to the distribution of crimes (geocoding and geovisualisation) | Proactive; Qualitative, Quantitative | Inductive, Abductive | Criminology | Anselin (1995); Anselin, Griffiths and Tita (2013); Diggle (2014)
Repeat victimisation analysis | Analysing spatial data and patterns relative to the distribution of crime and prospective crime mapping | Proactive; Quantitative, Qualitative | Inductive, Abductive | Criminology | Farrell (2006); Farrell and Pease (2013)
Human error assessment and reduction technique (HEART) | Analysing task types with their associated nominal error probabilities | Retrospective; Quantitative | Deductive | Safety, Human factors | Reason (1997, p142)
Influence diagram approach (IDA) | Analysing the influences existing at various organisational levels upon adverse outcomes | Retrospective, Proactive; Qualitative, Quantitative | Inductive | Safety, Human factors | Reason (1997, p146)
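As an added, constructed example that is not part of the dissertation or of any author it cites, the following Python script shows the quantitative side of two of the means listed above, fault tree analysis and reliability block diagrams. A small fault tree for a layered physical security system (the event names, gate structure and probabilities are all invented for the illustration) is evaluated for its top-event probability, its minimal cut sets, and a ranking of which single control improvement would reduce the top-event probability the most.

```python
"""Fault tree evaluation for a layered security system.

Constructed illustration (not from the dissertation or any cited author) of the
quantitative side of fault tree analysis (FTA): basic events are combined through
AND/OR gates, the top-event probability is computed, and the minimal cut sets
and a 'fix this first' ranking are derived. All probabilities are invented."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BasicEvent:
    name: str
    p: float          # constructed probability of failure on demand


@dataclass(frozen=True)
class Gate:
    kind: str         # "AND" or "OR"
    name: str
    inputs: tuple     # BasicEvent or Gate instances


def build_tree() -> Gate:
    """Constructed fault tree: the intrusion is not interrupted if every
    detection layer misses it OR the response chain fails."""
    detection_fails = Gate("AND", "Intruder not detected", (
        BasicEvent("sensor_misses", 0.05),
        BasicEvent("guard_patrol_misses", 0.20),
    ))
    response_fails = Gate("OR", "Response does not interrupt intruder", (
        BasicEvent("comms_down", 0.01),
        Gate("AND", "Response force arrives too late", (
            BasicEvent("response_force_late", 0.10),
            BasicEvent("delay_barrier_bypassed", 0.50),
        )),
    ))
    return Gate("OR", "Intrusion not interrupted", (detection_fails, response_fails))


def probability(node, overrides: Optional[dict] = None) -> float:
    """Top-event probability assuming independent basic events.
    AND gate: product of inputs. OR gate: 1 - prod(1 - p_i).
    `overrides` maps a basic-event name to a replacement probability, which is
    how the 'what if we fixed X' question below is answered."""
    overrides = overrides or {}
    if isinstance(node, BasicEvent):
        return overrides.get(node.name, node.p)
    ps = [probability(i, overrides) for i in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        survive = 1.0
        for p in ps:
            survive *= 1.0 - p
        return 1.0 - survive
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node) -> list[frozenset]:
    """Smallest combinations of basic events that alone cause the top event.
    OR gates collect their inputs' cut sets; AND gates combine them pairwise;
    any set that contains another set is then absorbed."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    children = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = [s for child in children for s in child]
    else:
        sets = [frozenset()]
        for child in children:
            sets = [s | t for s in sets for t in child]
    unique = set(sets)
    minimal = [s for s in unique if not any(o < s for o in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def rank_fixes(node) -> list[tuple[str, float]]:
    """Risk reduction worth: the top-event probability if a given basic event
    were made perfect (p = 0), lowest first. This ranks where a control
    investment buys the most."""
    names = sorted({e for cs in minimal_cut_sets(node) for e in cs})
    ranked = [(n, probability(node, {n: 0.0})) for n in names]
    return sorted(ranked, key=lambda t: (t[1], t[0]))


if __name__ == "__main__":
    tree = build_tree()
    print(f"P(top event) = {probability(tree):.6f}")
    for cs in minimal_cut_sets(tree):
        print("cut set:", sorted(cs))
    for name, p in rank_fixes(tree):
        print(f"fix {name:<24} -> P(top) = {p:.4f}")
```

The cut sets make the structural point of the table's FTA row visible: a single failure (`comms_down`) defeats the system on its own, whereas the detection layers only fail together, and the ranking shows that in this constructed tree hardening the delay barrier or the response force's timing reduces the top-event probability far more than improving any single detection layer.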


Appendix 10 - Outline of research methods and timescales

Because of the scarcity of information available on the topic and the difficulties inherent in researching security failures, a mixed-methods approach was chosen for this study. On that basis, surveys were distributed to 2344 subjects, semi-structured interviews were conducted with selected individuals, and an in-depth review of the existing literature on the topics of security failure, safety failure, human error, security management and risk management was carried out. Table 25 outlines the research timescales.

Table 25: Research study timescales (1 marks a month in which the activity took place)

Activity | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec | Jan | Feb | Mar | Apr | May
Survey | 0 | 1 | 1 | 0 | 0 | 0 | 1 | 1 | 1 | 0 | 0 | 0 | 0
Interview | 0 | 1 | 1 | 0 | 0 | 0 | 1 | 1 | 1 | 0 | 0 | 0 | 0
Literature | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 0 | 0


Appendix 11 - Framework for data analysis

To help focus the interviews on the four objectives of this research and to ease the analysis of the qualitative data extracted, the interviews were structured according to five themes, identical to those employed in the surveys and the literature review. This allowed the researcher to cross-compare the findings effectively. On that basis, the themes were ‘Clarifying the term security failure’; ‘analysing security failure’; ‘tackling security failure’; ‘learning from failure’; and ‘perspectives on the compulsory reporting of security failure’. Quantitative data collected via the survey were analysed using statistical data analysis software (Numbers).

In terms of data presentation, simple cross-tabulation together with elementary charts such as bar, pie or line charts were used to convey basic statistical information. Figure 4 reflects the data analysis process.

Figure 4: Data analysis process (flowchart; its boxes read: Qualitative and Quantitative Data Process; Collect Data via Survey and Interview; Compare Research Findings against Literature Review; Group Data by Themes; Present and Describe Data; Perform Analysis and Interpret Data)


Appendix 12 - Centre for Security Failures Studies

For the purpose of this research study, a company limited by shares was created and registered in the UK on 29 June 2015.

Registered name: Centre for Security Failures Studies.

Registered office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.

Data protection registration number: ZA154636

Director: Matthieu Petrigh

Website: www.csfssite.wordpress.com
