The Root Cause of Data Breaches

Investigating security misconfigurations as the root cause of data breaches

Master thesis (2021)

Authors

S. Kably Technology, Policy and Management

Contributors

T. Fiebig (supervisor 1)
C. Hernandez Ganan Organisation & Governance - TPM (supervisor 1)
Mark de Reuver (coach)
Faculty
Technology, Policy and Management
Copyright: © 2021 Saif-Eddin Kably
Data Breach Security Misconfiguration Root Cause
More Info
expand_more

Published Date

20-07-2021

Language

English

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Faculty

Technology, Policy and Management

Abstract

In the past decade, the world has experienced numerous severe and impactful data breaches, without indications of this development slowing down. Even worse, research has shown data breaches are still waiting to happen. The occurrence of a data breach has consequences for several involved parties and for society in general. It is therefore only natural that there exists a pursuit to prevent data breaches from happening. Research claims that data breaches happen because of simple and preventable errors made by human, also known as security misconfigurations. This study aims to investigate whether the root causes of severe data breaches are frequently related to security misconfigurations, which would make most data breaches preventable. No such structured research had been done before. We conducted a multiple case study, wherein a number of data breaches was analysed based on publicly available case literature. Assessing the data breaches with the help of our developed framework was part of that analysis, resulting in a systematic characterization of each data breach. The results indicate that in breaches the data are mostly subject to unauthorized access by outsiders, which frequently is made possible by poor security. The organizations directly responsible for that data are large organizations which get breached especially in their storage facilities. Next to the organization which got breached, these sizeable data breaches always affect individuals since at least part of the compromised data is about them or linkable to them. Usually this is not even discovered by the breached organization itself and sometimes only after a long period of time. Ultimately, it can be concluded that data are frequently caused by security misconfigurations and therefore are mostly preventable. On this basis, it is recommended that organizations responsible for sensitive data should be more incentivized to thoroughly combat security misconfigurations, instead of treating IT security as only a technical endeavor.