A System Dynamics Model of Information Security Investments

Information security management has become an increasingly serious and high-stakes challenge for organizations, due to growing reliance on the Internet as the business platform, the intrinsic vulnerability of Internet technologies, and the increasing value of information stored in information systems. Because of the complex nature and the large number of closely coupled variables associated with information security problems, sophisticated analytical tools are needed to help decision makers address the management of information security with limited resources. In this paper, we adopt the system dynamics approach to security analysis, with the help of an information security life cycle model. By identifying the causal loop among such variables as the attractiveness of the information target and the total number of attacks, we develop a system dynamics model for analyzing the effect of organizational security investments in the attack stage of the information security life cycle. Using this model, we simulate a number of security management scenarios and demonstrate the feasibility and validity of the system dynamics approach. The model presented in this paper is adaptive, and its parameters and relationships can be calibrated with empirical data for further refinement and customization for specific situations in real-world organizations.
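The abstract describes a causal loop linking the attractiveness of an information target, the volume of attacks it draws, and the security investment that dampens both. To make the system dynamics idea concrete, the following is an added illustration written for this page, not the paper's model: a toy stock-and-flow simulation integrated with Euler steps. The stocks (protection level, cumulative attacks, successes, loss and spend), the functional forms of the two loops, and every coefficient in `Params` are constructed assumptions chosen only so the loops are visible; the paper's own relationships would have to be calibrated from empirical data as the abstract states.

```python
# Added illustration: a toy stock-and-flow (system dynamics) model of security
# investment versus attack volume. Structure, functional forms and every
# coefficient are constructed assumptions, NOT the paper's calibrated model.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Params:
    info_value: float = 100.0        # value of the protected information (arbitrary units)
    attack_coeff: float = 0.05       # attacks per step per unit of attractiveness
    invest_per_step: float = 0.0     # security spend per simulation step
    protection_gain: float = 0.02    # protection added per unit spent
    protection_decay: float = 0.05   # fraction of protection eroded per step (new exploits, drift)
    success_feedback: float = 0.5    # how strongly past successful attacks raise attractiveness
    loss_fraction: float = 0.01      # share of info_value lost per successful attack


@dataclass
class State:
    protection: float = 0.0   # stock in [0, 1]: fraction of attacks blocked
    cum_attacks: float = 0.0  # stock: attacks launched so far
    cum_success: float = 0.0  # stock: attacks that got through
    cum_loss: float = 0.0     # stock: accumulated loss from successful attacks
    cum_spend: float = 0.0    # stock: accumulated security spend


def attractiveness(p: Params, s: State) -> float:
    """Balancing loop: higher protection lowers attractiveness.
    Reinforcing loop: a history of successful attacks raises it."""
    hit_ratio = s.cum_success / (1.0 + s.cum_attacks)
    return p.info_value * (1.0 - s.protection) * (1.0 + p.success_feedback * hit_ratio)


def step(p: Params, s: State, dt: float = 1.0) -> State:
    """One Euler integration step: flows computed from the current stocks."""
    attacks = p.attack_coeff * attractiveness(p, s) * dt
    success = attacks * (1.0 - s.protection)
    loss = success * p.info_value * p.loss_fraction
    spend = p.invest_per_step * dt
    d_protection = (p.protection_gain * p.invest_per_step
                    - p.protection_decay * s.protection) * dt
    protection = min(1.0, max(0.0, s.protection + d_protection))  # keep the stock in [0, 1]
    return State(
        protection=protection,
        cum_attacks=s.cum_attacks + attacks,
        cum_success=s.cum_success + success,
        cum_loss=s.cum_loss + loss,
        cum_spend=s.cum_spend + spend,
    )


def simulate(p: Params, steps: int = 60) -> list[State]:
    """Run the model from an unprotected start and return the state after each step."""
    s = State()
    history: list[State] = []
    for _ in range(steps):
        s = step(p, s)
        history.append(s)
    return history


def total_cost(p: Params, steps: int = 60) -> float:
    """Loss plus spend at the end of the horizon: the quantity a decision maker
    would compare across investment scenarios."""
    last = simulate(p, steps)[-1]
    return last.cum_loss + last.cum_spend


def compare_scenarios(levels, steps: int = 60) -> dict[float, float]:
    """Total cost for several per-step investment levels (hypothetical scenario sweep)."""
    return {lvl: total_cost(Params(invest_per_step=lvl), steps) for lvl in levels}


if __name__ == "__main__":
    for lvl, cost in compare_scenarios([0.0, 1.0, 2.0, 5.0]).items():
        print(f"invest/step={lvl:4.1f}  total cost={cost:8.1f}")
```

Running the scenario sweep shows the shape of the trade-off the paper studies: with no investment the reinforcing loop keeps pulling attacks in, while heavy investment saturates the protection stock and shifts cost from loss to spend. The interesting question, which only calibrated parameters can answer, is where between those extremes the total cost is lowest.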
