论文信息 - Proper Incentives for Proper IT Security Management - A System Dynamics Approach

Proper Incentives for Proper IT Security Management - A System Dynamics Approach

It has been known for many years that security failures are caused at least as often by bad incentives as by bad design. However, the regulatory correction of bad incentives is not easy in practice and it is still lacking. In the meantime, system dynamics models of security systems can improve the situation by increasing the awareness that misaligned incentives can backfire as long-term consequences of security failures hit back the principal. We illustrate our argument using system archetypes and concept simulation models revealing the impact of two different security strategies, viz. misaligned incentives (the customer having the burden of proof in case of alleged fraud) vs the bank having the burden of proof. From this we argue that online system dynamics could be used in eGovernment to educate principals and the public. Also, legal measures could become more effective when supported with forensic evidence from simulation models.

Jose J. Gonzalez | Denis Trcek

[1] George A. Akerlof. The Market for “Lemons”: Quality Uncertainty and the Market Mechanism , 1970 .

[2] John D. W. Morecroft,et al. Strategic Modelling and Business Dynamics: A Feedback Systems Approach , 2007 .

[3] Kenneth Cooper. Naval Ship Production: A Claim Settled and a Framework Built , 1980 .

[4] Tyler Moore,et al. The economics of cybersecurity: Principles and policy options , 2010, Int. J. Crit. Infrastructure Prot..

[5] D. Cabrera,et al. Systems thinking. , 2008, Evaluation and program planning.

[6] David N. Ford,et al. System Dynamics Applied to Project Management: A Survey, Assessment, and Directions for Future Research , 2007, System Dynamics.

[7] Ross J. Anderson. Why cryptosystems fail , 1993, CCS '93.

[8] Kostiantyn Lenchik. The economics of cybersecurity: Boomerang effects from misaligned incentives , 2016 .

[9] George A. Akerlof,et al. The Market for `Lemons , 1970 .

[10] E. F. Wolstenholme,et al. Towards the definition and use of a core set of archetypal structures in system dynamics , 2003 .

[11] Steffen Bayer,et al. Business dynamics: Systems thinking and modeling for a complex world , 2004 .

[12] Fran Ackermann,et al. Modeling for Litigation: Mixing Qualitative and Quantitative Approaches , 1997 .

[13] George P. Richardson,et al. Concept models in group model building , 2013 .