A System Dynamics Model of Information Security Investments

Information security management has become an increasingly serious and high-stake challenge to organizations, due to growing reliance on the Internet as the business platform, the intrinsic vulnerability of Internet technologies, and the increasing value of information stored in information systems. Because of the complex nature and the large number of closely coupled variables associated with information security problems, sophisticated analytical tools are needed to help decision makers to address the management of information security with limited resources. In this paper, we adopt the system dynamics approach to security analysis, with the help of an information security life cycle model. By identifying the causal loop among such variables as the attractiveness of information target and the total number of attacks, we develop a system dynamics model for analyzing the effect of organizational security investments in the attack stage of the information security life cycle. Using this model, we simulate a number of security management scenarios and demonstrate the feasibility and validity of the system dynamics approach. The model presented in this paper is adaptive, and its parameters and relationships can be calibrated with empirical data for further refinement and customization for specific situations in real world organizations.