View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by AIS Electronic Library (AISeL) Association for Information Systems AIS Electronic Library (AISeL) AMCIS 2012 Proceedings Proceedings Information Security Management: A System Dynamics Approach Derek Nazareth University of Wisconsin Milwaukee, Milwaukee, WI, United States., [email protected] Jae Choi Computer Information Systems, Alabama State University, Montgomery, AL, United States., [email protected] Follow this and additional works at: http://aisel.aisnet.org/amcis2012 Recommended Citation Nazareth, Derek and Choi, Jae, "Information Security Management: A System Dynamics Approach" (2012). AMCIS 2012 Proceedings. 3. http://aisel.aisnet.org/amcis2012/proceedings/ISSecurity/3 This material is brought to you by the Americas Conference on Information Systems (AMCIS) at AIS Electronic Library (AISeL). It has been accepted for inclusion in AMCIS 2012 Proceedings by an authorized administrator of AIS Electronic Library (AISeL). For more information, please contact [email protected]. Nazareth et. al. Information Security Management Information Security Management: A System Dynamics Approach Derek L. Nazareth Jae Choi University of Wisconsin-Milwaukee Alabama State University [email protected] [email protected] ABSTRACT Managing security for information assets presents a challenging task. The need for effective information security management assumes greater importance with growing reliance on distributed systems and Internet-accessible systems. Many factors play a role in determining the vulnerability of information assets to security threats. Using a system dynamics approach, this study evaluates information security management strategies from a financial and asset loss perspective, with a view to providing managers guidance for information security decisions. Keywords information security, security management, simulation, system dynamics INTRODUCTION Recent surveys indicate that information security has become a key issue in the IT industry (Richardson 2011). As security incidents continue to increase in frequency and sophistication (Johnston and Warkentin 2010), it is not surprising that almost all IT trade publications now include a security-related section and several new publications dedicated to IT security have emerged (Cremonini and Martini 2005). Published statistics indicate almost all organizations have made some preventive efforts in areas of firewalls and antivirus programs, and many larger firms have ongoing projects aimed at protecting their assets from internal and external security threats. However, in a number of cases, increases in information security investment are driven by knee-jerk reactions to new perceived risks rather than by pragmatic cost-benefit analyses of solutions (Cremonini and Martini 2005). In addition, many cost-benefit analysis models do not factor in qualitative or nonfinancial criteria, which remain a significant aspect of information security (Bodin et al. 2005). One of the more pressing issues that security managers face is the selection of appropriate security management strategies. Given the wide variety of security threats that need to be countered, managers need to consider a portfolio of counter strategies, each with different costs and potential benefits. The business value derived by an organization from investment in information security is determined by multiple factors, including security expenditure, the magnitude of any damage sustained and averted, the loss of reputation, perceived attractiveness for follow-up targets, among others. It has been suggested that the business value associated with security investment is coupled with the preferred level of security which varies depending upon a variety of internal and external factors. The inability to effectively assess the consequences of decisions about information security investments in an a-priori manner leaves security managers to speculate if the decisions made were the appropriate ones. A model that captures the complexities of the security decision while permitting a systematic exploration of alternative security options would serve as an invaluable aid to security managers. Using the design science research methodology (Hevner et al. 2004), this paper develops a dynamic model that allows security managers to examine the effects of alternative security decisions on the organization’s information assets. The model can be adapted and calibrated for different organization contexts. The rest of the paper is organized as follows. The theoretical background that serves as the foundation for building the model of information security management is presented in the next section. A dynamic model of the mechanics underlying the impact of security attacks and their financial implications is assembled and presented thereafter. The model is used to examine the implications of alternative security investment strategies. Research and managerial implications of the simulations round out the paper. THEORETICAL BACKGROUND Security in the information systems area has been a topic of interest for a while, with studies dating back to the early nineties (Straub 1990, Baskerville 1993). A number of aspects of security have been studied, including external attacks, internal Proceedings of the Eighteenth Americas Conference on Information Systems, Seattle, Washington, August 9-11, 2012. 1 Nazareth et. al. Information Security Management abuse, password security, among others. Despite the importance of the topic, there are comparatively few published studies. Some of this may reflect the reluctance of organizations to reveal information about their security procedures, and hence elect to not participate in security studies (Kotulic & Clark 2004). Even the latest CSI study, which surveys security personnel, has indicated a drop in the number of responses and the response rate when compared to prior studies (Richardson 2011). With the greater urgency associated with effective security, mainstream journals have devoted special issues to it, and a host of security oriented journals have emerged. A number of meta-analyses of research in information security have emerged (Baskerville 1993, Dhillon and Backhouse 2011, Siponen 2005, Sunyaev et. al. 2009), calling for a more holistic approach to addressing information security issues. They identify areas needed additional research, including the economics of information security. Though economists have studied the interplay between economics and security for a considerable period, it is only recently that research on the economic aspects of information system security has gained more attention. One stream of research is devoted to economic modeling of security investments using a net present value approach, examining optimal expenditure levels (Gordon and Loeb 2006), risk management (Hoo 2000), and bypass rate of security technologies (Arora et al. 2004). A different stream uses classic economic analysis, adopting the utility maximization principle to derive optimal investment levels of a firm under a limited number of constraining conditions (Gordon and Loeb 2002b, Huang et al. 2005). Yet other approaches utilize the principle of equating marginal financial benefits of information security to the marginal financial costs of such security (Gordon and Loeb 2002a). These research efforts typically adopt a quantitative approach to the security problem. However, a major aspect of security relates to qualitative and non-functional criteria. In an effort to include these, some researchers have employed the analytic hierarchy process (AHP) to combine quantitative and qualitative criteria (Bodin and Epstein 1999, Bodin and Gass 2003). These studies typically adopt a static view of the information security problem. In actuality, information security is a complex system of many closely and circularly coupled variables. It involves people, organizational factors, technology, tasks, and the working environment (Carayon and Kraemer 2002, Smith and Carayon-Sainfort 1999). In addition, the security management system often involves multiple controls, including technical controls, formal controls, and informal controls (Dhillon 2001). Technical controls refer to mechanisms that protect the system from incidents or attacks. Formal controls represent business structures and processes that ensure the correct general conduct of business and reduce the probability of an incident or an attack. Informal controls address the culture, value and belief system of the organization. Clearly, information system security is not just a matter of implementing technical security mechanisms (Melara et al. 2003). Diverse factors and dynamic relationships among them need to be investigated. The dynamic aspects of information security can be captured through simulation studies. Several simulations options are available for understanding the dynamic aspects of information security, including discrete event simulation, continuous simulation, system dynamics, and agent-based simulation, among others. Discrete event simulation models the phenomenon at the individual transaction level, in this case at the level of individual attacks, and provides security managers with the ability to examine the efficacy of different security strategies under a variety of attacks within a specified period. Continuous simulation deals with dynamic systems that are amenable to description via differential equations, and is less applicable as a viable technique given the discrete