Dynamics of organizational information security

Dynamics of organizational information security

0.00 Avg rating0 Votes
Article ID: iaor200970525
Country: United Kingdom
Volume: 24
Issue: 3
Start Page Number: 349
End Page Number: 375
Publication Date: May 2008
Journal: Systems Dynamics Review
Authors: ,
Keywords: security
Abstract:

While technology is important, organizational and human factors also play a crucial role in achieving information security. In this paper we develop a system dynamics model of the interplay between technical and behavioral security factors, along with their impact on business value of an organization's IT infrastructure. The model captures delays associated with perception of security risk, the mechanics of user compliance and the mechanics of risk mitigation achieved by investments in security technology and user training. These structural model components interact to mediate the impact of security incidents on the business value generated by information technology enabled transactions. The model reveals the dynamics of erosion in and recovery of business value resulting from security incidents. Experiments with the model suggest that information security drills, analogous to fire drills, may be useful in maintaining user compliance, in addition to usual training and awareness activities. Among the management policy parameters examined, we find that improvement in realized business value is statistically significant for the minimum security risk the firm is willing to accept, and the proportion of security‐related investment spent on security technology versus security training and awareness. We also discuss how our model can be extended to help justify an organization's investments in information security, an objective that has been notoriously difficult to achieve in practice.

Reviews

Required fields are marked *. Your email address will not be published.