System dynamics modelling to investigate the cost-benefit of cyber security investment

Abstract

Cyber-attacks pose a major modern era threat to organisations that use networks (e.g., corporate networks and the Internet) to facilitate and improve business processes. The complexity of Internet vulnerability and increasing value of information stored in systems, make information security management a high-stake challenge to organizations. The objective of cyber-attacks may be identity theft, espionage, and disrupting operations of critical infrastructure. Defence against cyber-attacks requires substantial investment in cyber security resources. This complex problem with a large number of closely coupled variables associated with information security requires different analytical tools to support decisions on investment strategies. Not being able to effectively assess the consequences of information security investment decisions, leaves managers to speculate on the cost benefit. The assessment model needs to capture the complexities of the security decision while permitting a systematic exploration of alternative security options would serve as an invaluable aid to security managers. System dynamics provide a tool for analysing complex situations. It helps to identify the causal loop amongst the variables of information target attractiveness and total number of attacks to analyse the effect of organizational security investments. The models can be simulated for different security management scenarios.