Information security management has become an increasingly serious and high-stake challenge to organizations, due to growing reliance on the Internet as the business platform, the intrinsic vulnerability of Internet technologies, and the increasing value of information stored in information systems. Because of the complex nature and the large number of closely coupled variables associated with information security problems, sophisticated analytical tools are needed to help decision makers to address the management of information security with limited resources. In this paper, we adopt the system dynamics approach to security analysis, with the help of an information security life cycle model. By identifying the causal loop among such variables as the attractiveness of information target and the total number of attacks, we develop a system dynamics model for analyzing the effect of organizational security investments in the attack stage of the information security life cycle. Using this model, we simulate a number of security management scenarios and demonstrate the feasibility and validity of the system dynamics approach. The model presented in this paper is adaptive, and its parameters and relationships can be calibrated with empirical data for further refinement and customization for specific situations in real world organizations. 

Amaral, L.A.N. and Ottino, J.N. (2004) :Complex Systems and Networks: Challenges and Opportunities for Chemical and Biological Engineers," Chemical Engineering Science, 59, 1653-1666.

Anderson, D.F., Cappelli, D.M., Gonzalez, J.J., Mojtahedzadeh, M., Moore, A.P., Rich, E., Sarriegui, J.M., Shimeall, T.J., Stanton, J.M., Weaver, E., and Zagonel, A. (2004) "Preliminary System Dynamics Maps of the Insider Cyber-Threat Problem," Proceedings of the 22nd International Conference of the System Dynamics Society, Oxford, England, July 25-29. Available online at http://www.cert.org/archive/pdf/InsiderThreatSystemDynamics.pdf. Last accessed on April 29, 2006.

Arora, A., Hall, D., Pinto, C.A., Ramsey, D., and Telang, R. (2004). "Measuring the Risk-Based Value of IT Security Solutions," IT Professional, 6(6), 35-42.

Bodin, L.D., Gordon, L.A., and Loeb, M.P. (2005) "Evaluating Information Security Investments Using Analytical Hierarchy Process," Communications of the ACM, 48(2), 79-83.

Cavusoglu, H., Mishra, B., and Raghunathan, S. (2004) "A Model for Evaluating IT Security Investments," Communications of the ACM, 47(7), 87-92.

Cavusoglu, H., Mishra, B., and Raghunathan, S. (2005) "The Value of Intrusion Detection Systems in Information Technology Security Architecture," Information Systems Research, 16(1), 28-46.

CERT. (2006) CERT/CC Statistics 1988-2006. 2004. CERT Coordination Center. Available online at http://www.cert.org/stats/cert_stats.html. Last accessed on April 28, 2006.

Marco, C. and Nizovtsev, D. (2006) "Understanding and Influencing Attackers' Decisions: Implications for Security Investment Strategies," Proceedings of the Fifth Workshop on the Economics of Information Security, June 26-28, Cambridge, England.

Drake, D. and Morse, K. L. (1997) "Applying the Eight-Stage Risk Assessment Methodology to Firewalls," Proceedings of the 13th Annual Computer Security Applications Conference (ACSAC'97), 44-52.

Forrester, J.W. (1961) Industrial Dynamics. Cambridge, MA: MIT Press.

Forrester, J.W. (1968) Principles of Systems. Cambridge, MA: Wright-Allen Press.

Gonzalez, J.J., Sawicka, A. (2002) "A Framework for Human Factors in Information Security," Proceeding of the WSEAS International Conference on Information Security, Rio de Janeiro, Brazil.

Gordon, L.A., and Loeb, M.P. (2002a) "The Economics of Information Security Investment," ACM Transactions on Information and Systems Security, 5(4), 438-457.

Gordon, L.A., and Loeb, M.P. (2002b) "Return on Information Security Investments: Myths vs. realities," Strategic Finance, 84(5), 26-31.

Gordon, L.A., Loeb, M.P., Lucyshyn, W., and Richardson, R. (2004) Ninth Annual CSI/FBI Computer Crime and Security Survey. Computer Security Institute.

Gordon, L.A., Loeb, M. P., Lucyshyn, W., and Richardson, R. (2005) Tenth Annual CSI/FBI Computer Crime and Security Survey. Computer Security Institute.

Hoo, K.S. (2000). "How Much Is Enough? A Risk-Management Approach to Computer Security," Working Paper, Consortium for Research on Information Security and Policy (CRISP), Stanford University, Palo Alto, California.

Huang, C.D., Hu, Q., and Behara, R.S. (2005) "In Search for Optimal Level of Information Security Investment in Risk-Averse Firms," Proceedings of the Third Annual Security Symposium: Information Security in the Knowledge Economy, Tempe, Arizona, September 8-9, 2005.

Huang, C.D., Hu, Q., and Behara, R.S. (2006) "Economics of Information Security Investment in the Case of Simultaneous Attacks," Proceedings of the Fifth Workshop on the Economics of Information Security. June 26-28, Cambridge, England.

Jonsson, E. and Olovsson, T. (1997) "A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior," IEEE Transactions on Software Engineering, 23(4), 235-245.

King, S.F. and Burgess, T.F. (2006) "Beyond Critical Success Factors: A Dynamic Model Of Enterprise System Innovation," International Journal of Information Management, 26, 59-69.

Liu, P., Zang, W. and Yu, M. (2005) "Incentive-Based Modeling and Inference of Attacker Intent, Objectives, and Strategies," ACM Transactions on Information and System Security, 8(1), 78-118.

Leeson P.T. and Coyne, C.J. (2006) "The Economics of Computer Hacking," Journal of Law, Economics and Policy, forthcoming.

Marqueza, A.C. and Blanchar, C. (2006) "A Decision Support System for Evaluating Operations Investments in High-Technology Business," Decision Support Systems, 41, 472-487.

Martínez-Moyano, I.J. (2003) "Structure as Behavior: Exploring Elements of the System Dynamics Modeling Process," Proceedings of the 21st International Conference of the System Dynamics Society, New York, New York.

Melara, C., Sarriegui, J.M., Gonzalez, J.J., Sawicka, A., and Cooke, D.L. (2004) "A System Dynamics Model of an Insider Attack on an Information System," Proceedings of the 22ndInternational Conference of the System Dynamics Society.

Mercuri, R. T. (2003) "Analyzing Security Costs," Communications of the ACM, 46(6), 15-18.

Rich, E., Martinez-Moyano, I. J., Conrad, S., Cappelli, D. M., Moore, A. P., Shimeall, T. J., Andersen, D. F., Gonzalez, J. J., Ellison, R. J., Lipson, H. F., Mundie, D. A., Sarriegui, J. M., Sawicka, A., Stewart, T. R., Torres, J. M., Weaver, E. A., & Wiik, J. (2005) "Simulating Insider Cyber-Threat Risks: A Model-Based Case and a Case-Based Model," Proceedings of the 23rd International Conference of the System Dynamics Society. Boston, MA, July 17-21, 2005. Available online at http://www.systemdynamics.org/conf2005/proceed/index.htm. Last accessed on April 29, 2006.

Sauders, J. (2003) "A Risk Management Methodology for Information Security: The Analytic Hierarchy Process," available at http://www.johnsaunders.com/papers/risk-ahp/riskahp.htm. Last accessed on June 12, 2006,

Sterman, J.D. (2000) Business Dynamics: Systems Thinking and Modeling for a Complex World. New York: Irwin McGraw-Hill.