Understanding the dynamics of Information Security Investments. A Simulation-Based Approach

Today, information security breaches are steadily increasing, constantly puzzling security managers about how to make the best investment decisions to fight cyberattacks. The problem is a lack of understanding of the dynamic interaction between attackers and defenders when security investment decisions are made. The goal of this thesis is to develop a system dynamics model that describes the dynamic interaction between a defender, who initially invests a portion of the security budget and defers the remaining investments until security breaches occur (known as the wait-and-see strategy), and an attacker, who repeatedly targets and exploits the weakest link of the defense (known as the weakest-link strategy). The research employed qualitative and quantitative system dynamics modeling tools based on theoretical frameworks from the information security investment literature. A simulation model was built to understand the behavior of both adversaries when applying the aforementioned strategies under uncertainty and to propose policy options that resolve the problematic behavior. Scenario and policy analyses were conducted to test the hypothesis that, under uncertainty, the wait-and-see and weakest-link approaches are not effective security investment strategies. Scenarios show that when uncertainty increases, it is rational for the defender to under-invest in information security and instead cope with attacks. In situations of high uncertainty, effective security investment requires acquiring knowledge about attacks and shifting from reactive to proactive investment strategies. Two policy options were proposed to improve defenders' financial performance over time: 1) information sharing among defenders and 2) a higher dismissal time of attacks. By implementing the information sharing policy, defenders experience worse-before-better behavior, meaning that defenders need to be patient to perceive the benefits of this policy.
Furthermore, implementing a higher dismissal time of attacks brings more immediate benefits, though with managerial implications such as the need for a higher security budget. Finally, whether to implement the combination of information sharing and higher dismissal time depends on the size of the firm and the budget (capabilities) available to invest in information security.
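To make the three mechanisms named in the abstract concrete (a wait-and-see defender who invests a fraction up front and the rest only after a breach, a weakest-link attacker who always hits the lowest defence level, and an information-sharing policy under which peers harden the link a neighbour was breached on), here is a small discrete-time stock-and-flow simulation. It is an added illustration written for this page, not the thesis's calibrated model or code; the model structure, the stock names (`budget`, `defence`), the attacker's linear capability growth and every parameter value are constructed assumptions, and it does not attempt to reproduce the thesis's results about uncertainty or the dismissal-time policy.

```python
"""Toy stock-and-flow simulation: wait-and-see defender vs. weakest-link
attacker, with an optional information-sharing policy between firms.
Constructed illustration; model structure and all parameter values are
assumptions, not the thesis's model."""
from dataclasses import dataclass


@dataclass
class Defender:
    """One firm: a security-budget stock and a defence-level stock per link."""
    name: str
    budget: float
    defence: list
    breaches: int = 0
    losses: float = 0.0
    invested: float = 0.0

    def invest(self, link, amount):
        """Flow money from the budget stock into the defence stock of one link."""
        spend = min(amount, self.budget)
        self.defence[link] += spend
        self.budget -= spend
        self.invested += spend
        return spend

    def total_cost(self):
        """Financial performance measure: money spent plus breach losses."""
        return self.invested + self.losses


def invest_upfront(d, fraction):
    """Proactive part of wait-and-see: a fraction of the budget is spread
    evenly over all links at t=0; the remainder is deferred."""
    per_link = d.budget * fraction / len(d.defence)
    for link in range(len(d.defence)):
        d.invest(link, per_link)


def weakest_link(defenders):
    """Weakest-link strategy: the attacker picks the lowest defence level
    across every firm and link (ties go to the first firm/link found)."""
    return min(((d, i) for d in defenders for i in range(len(d.defence))),
               key=lambda pair: pair[0].defence[pair[1]])


def step(defenders, strength, loss, reactive_spend, share_info):
    """One time step. Returns True if the attack on the weakest link succeeded."""
    d, link = weakest_link(defenders)
    if strength <= d.defence[link]:
        return False
    d.breaches += 1
    d.losses += loss
    d.invest(link, reactive_spend)      # wait-and-see: invest only after the breach
    if share_info:
        # information-sharing policy: peers learn which link was hit and
        # harden the same link before the attacker reaches them
        for peer in defenders:
            if peer is not d:
                peer.invest(link, reactive_spend)
    return True


def simulate(n_firms, steps, upfront_fraction, share_info=False, budget=60.0,
             links=3, base_defence=4.0, strength0=6.0, growth=1.0,
             loss=10.0, reactive_spend=10.0):
    """Run the model and return the defenders in their final state."""
    defenders = [Defender(f"firm{k}", budget, [base_defence] * links)
                 for k in range(n_firms)]
    for d in defenders:
        invest_upfront(d, upfront_fraction)
    strength = strength0
    for _ in range(steps):
        step(defenders, strength, loss, reactive_spend, share_info)
        strength += growth              # assumed: attacker capability grows each step
    return defenders


if __name__ == "__main__":
    scenarios = [
        ("wait-and-see, alone", dict(n_firms=1, steps=5, upfront_fraction=0.0)),
        ("fully proactive, alone", dict(n_firms=1, steps=5, upfront_fraction=1.0)),
        ("two firms, no sharing", dict(n_firms=2, steps=6, upfront_fraction=0.0)),
        ("two firms, sharing", dict(n_firms=2, steps=6, upfront_fraction=0.0, share_info=True)),
    ]
    for label, kwargs in scenarios:
        for d in simulate(**kwargs):
            print(f"{label:24s} {d.name}: breaches={d.breaches} cost={d.total_cost():.0f}")
```

With these assumed parameters the lone wait-and-see firm absorbs three breaches before its patched links outpace the attacker, while the fully proactive firm is never breached at the same total cost; with two identical firms, the attacker works through the first firm's links and then moves to the second, and the information-sharing policy lets the second firm harden each link in step with the first so that it is never breached at all. Which of these outcomes holds under real uncertainty about attacker strength is exactly what the thesis's calibrated model is built to study; this toy only exposes the mechanics.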
Faculteit der Managementwetenschappen