Dynamics of organizational information security

While technology is important, organizational and human factors also play a crucial role in achieving information security. In this paper we develop a system dynamics model of the interplay between technical and behavioral security factors, along with their impact on business value of an organization's IT infrastructure. The model captures delays associated with perception of security risk, the mechanics of user compliance and the mechanics of risk mitigation achieved by investments in security technology and user training. These structural model components interact to mediate the impact of security incidents on the business value generated by information technology enabled transactions. The model reveals the dynamics of erosion in and recovery of business value resulting from security incidents. Experiments with the model suggest that information security drills, analogous to fire drills, may be useful in maintaining user compliance, in addition to usual training and awareness activities. Among the management policy parameters examined, we find that improvement in realized business value is statistically significant for the minimum security risk the firm is willing to accept, and the proportion of security‐related investment spent on security technology versus security training and awareness. We also discuss how our model can be extended to help justify an organization's investments in information security, an objective that has been notoriously difficult to achieve in practice. Copyright © 2008 John Wiley & Sons, Ltd.