Organizational information security as a complex adaptive system: insights from three agent-based models

Organizational information security as a complex adaptive system: insights from three agent-based models

The management of information security can be conceptualized as a complex adaptive system because the actions of both insiders and outsiders co-evolve with the organizational environment, thereby leading to the emergence of overall security of informational assets within an organization. Thus, the i...

Full description

Saved in:
Bibliographic Details
Published in:Information systems frontiers Vol. 19; no. 3; pp. 509 - 524
Main Authors: Burns, A. J., Posey, Clay, Courtney, James F., Roberts, Tom L., Nanayakkara, Prabhashi
Format: Journal Article
Language:English
Published: New York Springer US 01-06-2017
Springer Nature B.V
Subjects:
Adaptive systems
Agent-based models
Business and Management
Chaos theory
Complexity
Control
Data integrity
Hackers
Information management
Information systems
IT in Business
Management of Computing and Information Systems
Network security
Operations Research/Decision Theory
Organizational aspects
Phishing
Security management
Systems Theory
Complex Adaptive Systems (CAS)
Information Assurance (IA)
Phishing
Agent-Based Modeling (ABM)
General Deterrence Theory (GDT)
Information Security
Protection Motivation Theory (PMT)
NetLogo
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:The management of information security can be conceptualized as a complex adaptive system because the actions of both insiders and outsiders co-evolve with the organizational environment, thereby leading to the emergence of overall security of informational assets within an organization. Thus, the interactions among individuals and their environments at the micro-level form the overall security posture at the macro-level. Additionally, in this complex environment, security threats evolve constantly, leaving organizations little choice but to evolve alongside those threats or risk losing everything. In order to protect organizational information systems and associated informational assets, managers are forced to adapt to security threats by training employees and by keeping systems and security procedures updated. This research explains how organizational information security can perhaps best be managed as a complex adaptive system (CAS) and models the complexity of IS security risks and organizational responses using agent-based modeling (ABM). We present agent-based models that illustrate simple probabilistic phishing problems as well as models that simulate the organizational security outcomes of complex theoretical security approaches based on general deterrence theory (GDT) and protection motivation theory (PMT).
ISSN:1387-3326
1572-9419
DOI:10.1007/s10796-015-9608-8