Published in: Information Systems Frontiers 3/2017

04.11.2015

Organizational information security as a complex adaptive system: insights from three agent-based models

Written by: A. J. Burns, Clay Posey, James F. Courtney, Tom L. Roberts, Prabhashi Nanayakkara


Abstract

The management of information security can be conceptualized as a complex adaptive system because the actions of both insiders and outsiders co-evolve with the organizational environment, thereby leading to the emergence of overall security of informational assets within an organization. Thus, the interactions among individuals and their environments at the micro-level form the overall security posture at the macro-level. Additionally, in this complex environment, security threats evolve constantly, leaving organizations little choice but to evolve alongside those threats or risk losing everything. In order to protect organizational information systems and associated informational assets, managers are forced to adapt to security threats by training employees and by keeping systems and security procedures updated. This research explains how organizational information security can perhaps best be managed as a complex adaptive system (CAS) and models the complexity of IS security risks and organizational responses using agent-based modeling (ABM). We present agent-based models that illustrate simple probabilistic phishing problems as well as models that simulate the organizational security outcomes of complex theoretical security approaches based on general deterrence theory (GDT) and protection motivation theory (PMT).

Footnotes
1
The introduction of this second criterion allows us to model the probability of the binary outcome (i.e., phished or not phished). For example, a 60 % chance of success equals the probability of our random number generator producing a number equal to or less than 0.60 from a set of numbers ranging from 0 to 1.
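The threshold rule in this footnote (phished if a uniform draw is at or below the success probability) and the abstract's idea of insiders and attackers co-evolving can be shown together in a small agent-based simulation. The following is an added example, not one of the paper's three models; the employee count, attack rate, training effect, attacker learning rate and training trigger are assumed parameters chosen for illustration:

```python
import random
from dataclasses import dataclass


def lure_succeeds(draw: float, susceptibility: float) -> bool:
    """Binary outcome as in the footnote: a uniform draw from [0, 1) at or
    below the success probability means the employee is phished."""
    return draw <= susceptibility


def estimate_success_rate(susceptibility: float, trials: int, seed: int = 0) -> float:
    """Monte Carlo check that the threshold rule reproduces the probability."""
    rng = random.Random(seed)
    hits = sum(lure_succeeds(rng.random(), susceptibility) for _ in range(trials))
    return hits / trials


@dataclass
class Employee:
    """One insider agent; susceptibility is the chance a single lure succeeds."""
    susceptibility: float


def run_simulation(n_employees: int = 100, ticks: int = 40, attack_rate: float = 0.3,
                   base_susceptibility: float = 0.6, training_effect: float = 0.5,
                   train_threshold: float = 0.1, attacker_learning: float = 0.02,
                   seed: int = 1) -> list:
    """Return the fraction of employees phished at each tick.

    The dynamics are assumed for this example (not the paper's rules):
    - each tick every employee is targeted with probability attack_rate;
    - a targeted employee is phished by the threshold rule above;
    - if a tick's compromise rate exceeds train_threshold, management trains
      everyone, multiplying each susceptibility by training_effect;
    - the attacker co-evolves: lures improve every tick, raising every
      susceptibility by attacker_learning (capped at 1.0).
    """
    rng = random.Random(seed)
    staff = [Employee(base_susceptibility) for _ in range(n_employees)]
    history = []
    for _ in range(ticks):
        hits = 0
        for e in staff:
            if rng.random() <= attack_rate and lure_succeeds(rng.random(), e.susceptibility):
                hits += 1
        rate = hits / n_employees
        history.append(rate)
        for e in staff:
            if rate > train_threshold:
                e.susceptibility *= training_effect
            e.susceptibility = min(1.0, e.susceptibility + attacker_learning)
    return history
```

Plotting `run_simulation()` over ticks shows the macro-level pattern the abstract describes: the compromise rate falls after each training round and creeps back up as the attacker adapts, so neither side's behaviour alone determines the organization's security posture.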
 
Metadata
Title
Organizational information security as a complex adaptive system: insights from three agent-based models
Written by
A. J. Burns
Clay Posey
James F. Courtney
Tom L. Roberts
Prabhashi Nanayakkara
Publication date
04.11.2015
Publisher
Springer US
Published in
Information Systems Frontiers / Issue 3/2017
Print ISSN: 1387-3326
Electronic ISSN: 1572-9419
DOI
https://doi.org/10.1007/s10796-015-9608-8
