Organizational information security as a complex adaptive system: insights from three agent-based models
Authored by James F Courtney, A J Burns, Clay Posey, Tom L Roberts, Prabhashi Nanayakkara
Date Published: 2017
DOI: 10.1007/s10796-015-9608-8
Sponsors:
No sponsors listed
Platforms:
NetLogo
Model Documentation:
Other Narrative
Model Code URLs:
https://static-content.springer.com/esm/art%3A10.1007%2Fs10796-015-9608-8/MediaObjects/10796_2015_9608_MOESM1_ESM.doc
Abstract
The management of information security can be conceptualized as a
complex adaptive system because the actions of both insiders and
outsiders co-evolve with the organizational environment, thereby leading
to the emergence of overall security of informational assets within an
organization. Thus, the interactions among individuals and their
environments at the micro-level form the overall security posture at the
macro-level. Additionally, in this complex environment, security threats
evolve constantly, leaving organizations little choice but to evolve
alongside those threats or risk losing everything. In order to protect
organizational information systems and associated informational assets,
managers are forced to adapt to security threats by training employees
and by keeping systems and security procedures updated. This research
explains how organizational information security can perhaps best be
managed as a complex adaptive system (CAS) and models the complexity of
IS security risks and organizational responses using agent-based
modeling (ABM). We present agent-based models that illustrate simple
probabilistic phishing problems as well as models that simulate the
organizational security outcomes of complex theoretical security
approaches based on general deterrence theory (GDT) and protection
motivation theory (PMT).
Tags
NetLogo
Agent-based modeling (ABM)
Deterrence
Impact
Protection motivation theory
Threat
Information security
Awareness
Complex adaptive systems (cas)
Information assurance (ia)
General deterrence theory (gdt)
Protection motivation theory (pmt)
Phishing
Computer abuse