
Organizational information security as a complex adaptive system: insights from three agent-based models

Published in: Information Systems Frontiers

Abstract

The management of information security can be conceptualized as a complex adaptive system because the actions of both insiders and outsiders co-evolve with the organizational environment, thereby leading to the emergence of overall security of informational assets within an organization. Thus, the interactions among individuals and their environments at the micro-level form the overall security posture at the macro-level. Additionally, in this complex environment, security threats evolve constantly, leaving organizations little choice but to evolve alongside those threats or risk losing everything. In order to protect organizational information systems and associated informational assets, managers are forced to adapt to security threats by training employees and by keeping systems and security procedures updated. This research explains how organizational information security can perhaps best be managed as a complex adaptive system (CAS) and models the complexity of IS security risks and organizational responses using agent-based modeling (ABM). We present agent-based models that illustrate simple probabilistic phishing problems as well as models that simulate the organizational security outcomes of complex theoretical security approaches based on general deterrence theory (GDT) and protection motivation theory (PMT).



Notes

  1. The introduction of this second criterion allows us to model the probability of the binary outcome (i.e., phished or not phished). For example, a 60 % chance of success corresponds to the probability that our random number generator, drawing from the range 0 to 1, produces a number less than or equal to 0.60.
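As an added illustration (not the authors' NetLogo models, and not code from the paper), the following minimal agent-based phishing model shows the note's binary-outcome rule in working code and how a macro-level security posture emerges from micro-level agent rolls plus an organizational training response. The per-agent `susceptibility` attribute, the `train_employees` adaptation mechanism, and all parameter values are assumptions chosen for the example.

```python
import random
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Employee:
    """One insider agent. `susceptibility` is an assumed per-agent attribute:
    the probability that a single phishing lure succeeds against this agent."""
    susceptibility: float
    times_phished: int = 0


def lure_succeeds(probability: float, draw: float) -> bool:
    """The binary-outcome rule from the note: the attempt succeeds exactly when
    the random draw from [0, 1] is less than or equal to the success probability."""
    return draw <= probability


def run_phishing_round(employees: List[Employee], draw: Callable[[], float]) -> int:
    """One simulation tick: every agent receives a lure and rolls independently.
    `draw` is the random-number source, passed in so a round can be driven by a
    fixed sequence in tests. Returns the number of agents phished this round."""
    victims = 0
    for emp in employees:
        if lure_succeeds(emp.susceptibility, draw()):
            emp.times_phished += 1
            victims += 1
    return victims


def train_employees(employees: List[Employee], reduction: float) -> None:
    """Assumed organizational adaptation: after an incident the organization
    trains everyone, lowering each agent's susceptibility (floored at zero)."""
    for emp in employees:
        emp.susceptibility = max(0.0, emp.susceptibility - reduction)


def simulate(n_employees: int, initial_susceptibility: float, rounds: int,
             training_reduction: float, seed: int = 0) -> List[int]:
    """Run the model for `rounds` ticks and return the victim count per round.
    The macro-level posture (how many rounds end with a compromise) emerges from
    the micro-level rolls combined with the training response."""
    rng = random.Random(seed)
    employees = [Employee(initial_susceptibility) for _ in range(n_employees)]
    history = []
    for _ in range(rounds):
        victims = run_phishing_round(employees, rng.random)
        history.append(victims)
        if victims > 0:
            train_employees(employees, training_reduction)
    return history


def rounds_with_compromise(history: List[int]) -> int:
    """Macro-level summary: rounds in which at least one agent was phished."""
    return sum(1 for v in history if v > 0)


if __name__ == "__main__":
    # Constructed parameters for a demonstration run, not values from the paper.
    history = simulate(n_employees=50, initial_susceptibility=0.6, rounds=20,
                       training_reduction=0.05, seed=42)
    print("victims per round:", history)
    print("rounds with at least one compromise:", rounds_with_compromise(history))
```

Because the random source is injected, the outcome rule can be checked against fixed draws (0.60 succeeds against a 0.6 susceptibility, 0.61 does not), while a seeded run shows the adaptive dynamic: each compromised round triggers training, which lowers susceptibility and, over enough rounds, drives the victim count toward zero.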


Acknowledgments

An earlier version of this paper was presented at the Eighteenth Americas Conference on Information Systems, Seattle, Washington, August 9–12, 2012.

Corresponding author

Correspondence to Clay Posey.

Electronic supplementary material

ESM 1 (DOC 481 kb)

About this article

Cite this article

Burns, A.J., Posey, C., Courtney, J.F. et al. Organizational information security as a complex adaptive system: insights from three agent-based models. Inf Syst Front 19, 509–524 (2017). https://doi.org/10.1007/s10796-015-9608-8

DOI: https://doi.org/10.1007/s10796-015-9608-8