Modeling and Simulating Information Security Management

  • Jose M. Sarriegi
  • Javier Santos
  • Jose M. Torres
  • David Imizcoz
  • Elyoenai Egozcue
  • Daniel Liberal
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5141)


Security management is a complex task. It requires several interconnected activities: designing, implementing and maintaining a robust technical infrastructure, developing suitable formal procedures and building a widespread, agreed-upon security culture. Security managers therefore have to balance and integrate all these activities simultaneously, which involves both short- and long-term effects and risks. For this reason, security managers need to correctly understand, achieve and maintain a dynamic equilibrium between all of them.

The development of a simulation model can be an efficient approach towards this objective, as it involves making explicit the key factors in security management and their interconnections in order to reduce organizational security risks efficiently. This endogenous perspective on the problem can help managers design and implement more effective policies.

This paper presents a methodology for developing simulation models for information security management. The use of this methodology is illustrated through examples.


Keywords: Security Management, Modeling, Simulation, System Dynamics





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Jose M. Sarriegi (1)
  • Javier Santos (1)
  • Jose M. Torres (1)
  • David Imizcoz (2)
  • Elyoenai Egozcue (2)
  • Daniel Liberal (2)
  1. Tecnun (University of Navarra)
  2. s21sec
