Managing information security risks during new technology adoption

In the present study, we draw on previous system dynamics research on operational transition and change of vulnerability to investigate the role of incident response capability in controlling the severity of incidents during the adoption of new technology. Toward this end, we build a system dynamics model using the Norwegian Oil and Gas Industry as the context. The Norwegian Oil and Gas Industry has started to adopt new information communication technology to connect its offshore platforms, onshore control centers, and suppliers. In oil companies, the management is generally aware of the increasing risks associated with operational transition; however, to date, investment in incident response capability has not been highly prioritized because of the uncertainty related to risks and the present reactive mental model of security risk management. The model simulation shows that a reactive approach to security risk management might trap the organization into blindness to minor incidents and low incident response capability, which can lead to severe incidents. The system dynamics model can serve as a means to promote proactive investment in incident response capability.

► We study information security management during operation transition extending prior research.
► A system dynamics model is built to explain why proactive investment in security is crucial.
► The model simulation shows that proactive investment is cost-effective in our research context.
► Reactive investment could cause blindness of minor security risks and lead to severe incidents.
► The work demonstrates how system dynamics could be applied in information security management.