A system dynamics model for information security management

• We present a system dynamics model for information security management.
• We examine the effect of investment in deterrence and security tools.
• Increased investment in security tools reduces overall security cost substantially.
• Deterrence investment has a less pronounced effect on overall security cost.
• Uniform security investments are not the most effective.

Managing security for information assets is a critically important and challenging task. As organizations provide clients with ubiquitous access to information systems and the frequency and sophistication of security threats grows, the need to provide security assumes greater importance. Effective information security management requires security resources be deployed on multiple fronts, including attack prevention, vulnerability reduction, and threat deterrence. Using a system dynamics model, this study evaluates alternative security management strategies through an investment and security cost lens, to provide managers guidance for security decisions. The results suggest that investing in security detection tools has a higher payoff than does deterrence investment.