Using systems dynamics for human resources management in information systems security

To enable quantitative and qualitative modelling of information systems security management that takes into account technology and human factor.

The approach is based on systems dynamics and it is done in two phases. In the first phase two basic qualitative models are developed, while in the second phase a possibility to further develop them into quantitative models is studied.

Appropriate approach to IS security management requires addressing “hard” and “soft” factors. Further, to enable quantitative study of such systems, which are highly non‐linear, exact analytical (mathematically rigorous) treatment is close to impossible. Thus, computer simulations have to be used. One appropriate methodological answer to the above requirements is systems (business) dynamics.

Research limitations are partially related to system dynamics, which operates on an aggregates level. This prevents or makes harder study of phenomena at the micro level, from where the above‐mentioned aggregates emerge. Further, many sub‐areas need further standardisation to enable more realistic simulations – one such case is security policy standardisation and quantification. Similar holds true for threats/vulnerabilities and related taxonomies.

The research presents one of first steps in the direction that could provide quantitative models for effective IS security policy management in organisations.

The research presents two models, one for risk management and the other, which is a generic model that identifies basic variables that have to be addressed for IS security management. Further, findings can be used for security awareness courses.