Abstract for: Proactive vs. reactive investment in information security management: an SD analysis

In information security management, many organizations adopt reactive approaches to investment in incident response capability: they invest when the number of incidents increases, when the severity of incidents reaches a preset level, or when incident cost reaches a preset level. We use a system dynamics (SD) model to study how these reactive approaches may cause problems in the long run. Through simulation analysis, we find that the problem with the reactive approach lies not only in the delay in building incident response capability, but also in a reinforcing loop that traps management in blindness to security risks. The simulation results show that a proactive approach works effectively in reducing the severity of incidents. We hope to promote the idea of proactive information security management through SD model simulation and analysis.
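The dynamics the abstract describes can be made concrete with a small discrete-time simulation. The following Python model is an added illustration, not the paper's SD model: the stocks (response capability, a capability-building pipeline, attack pressure), the saturating detection and mitigation functions, and every parameter value (build delay, erosion rate, threat growth, thresholds, investment amounts) are assumptions chosen for the example. A reactive policy invests only when the *observed* incident cost crosses a preset level; because weak capability also means weak detection, the observed cost stays below the trigger while true severity grows, which is the reinforcing "blindness" loop. A proactive policy funds a fixed amount every month regardless of what is observed.

```python
"""Toy system-dynamics comparison of reactive vs. proactive investment in
incident response capability. Illustrative model with assumed parameters,
not the model or data from the paper."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Params:
    horizon: int = 120             # simulated months (assumed)
    build_delay: float = 6.0       # months for funded capability to come online (assumed)
    erosion: float = 0.03          # monthly loss of capability: staff churn, stale tooling (assumed)
    threat_growth: float = 0.01    # monthly growth of attack pressure (assumed)
    half_sat: float = 5.0          # capability at which detection and mitigation reach 50% (assumed)
    initial_capability: float = 2.0
    initial_threat: float = 10.0   # incidents per month if nothing were stopped (assumed)


@dataclass
class Result:
    total_severity: float          # cumulative true damage over the horizon
    total_invested: float          # cumulative investment actually made
    final_capability: float
    final_detection: float         # fraction of incidents the organization sees at the end
    observed_cost: List[float] = field(default_factory=list)


def saturating(x: float, k: float) -> float:
    """Diminishing-returns curve in [0, 1): 0.5 at x == k."""
    return x / (x + k)


# policy(month, observed_incidents, observed_cost) -> investment this month
Policy = Callable[[int, float, float], float]


def reactive(threshold: float, amount: float = 3.0) -> Policy:
    """Invest only when the observed incident cost reaches a preset level."""
    def policy(month: int, observed_incidents: float, observed_cost: float) -> float:
        return amount if observed_cost >= threshold else 0.0
    return policy


def proactive(amount: float = 1.0) -> Policy:
    """Invest a fixed amount every month, independent of what is observed."""
    def policy(month: int, observed_incidents: float, observed_cost: float) -> float:
        return amount
    return policy


def simulate(policy: Policy, p: Optional[Params] = None) -> Result:
    p = p or Params()
    capability = p.initial_capability
    pipeline = 0.0                 # funded but not yet usable capability
    threat = p.initial_threat
    total_severity = 0.0
    total_invested = 0.0
    observed_cost_series: List[float] = []

    for month in range(p.horizon):
        mitigation = saturating(capability, p.half_sat)   # share of damage prevented
        detection = saturating(capability, p.half_sat)    # share of incidents noticed
        severity = threat * (1.0 - mitigation)            # true damage this month
        observed_incidents = threat * detection
        observed_cost = observed_incidents * (1.0 - mitigation)  # what management sees

        invest = policy(month, observed_incidents, observed_cost)
        total_invested += invest
        total_severity += severity
        observed_cost_series.append(observed_cost)

        # Investment enters a pipeline and matures with a first-order delay.
        pipeline += invest
        matured = pipeline / p.build_delay
        pipeline -= matured
        capability += matured - p.erosion * capability
        threat *= 1.0 + p.threat_growth

    return Result(
        total_severity=total_severity,
        total_invested=total_invested,
        final_capability=capability,
        final_detection=saturating(capability, p.half_sat),
        observed_cost=observed_cost_series,
    )


if __name__ == "__main__":
    for name, pol in (("reactive", reactive(threshold=3.0)), ("proactive", proactive())):
        r = simulate(pol)
        print(f"{name:10s} severity={r.total_severity:8.1f} invested={r.total_invested:6.1f} "
              f"capability={r.final_capability:6.2f} detection={r.final_detection:.3f}")
```

With these assumed parameters the reactive organization never crosses its cost trigger: detection decays along with capability, so the reported cost falls even as true severity climbs with the threat, and no investment is ever made. The proactive organization's steady monthly funding is delayed by the same pipeline, yet it converges to high capability and a far lower cumulative severity. Lowering the reactive threshold or raising the starting capability changes the numbers but not the structure of the loop, which is the point the abstract makes.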