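A system dynamics approach for cost-benefit simulation in designing policies to enhance the cybersecurity resilience of small and medium-sized enterprises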

IF 2, Zone 4 (Management), Q2, INFORMATION SCIENCE & LIBRARY SCIENCE
Jihwon Song, Min Jae Park
Information Development, published 2024-05-06. DOI: 10.1177/02666669241252996 (https://doi.org/10.1177/02666669241252996)
Citations: 0

Abstract

A system dynamics approach for cost-benefit simulation in designing policies to enhance the cybersecurity resilience of small and medium-sized enterprises
The small and medium-sized enterprises (SMEs) with limited investment capacity are likely to be lax in enhancing their cybersecurity. Therefore, to strengthen cybersecurity at a national level, governments must intervene in the market by using support or regulatory policies to overcome market failures and address weaknesses. This study reviewed the efficiency of policy options to improve corporate cybersecurity resilience for SMEs that require government support, unlike large companies that can invest in security on their own. To achieve this, a causal loop diagram was created and analyzed from the perspective of system dynamics. The model incorporated government support variables and the decline in capabilities over time into the existing corporate security investment model reflecting the standard framework for cybersecurity from NIST. The simulation scenarios were constructed based on policy options considered by the Korean government. These include 1) pre-incident or post incident support services, and 2) management through tax credits and regulation. The results indicated that incentives, specifically tax credits, rather than regulation, were more effective in strengthening cyber resilience. This study describes the investment and internal capability development of a company affected by government policy, which is an external factor, and changes in profits can be observed by adding the company's profits and costs as variables. This profit variable allows for the comparison of a company's cyber resilience across scenarios. Additionally, if the government provides direct support immediately after a hacking incident, the company can recover more quickly. If these benefits are known and if the reporting of hacking damage is activated, cyber threat visibility will be secured by revealing hacking attacks that have been secretly conducted. Governments can use cyber threat visibility to strengthen national cybersecurity.
Source journal: Information Development (INFORMATION SCIENCE & LIBRARY SCIENCE)
CiteScore: 5.10
Self-citation rate: 5.30%
Articles published: 40
Journal description: Information Development is a peer-reviewed journal that aims to provide authoritative coverage of current developments in the provision, management and use of information throughout the world, with particular emphasis on the information needs and problems of developing countries. It deals with both the development of information systems, services and skills, and the role of information in personal and national development.