Using System Dynamics to Investigate the Effect of the Information Medium Contact Policy on the Information Security Management

Computer viruses remain an information security threat to business and can have a devastating effect on business continuity and profitability. To deploy antivirus countermeasures, it is necessary to understand and explore computer virus propagation. This research further explores users' contact with media and discusses information security controls, both managerial and technical. First, we propose a computer virus propagation model and analyze it from a system viewpoint. Second, we explore and evaluate the effectiveness of preventive countermeasures. Finally, we suggest several considerations for managers to put into practice. The simulation results show that users' contact with media for the network had a significant effect on the infection rate, and that policy enforcement has a more powerful influence than the firewall on restraining the infection rate. Based on these results, we suggest: (1) information security management policy development takes precedence over physical security; (2) it is very important to identify all assets, define the classification of assets, and identify the security roles and responsibilities of employees; (3) it is necessary to audit regularly the configurations and parameters of security techniques; (4) the operating system and the application software on hosts and servers should be updated and patched regularly; (5) removable storage and removable/mobile access media should be restricted.


Introduction
Today, more and more enterprises depend heavily on information and information technology to create innovative services. In most cases, information has become the vital 'asset', called an 'information asset' or 'intellectual asset', for enterprises. However, information is continuously threatened with being lost, stolen, accessed (physically or otherwise), blocked, misused or destroyed by people, computer viruses, malware, natural disasters (e.g. earthquakes), man-made disasters (e.g. the 911 attacks), etc. It is particularly important to protect these assets to ensure their confidentiality, integrity and availability. Obviously, managing the security of information is as important as managing the core business.
According to the Computer Security Institute (CSI) Computer Crime and Security Survey from 1999 to 2010, virus attacks have topped the list of attack types (Computer Security Institute [CSI], 2010). The annual information security reports from the CSI also show that viruses caused the biggest financial loss among all computer security incidents in industry (CSI, 2003-2006). These reports show that computer virus attacks are incessant and increasing. One reason for this phenomenon may be that users' awareness and prevention of computer viruses is deficient. Therefore, understanding and exploring computer virus propagation is necessary for both individuals and organizations, especially in the construction and development of information security policies.
Information security management (ISM) research is a relatively new field. Most research adopts case studies or survey research. Case studies can provide in-depth data on an object of study and spark ideas for further research, but we cannot assume the findings apply to all others in the same condition. Survey research uses questionnaires or interviews to collect data efficiently from many people. These surveys have mostly used quantitative and primarily statistical methods. Previous research reported low response rates, mainly because information security matters are regarded as confidential and information secrecy policies are implemented extensively in enterprises. Given these circumstances, collecting a sufficient quantity of survey responses is more arduous, and the number of responses received in information security research is generally smaller than in other research areas (Albrechtsen & Hovden, 2009; Department of Trade & Industry, 2004; Kotulic & Clark, 2004; Vance, Siponen, & Pahnila, 2012). On the other hand, the majority of studies on computer virus propagation published in the IS security literature take a technical perspective and lack management perspectives. In addition, user behaviors must be taken into account because "people" are always the key factor for the success of information security management in companies and organizations regardless of size, location, culture or type of business (Eminağaoğlu, Uçar, & Eren, 2009). Given the limitations of the research methods and tools in information security research, we attempt to adopt another research method to surmount these obstacles.
In this paper, we present a virus propagation model based on the SEIR (Susceptible-Exposed-Infectious-Recovered) epidemic model, developed with the system dynamics methodological approach, to investigate the effect of users' contact with media on computer virus propagation. The system dynamics approach shows how structure, policies, decisions and time delays within systems are interrelated and influence growth and stability (Lee & Tunzelmann, 2005). It holds that the system function is determined by its structure, and that the system behavior pattern depends on the dynamic structure and the internal feedback mechanisms of the system. The first step in implementing ISM is establishing a complete information security policy. ISO/IEC 27001 provides guidance and recommendations for information security management, and indicates the importance of users' contact with media in defending against computer viruses. However, most studies have focused on deployment and access control in facilities. We should note that communication media and the electronic storage and transmission of information are growing at an increasing rate. Computer viruses can spread through networks and media. A study by the present researcher proposed a computer virus propagation model and also discovered that contact with media had a significant effect on the infection rate (Sung, Ku & Su, 2013). It is therefore the intent of the present study to explore the extent of the impact of users' contact with media on computer virus propagation, and to propose considerations. Our model is generalized to represent the behavior of general computer viruses, and incorporates user behaviors and technical security solutions to study virus propagation from a managerial perspective.

System Dynamics
System dynamics (SD) was developed in 1950 by Jay W. Forrester of the Massachusetts Institute of Technology (MIT). It is the study of the behavior of complex systems over time, developed to model complex continuous systems for improving management policies and organizational structures (Forrester, 1961, 1968). SD is an approach that is able to deal with nonlinear problems, information feedback, time delays and complex systems, and its methodology puts emphasis on conceptualization, formulation and simulation (Richardson, 1996). SD simulation is performed to learn about the dynamics of the system behavior that may impact the planning solution by using closed-loop feedback, and to design policies to improve system performance. The SD methodology includes two stages. In the first stage, the qualitative system model is developed in the form of a causal loop diagram which captures the major feedback mechanisms. Causal loop diagrams play two important roles in SD. First, during model development, they serve as preliminary sketches of causal hypotheses, and second, they can simplify the representation of a model (Georgiadis, Vlachos, & Iakovou, 2005). In the second stage, the qualitative model is transformed into a stock and flow diagram and is calibrated for quantitative analysis using simulation techniques (Wolstenholme & Coyle, 1983; Wolstenholme, 1994). The structure of a system flow diagram contains stock and flow variables, and is also known as the stock flow diagram. Stock variables are the accumulations (i.e. inventories), while flow variables represent the flows in the system (i.e. order rate). An SD modeling effort can improve understanding of the relationships between feedback structures and dynamic behaviors of a system so that policies for improving problematic behavior may be developed (Richardson & Pugh, 1981). Nowadays, SD models use graphical simulation programs to represent relationships between components of a system using stocks and flows, and support the analysis and study of these systems. Therefore, SD models allow managers to test alternative assumptions, decisions and policies (Suryani, Chou, Hartono, & Chen, 2010).
In the past decades, SD has been widely utilized to study the dynamic behavior of various social systems and has been applied to policy analysis and design in both the public and private sectors (Casey & Töyly, 2012). Information security management is complex because it involves three types of security controls: technical, policy and human controls (Botha & Gaadingwe, 2006; Dhillon & Moores, 2001; Sveen, Torres, & Sarriegi, 2009). The spread of computer viruses is a nonlinear dynamic system, similar to the spread of epidemics in human populations (Kephart & White, 1993; Pastor-Satorras & Vespignani, 2001). It is regarded as a complex system. Consequently, SD is suitable for application to information security management and computer virus propagation.

Computer Viruses Prevention in ISO-27001 Standard
ISO/IEC 27001 is described as a suitable model for ISM and an appropriate vehicle for addressing ISM issues in organizations (Dhillon & Moores, 2001). It consists of 11 control sections and 133 security controls for practitioners to use. However, there is no specific chapter in ISO/IEC 27001 on implementing defenses against computer viruses. The related security controls are proposed, from the security management view, in several chapters: "Protection against malicious and mobile code", "Technical vulnerability management", and "Reporting information security events and weaknesses". These security controls are listed in Table 1. Information security events should be reported through appropriate management channels as quickly as possible.

Controls against Malicious Code
In chapter 10.4, "Protection against malicious and mobile code", subsection 10.4.1, "Controls against malicious code", shows that if software and information processing systems are vulnerable, malicious code may be introduced. Managers should establish a policy to protect against the dangers of malicious code, for example using detection software, updating anti-virus software and applying change management controls.

Control of Technical Vulnerabilities
Chapter 12.6.1 of ISO 27001 covers technical vulnerability management. This control shows that a correct and complete inventory of assets is necessary for technical vulnerability management. Software vendors and the employees within the organization responsible for the software are responsible for supporting technical vulnerability management.

Reporting Information Security Events
Chapter 13.1.1 of ISO 27001 covers information security incident management and highlights the need to establish a formal information security event reporting procedure. All employees, contractors and third parties should be required to report any information security events as quickly as possible.

Modeling
In this research, we use the SD methodology to develop the computer virus propagation model. First, we construct and analyze the causal loop diagram to describe general computer virus propagation. Then, we build the stock and flow diagram for simulation, results, and recommendations. These stages are explored in detail below.

Causal Loop Diagram
A causal loop diagram is constructed to represent the relationships between the variables of computer virus propagation. Figure 1 shows the causal loop diagram of the computer virus infection flow. The structure can be described by 1 positive loop (R) and 1 negative loop (B).

Figure 1. Causal loop diagram of computer virus propagation
In general, the major reason users' devices become infected is clicking a malicious link. Each device connected to the network can infect the others. Computer viruses can spread through channels such as USB devices, e-mail, instant messengers (IM), Peer-to-Peer (P2P) file sharing, and online social network services (SNS). A computer system may be infected by incidentally or wrongly clicking an attachment containing a malicious executable file or a malicious URL. The Contact Rate indicates the frequency with which devices contact the network (e.g. Internet and Intranet) and external media (e.g. USB devices and other disks). In general, users are easily attracted by an interesting link and trust the messages sent by their friends. However, links and messages may be forged and include malicious code, such as ActiveX. Once users click on them, their devices will be infected. Unfortunately, by the time a user discovers that his device has been infected, the virus will already have spread. Because computer viruses hide themselves in a device for some time before attacking, the user cannot detect them immediately (R).
On the other hand, in order to recover infected computers, anti-virus software adoption is regarded as one of the most effective approaches (Forrest, Hofmayer, & Somayaji, 1997). Adopting anti-virus software can reduce the probability of infection and the infection rate. If a user finds his device was infected, he will use anti-virus software to remove the viruses (B). The summary of the feedback loops of computer virus propagation is presented in Table 2.

Causal Loop Diagram Analysis
According to Figure 1, we find that reducing the probability of infection comes down to control over the contact rate. Users adopt anti-virus software to reduce the probability of infection; however, the source of the problem is the contact rate. Malicious and mobile code can spread through many channels on the Internet (e.g. e-mail, IM, and online social networking) and is clicked or attached incidentally, infecting most of the IT devices in the network. Through sending or sharing files on these channels, malicious code (or URLs) can invade devices to spread computer viruses. The system may be infected by clicking incidentally or wrongly. Therefore, the frequency with which users contact the network and external media is crucial in determining whether users' devices are infected.
There has been rapidly growing interest in the use of epidemiological models for understanding the spread of computer viruses since the pioneering work by Murray (1988). Following this idea, many epidemic models of computer viruses have been proposed. Some defects of previous epidemic models of computer viruses were reported recently: 1) An infected computer which is in latency can infect other computers through file downloading or file copying. Unfortunately, previous computer virus models failed to consider this passive infectivity (Yang, Yang, Zhu, & Wen, 2013); 2) Previous works on malware modeling assume that the infection rate is constant (Fen, Liao, Han, & Li, 2013) or random. However, both constant and random infection rates are unsuitable for virus propagation in computer networks (Yuan, Wu, & Chen, 2009); 3) Removable storage devices provide a way other than the Internet for the spread of viruses. However, nearly all previous models of computer virus propagation ignore the effect of removable devices on the spread of viruses (Yang & Yang, 2012). On the other hand, any discussion of computer virus threats inevitably involves antivirus countermeasures. According to the 2010/2011 CSI Computer Crime and Security Survey (CSI, 2010), among security technologies in use, anti-virus software had the highest utilization rate at 97.0%, followed by firewalls (94.9%). Therefore, combining computer virus propagation models with antivirus countermeasures is necessary.
Recently, some researchers proposed new models to overcome the above defects (Table 3). However, none of these models has considered the viewpoint of ISM policies. This paper aims to understand the effect of contact with media on the infection rate. The latent period, dynamic infection rate, antivirus countermeasures, and ISM policy enforcement are considered in our model. On the basis of the above analysis, we focus on the contact rate at which users contact the network and external media respectively. Further, we consider the effectiveness of the firewall, and the duration of users' contact with the network and external media.

Stock and Flow Diagram
In SD methodology, the causal loop diagram and the stock and flow diagram are the main tools. The causal loop diagram represents the structure of a system and its major feedback mechanisms; the diagram for this paper is illustrated in Figure 1 in the section above. The stock and flow diagram is the mathematical model, whose equations exhibit the dynamic behavior between the factors of the target system. Murray (1988) considered that the behavior of a virus program is analogous to an epidemic and suggested that understanding the behavior of computer viruses through the epidemic model is more feasible and useful. In this paper, the SEIR (Susceptible-Exposed-Infective-Recovered) model (Anderson & May, 1992) was adopted because it contains the exposed state (E) and takes the latent period into consideration. In this section, we explain in detail the development of the stock and flow diagram and the procedure of analysis in this research. The notation list is given in Table 4.

To fight computer viruses, users deploy antivirus countermeasures, such as firewalls. Information security policy specifies how the rules are to be followed. These measures consequently help to mitigate computer virus threats. We assume the initial values of probability of contact network with malicious and probability of contact external media with malicious are 0.4 and 0.6 respectively. Therefore, the equations are: (2)

A computer system may be infected by incidentally or wrongly clicking an attachment containing a malicious executable file or a malicious URL. Both a computer virus in its latency period and devices that have been infected may infect other devices. We make the simplifying assumption that users contact the network and external media is a routine

After the latency period, exposed devices become infectious devices. The capacity of the antivirus company can reduce the average duration of infectivity periods, but it cannot affect the latency period of the computer virus. Hence the average duration of latency periods is not influenced by any variables. Therefore, the equation of Exposed to Infected Rate is:

Exposed to Infected Rate = Exposed / Average Durations of Latency Periods (4)

This paper assumes that anti-virus software includes the newest virus signatures and is effective against attack by computer viruses. If a user finds that his/her device has become infective, he/she will use antivirus software to remove the computer virus. The equation of Recovery Rate is defined as:

Recovery Rate = Infectious * Probability of Using Antivirus Software (5)

According to the above definitions, the equations of the stock variables susceptible, exposed, infectious and recovered, respectively, are:

Model Validation
Model validation focuses on justifying the reliability of the model and providing confidence for model application. The validation of an SD model usually involves: (1) structural validity, and (2) behavior validity. Structural validity includes comparative evaluation of each model equation against its counterpart in the real system or in the relevant literature (Vlachos, Georgiadis, & Iakovou, 2007). Model behavior validity refers to how well the model-generated behavior reproduces or mimics the observed behavior of the real system (Khan, Yufeng, & Ahmad, 2009; Sterman, 2000).

Structural Validity
The SEIR model has been used for modeling the spread of computer viruses, though because of its mathematical complexity it has not been widely used. For example, based on the SEIR model, Yuan and Chen (2008) and Yuan et al. (2009) proposed the E-SEIR model to gain insights into virus propagation in networks with Point-to-Group information sharing patterns; Mishra and Pandey (2011) presented the SEIRS model for the transmission of worms in a computer network through vertical transmission. Furthermore, the mathematical relationships in our model are based on epidemiology-based models. Hence the structural validity of our research model is supported by the literature and satisfies the requirements of SD.

Behavior Validity
Behavior validity determines how consistently model outputs match real world behavior (Barlas, 1996). It is usually assessed by running the simulation with actual, historical data. Unfortunately, because no such data exist, we compare the behavior of our model with the behavior of other research models. The behavior of this research model, shown in Figure 4(a), is similar to that in previous research (Yuan & Chen, 2008; Yuan et al., 2009). Therefore, we conclude that the simulation model of this research has high behavior validity.

Initial Results
The assumptions of this research are: (1) users adopt antivirus software with the latest virus signatures, which is effective against attack by computer viruses; (2) there are no vulnerabilities in the operating system because the user has already patched it. The initial results are shown in Figure 4. The propagation trend of the SEIR model is shown in Figure 4(a) and the dynamics of the rates are shown in Figure 4(b). Users do not contact the network and external media continuously; hence the computer virus propagates at a slower speed and the infection rate oscillates. Because the probability of using antivirus software is 0.5, the number in the recovered class, R, is much smaller than the total number of devices. The number in the infectious class is not apparent because the exposed devices transform into infectious devices after the latent period.
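The stock-and-flow behaviour described above can be sketched with a short Euler integration. This is an added example, not the authors' Vensim model: flow equations (4) and (5) and the values 0.4, 0.6, 0.5, 4, 5, 1 and 4 are taken from the paper, while the infection-rate form, the pulse-train reading of contact rate and repeattime, the population size, latency, infectivity and the `with_control` mapping are assumptions; the exposed to recovered flow is omitted because the page gives no equation for it.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Params:
    total_devices: float = 1000.0     # constructed population size
    initial_infectious: float = 1.0   # constructed seed infection
    p_malicious_net: float = 0.4      # paper: probability of contact network with malicious
    p_malicious_media: float = 0.6    # paper: probability of contact external media with malicious
    p_antivirus: float = 0.5          # paper: probability of using antivirus software
    net_on: float = 4.0               # paper: contact rate for network (initial value)
    net_period: float = 5.0           # paper: repeattime (initial value)
    media_on: float = 1.0             # paper: contact rate for external media (initial value)
    media_period: float = 4.0         # paper: repeattime1 (initial value)
    latency: float = 2.0              # assumed average duration of latency periods
    infectivity: float = 1.0          # assumed


def pulse(t, on, period):
    """1.0 while a contact window is open, else 0.0 (assumed pulse-train reading)."""
    return 1.0 if (t % period) < on else 0.0


def simulate(p, horizon=200.0, dt=0.125):
    """Euler-integrate the four stocks; returns rows (t, S, E, I, R, infection_rate)."""
    s = p.total_devices - p.initial_infectious
    e, i, r = 0.0, p.initial_infectious, 0.0
    history = []
    for step in range(int(horizon / dt)):
        t = step * dt
        # Users are not in contact continuously, so exposure switches on and off.
        exposure = (pulse(t, p.net_on, p.net_period) * p.p_malicious_net
                    + pulse(t, p.media_on, p.media_period) * p.p_malicious_media)
        # Assumed form: latent (E) and infectious (I) devices both spread the virus.
        infection_rate = s * p.infectivity * exposure * (e + i) / p.total_devices
        exposed_to_infected = e / p.latency    # paper, equation (4)
        recovery_rate = i * p.p_antivirus      # paper, equation (5)
        history.append((t, s, e, i, r, infection_rate))
        s -= infection_rate * dt
        e += (infection_rate - exposed_to_infected) * dt
        i += (exposed_to_infected - recovery_rate) * dt
        r += recovery_rate * dt
    return history


def with_control(p, effectiveness):
    """Assumed mapping: a control scales both malicious-contact probabilities
    by (1 - effectiveness); the paper only states that the probability drops."""
    return replace(p,
                   p_malicious_net=p.p_malicious_net * (1.0 - effectiveness),
                   p_malicious_media=p.p_malicious_media * (1.0 - effectiveness))


def cumulative_infected(history, p):
    """Devices that have ever left the susceptible stock, plus the initial seed."""
    return p.total_devices - history[-1][1]


if __name__ == "__main__":
    base = Params()
    for label, params in (("baseline", base), ("control 0.8", with_control(base, 0.8))):
        hist = simulate(params)
        peak = max(row[5] for row in hist)
        print(f"{label:12s} ever infected={cumulative_infected(hist, params):7.1f} "
              f"peak infection rate={peak:6.2f}")
```
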

The Effects of Contact Rate for Network and External Media
In this section, the effects of contact rate on computer virus propagation are explored in Figure 5 and Figure 6. We assume probability of contact network with malicious is 0.4. In Figure 5(a), plotted trends 1, 2, and 3 show the changes in the infection rate based on contact rate for network values of 2 (CRN2), 4 (Initial) and 6 (CRN6) respectively. Obviously, the longer devices are in contact with the network, the more significantly they are infected. In Figure 5(b), plotted trends 1, 2, and 3 show the changes in the infection rate based on repeattime values of 4 (RT4), 5 (Initial) and 6 (RT6) respectively. The more frequently devices contact the network, the more significantly they are infected. The impact of contact rate for external media on computer virus propagation is shown in Figure 6. In our initial scenario, probability of contact external media with malicious is 0.6. In Figure 6(a), plotted trends 1, 2, and 3 show the changes in the infection rate based on contact rate for external media values of 1 (Initial), 3 (CREM3) and 5 (CREM5) respectively. In Figure 6(b), plotted trends 1, 2, and 3 show the changes in the infection rate based on repeattime1 values of 2 (RT1_2), 4 (Initial) and 6 (RT1_6) respectively. Users' contact with external media affects the infection rate, but this effect is not significant. The simulation results indicate that contact with the network affects the infection rate more significantly than contact with external media. Web-based systems are increasingly adopted in organizations. If networks are open, anyone can easily access them and their devices will be infected. Therefore, managers must institute a network utilization policy for all employees, for example by defining a standard in accordance with employees' power or working scope. We can improve organizational security by defining and establishing the roles and responsibilities of staff, enhancing awareness and training, strengthening physical access and control, etc. The following protection mechanisms must be considered and employed:
• To ensure that assets receive an appropriate level of protection, managers should identify all assets and define the classification of assets;
• The authentication schemes should be performed not only when outsiders or newcomers request internal services, but also when insiders request services on external servers;
• Removable storage and removable/mobile access media should be restricted. Where they are required, their use should be limited to classified persons;
• Techniques such as anti-virus systems, content filters and malicious code detection mechanisms should be employed to ensure information security in data transmission between or within networks.

The Effects of Firewall and Policy Enforcement
More and more people access information over the Internet and mobile networks, and many messages are sent through e-mail or social networks. Because websites have vulnerabilities and malicious URLs exist, a computer system may be infected by an incidental click. We consider the probability of contact network/external media with malicious, which reflects how people adopt technical security solutions such as firewalls to solve information security problems and implement information security policy. The more effectively firewalls are implemented, the lower the value of the probability of contact with malicious. Policy enforcement would mitigate the risk of computer virus threats. First, we consider the influence of the firewall on the dynamics of the infection rate. The simulation results are shown in Figure 7(a). The plotted trends 1, 2, and 3 show the changes in the infection rate based on the effectiveness of firewall values of 0.6 (FW06), 0.7 (FW07) and 0.8 (FW08) respectively. Second, we consider the influence of policy enforcement on the dynamics of the infection rate. The simulation results are shown in Figure 7(b). In Figure 7(b), plotted trends 1, 2, and 3 show the changes in the infection rate based on the level of compliance with the policy values of 0.6 (PE06), 0.7 (PE07) and 0.8 (PE08) respectively. Comparing the optimal cases of Figure 7(a) and 7(b), the trends of the infection rate are shown in Figure 8. The results show that policy enforcement has a more powerful influence than the firewall on restraining the infection rate. This result highlights the importance of ISM and reveals an important challenge for ISM. It is difficult to implement security controls when people do not have enough orientation or education about IT security practices. In addition, it is difficult to decide how security controls can be integrated into the existing infrastructure, especially when the organization has many interconnected systems, such as servers, networks and databases. The complexity of networks and systems is also a challenge when implementing security controls in organizations. Although various network security techniques such as firewalls and intrusion detection systems have been developed for the detection and prevention of attacks, there are few people to maintain and audit the security rules. Following the above discussion, for the detection and prevention of computer virus attacks, we suggest the following considerations:
• Establish a security culture and enhance education and training in information security;
• In accordance with the policies of the organization, establish firewalls or security gateways to prevent illegal access;
• The configurations and parameters of firewalls should be audited regularly;
• The operating system and the application software on hosts and servers should be updated and patched regularly.

Conclusions
In this paper, we develop a SEIR model using the SD method for computer virus propagation analysis, taking into account the effect of antivirus countermeasures and focusing on the contact rate at which users contact the network and external media respectively, from the viewpoint of information security management policies. We assume that users adopt antivirus software with the latest virus signatures and that there are no vulnerabilities in the operating system. Our main contributions include the following: (1) we combine the viewpoint of ISM with a computer virus propagation model to overcome the lack of managerial insights in previous research; (2) we consider the influence of antivirus countermeasures on computer virus propagation at different stages. Anti-virus software and firewalls top the list of what people have deployed to fight computer viruses in the state transition paths from S to E and from I to R. The results show that: (1) contact with the network affects the infection rate more significantly than contact with external media; (2) policy enforcement has a more powerful influence than the firewall on restraining the infection rate. The results highlight the importance of information security management for organizations. Information security includes both technological and human issues. Security techniques are not sufficient to mitigate computer virus threats without management policies. Though security techniques are developing rapidly and have remarkable effects, management and audit policies should be enforced and continually monitored, maintained and improved.
Given the limitations of the research methods and tools in information security research, we adopt the SD method to surmount these obstacles, and provide a new path for research in information security management. The findings of this study include managerial implications. Protecting information often requires the application of some technology, but it always requires the use of people and processes (Broderick, 2006). We should not overlook the fact that electronic applications in businesses and the sharing of information on network systems have increased. Therefore, a set of ISM policies must be established, including security requirements, asset management, roles and responsibilities, security awareness training and policy education, compliance, etc., and should be stressed in operating activities. After security techniques are implemented, the configurations and parameters of facilities should be audited regularly in accordance with policy. Much remains to be done, but we anticipate that the study will generate important findings in the field of information security management.
Finally, the connectors, represented by simple arrows, are the information links representing cause and effect within the model structure, while the double line arrows represent physical flows. Double lines across the arrows indicate delayed information. The computer virus propagation model, namely the stock and flow diagram, is developed with Vensim PLE in this research and illustrated in Figure 2. In this research, susceptible, exposed, infectious and recovered are the principal stock variables; infection rate, exposed to infected rate, exposed to recovered rate and recovery rate are flow variables. Total device, contact rate for network, probability of contact network with malicious, infectivity and average durations of latency periods, etc., are auxiliary/constant variables. Contact rate for network is linked to infection rate by a simple arrow because the relation between these two variables is one of cause and effect. The flow of susceptible devices to exposed devices represents a physical flow, and they are linked by double line arrows. Following the classic assumption, membership of the recovered class implies permanent immunity; that is, removed individuals do not return to the susceptible class. The following equations are introduced to facilitate the model description.

Figure 3. The frequency and duration of devices contacted (a) network and (b) external media
Figure 4. Initial simulation results
Figure 5. The effects of (a) contact rate for network and (b) repeattime
Figure 6. The effects of (a) contact rate for external media and (b) repeattime1
Figure 8. The influences of infection rate (FW08: Firewall = 0.8; PE: Policy Enforcement = 0.8)

Table 1. The controls in ISO/IEC 27001 about computer virus prevention

Table 2. Summary of the feedback loops of computer virus propagation

Table 3. Summary of Epidemic model in preceding information security researchers

Table 4. Notation list

The stock and flow diagram is constructed from stock variables, flow variables, auxiliary variables and constant variables. A stock variable (symbolized by a rectangle) represents a point where content can accumulate and deplete. A flow variable (symbolized by a valve) is a rate of change in a stock variable and represents an activity which fills or drains the stock variable. Some examples of such activities are infections in a population, recoveries from a population, and improvement of capability. An auxiliary/constant variable can store an equation or a constant.