Systems Research and Behavioral Science
Syst. Res (2018)
Published online in Wiley Online Library (wileyonlinelibrary.com) DOI: 10.1002/sres.2556

Research Paper

Towards the Definition of a Dynamic and Systemic Assessment for Cybersecurity Risks

Stefano Armenia (1)*, Eduardo Ferreira Franco (2), Fabio Nonino (3), Emanuele Spagnoli (4) and Carlo M. Medaglia (1)

(1) Department of Research, Link Campus University of Rome, Rome, Italy
(2) Department of Computer Engineering, University of São Paulo, São Paulo, SP, Brazil
(3) Department of Computer, Control, and Management Engineering 'Antonio Ruberti', Sapienza University of Rome, Rome, Italy
(4) PricewaterhouseCoopers Advisory SpA, Technology - Cybersecurity, Rome, Italy

Nowadays, our society is becoming increasingly dependent, economically and socially, on cyberspace. However, cyberspace is exposed to numerous risks, and there is a constant threat of exploitable vulnerabilities, which could cause significant reputational and economic damage. To address these threats, the Italian National Cyber Security Framework was developed to offer an approach to assessing cyber risks within organizations, as well as to help improve the related security through focused investments. Still, this evaluation is not a straightforward endeavour. Using the principles of the Systems Thinking paradigm, this work puts the self-assessment risk categories into causal relationships by associating them with the various aspects of an organizational structure used as a case study (composed of business areas and processes). Finally, it presents a systemic cause-effect relationship map capable of showing how a change in one or more categories could impact other security-related elements of the company. © 2018 John Wiley & Sons, Ltd.

Keywords: National Cyber Security Framework; cyber-security risks; system thinking

* Correspondence to: Stefano Armenia, Department of Research, Link Campus University of Rome, Via del casale di San Pio V 44, 00165 Rome, Italy. E-mail: [email protected]

Received 17 October 2017; Accepted 18 August 2018
© 2018 John Wiley & Sons, Ltd.

INTRODUCTION

Although our society is becoming increasingly dependent, economically and socially, on the internet, cyberspace and its core components are exposed to numerous risks, and since these complex systems are rapidly evolving, there is a constant threat of exploitable vulnerabilities. These vulnerabilities can be exploited by attackers to break into the computer systems of an organization, allowing them to read, steal,
disclose or delete critical information, up to taking full control of physical assets.

These numerous vulnerabilities, coupled with the fact that awareness of this situation is not yet well established at all levels of society, indicate that cyber threats can become a critical issue for organizations, with financial and reputational impacts.

Cybersecurity can thus be ensured only through a consistent policy that does not consider only the technical and technological components of the problem but is also able to grasp its legal, economic and social aspects, as demonstrated by some recent examples:

• The US expelled 35 Russian diplomats as punishment for alleged interference, through Russian cyber activities, in the 2016 presidential elections (Mazzetti & Goldman, 2016);
• Yahoo discovered another major cyber-attack, in which data from more than 1 billion user accounts had been compromised in August 2013, making it the largest breach of this kind in history (Goel & Perlroth, 2016);
• Italy's foreign ministry came under cyber-attack in 2016 (Kirchgaessner, 2017);
• In Italy, 30.3% of businesses reported at least some damage from a cyber-attack between September 2015 and September 2016 (Biancotti, 2017);
• Cyber-attacks struck Twitter, PayPal, Spotify and other customers of an infrastructure company called Dyn, which acts as a switchboard for internet traffic (Perlroth, 2016).

Moreover, in the coming years, issues related to cybersecurity will assume even greater proportions. In 2015, damages related to data breaches and system malfunctions caused by cybercrime were estimated at US$ 400 billion per year (Gandel, 2015), and according to Juniper Research (2015) these costs will rise to US$ 2.1 trillion by 2019. To combat these threats, global spending on cybersecurity over the period from 2016 to 2022 is estimated at around 172 billion dollars (Market Research Engine, 2017).

Under these conditions, and using a military metaphor, cyberspace can be considered a real battlefield, and as such enterprises and organizations should move through it with an intelligence mindset. Based on the NIST Cybersecurity Framework (NIST, 2014), the Italian National Cyber Security Framework was created with the aim of offering small and medium enterprises (SMEs) and large companies a voluntary, uniform approach to addressing cybersecurity and reducing the risks associated with cyber threats. Comparing the practices already adopted by a company with those proposed by the Italian framework provides an opportunity to fill gaps that were not properly recognized or treated.

This framework relies on several standards, guidelines and practices developed, managed and maintained by industry to help organizations achieve desired levels of resilience to risk. It provides a common taxonomy and mechanisms for organizations to (i) describe their current cybersecurity posture; (ii) describe their target state for cybersecurity; (iii) identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; (iv) assess progress toward the target state; and (v) communicate with internal and external stakeholders about cybersecurity risks (NIST, 2014).

For PricewaterhouseCoopers (2014), by adopting the Cybersecurity Framework companies can attain ancillary benefits:

• It can be used to assess their current capabilities and draft a prioritized roadmap toward improved cybersecurity practices;
• It creates a common language for discussing cybersecurity issues that can facilitate internal and external collaboration;
• It may set cybersecurity standards for future legal rulings; consequently, organizations that adopt it may be better positioned to comply with future regulations;
• It represents a tipping point in the evolution of cybersecurity, marking a shift from reactive compliance to proactive risk-management standards.

The cybersecurity theme is also attracting a large community of researchers and practitioners interested in further developing this

subject in its multifaceted dimensions. One of the current challenges is to develop evaluation methods and tools that support the assessment of the future outcomes of investments made by organizations to reduce their risk exposure.

This evaluation is not a straightforward endeavour, though. These initiatives involve socio-technical contexts: the interplay of technological components (hardware and software), people (with cognitive capabilities and associated shortcomings), data (to capture real-life situations) and organizational issues (policies, processes and management). From these interactions a dynamically complex environment arises, displaying circularity of relationships and complex interdependencies (feedback loops), differential-equation-driven behaviour (accumulation), delays and unexpected consequences (causes and effects distant in time and space, with emergent behaviours), which thus requires non-trivial and non-intuitive solutions (Georgantzas & Katsamakas, 2008).

Using the principles of the Systems Thinking paradigm, the purpose of this paper is to address the following research question: how can the self-assessment risk categories listed in the Italian National Cyber Security Framework be put into causal relationship terms, by associating each category with the various aspects of one possible organizational structure, hence deriving a systemic cause-effect relationship map capable of showing how a change in one or more categories drives change in other ones?

When an organization (be it a large public or private body or an SME, for example) makes an assessment considering those categories, it is defining a risk profile against a desired cybersecurity level. To achieve this level, it must invest in different potential levers connected to those categories (that is, management levers that allow actions to be undertaken to improve one or more categories). It tries to move toward a different and better overall risk profile, and one might want to infer whether changing such a level of risk means acting on every category, or whether some of them are sensitive leverage points on which it is possible to intervene first in order to be most effective. Moreover, the cause-effect relationship mapping could uncover how acting on these leverage categories (higher polarity and loop dominance) indirectly (systemically) and synergically impacts other categories (intensity and direction), hence optimizing outcomes and costs.

This work is organized in five sections. Section 2 presents a summary of the literature review for the formulation of the research context, followed by a summary of the Italian National Cyber Security Framework. Section 3 lists the research methods employed for performing the proposed causal mapping. Section 4 presents the conclusions, the limitations of the current work and suggestions for future work.

BACKGROUND

This section presents an overview of the literature related to the economic/risk assessment of information security and cyber threats, followed by a brief description of the Italian National Cyber Security Framework.

Related Works

Many works in the literature have explored the economic perspective of information security and cyber threats, regarding costs, potential losses and necessary investments. There are models for supporting decision makers in evaluating different security investment strategies (Comes, Hiete, Wijngaards, & Schultmann, 2011; Fielder, Panaousis, Malacaria, Hankin, & Smeraldi, 2016), for estimating the return on security investments (Cavusoglu, Mishra, & Raghunathan, 2004; Purser, 2004), and works discussing the assessment and management of risk exposure due to information security threats (Bojanc & Jerman-Blažič, 2008, 2013). Dutta and McCrohan (2002) argue that most of these works did not take into consideration elements such as organizational politics and psychological and cognitive biases. Moreover, due to the fast-paced nature of the information security industry and the static viewpoint often adopted, these works can become obsolete and limited in

their ability to represent the current decision-making process accurately, as their underlying assumptions are affected or changed (Dor & Elovici, 2016).

Concerning the application of system dynamics to evaluating cyber threats, Torres and Sarriegi (2004) analysed how to improve the security management of information systems through formal and informal technical controls; however, they did not explore other potential sources of security risk. Melara et al. (2003) investigated the risks of information system exposure due to an insider attack and how they could be minimized. Canzani and Pickl (2016) used system dynamics with a game-theoretic approach to understand the cyber-epidemic dynamics of critical infrastructure operations triggered by attacker and defender interactions. Sveen et al. (2007) explored how a knowledge management system, designed to collect information about security events and incidents, could be used to overcome organizational, interpersonal and social constraints so that companies better understand their actual safety and security conditions.

There are also previous works that explored cybersecurity risks using the system dynamics approach from a strategic perspective. Nazareth and Choi (2015) evaluated alternative management strategies from the investment and cost perspectives to provide managers with guidance for security investment decisions. In another work, Armenia et al. (2014) discussed how a national cybersecurity act could lead to unexpected situations due to the lack of systemic skills among policy makers and hence their ineffectiveness in responding in a timely manner to a national cyber threat.

However, the current work differs from all those discussed above. Firstly, it revolves around the Italian National Cyber Security Framework, hence bringing to the discussion the concept of industry good practices and inheriting its capacity for communication to broaden the discussion of cybersecurity across organizations, from the executive to the operational level. Secondly, by joining the risk categories into a causal mapping of a typical medium-large private organization's process structure (taken as a mere example and not necessarily as a privileged case study for application), which is also described in causal terms, this work proposes a common ground for discussions concerning the adoption of a systemic perspective as a good practice in cybersecurity risk assessment.

The Italian National Cyber Security Framework

Due to its compatibility with NIST's security profiles, the Italian National Cyber Security Framework can favour the communication of its security levels with reference to known industry standards. The Italian Framework provides full coverage of the information and system security life cycle (conception, development, operation and maintenance), while maintaining a degree of abstraction that grants companies freedom in the implementation and contextualization of security controls, which are safeguards or countermeasures to avoid, detect, counteract or minimize security risks to information, computer systems or other assets.

Addressing cyber threats requires a joint response from the public and private sectors, and the implementation of the Framework brings some advantages, such as:

• For SMEs, it provides a series of security practices that are simple and economical at the same time;
• For large enterprises, it can be useful to support, through a single method, the risk management programmes and processes, so that they evolve consistently and in a structured way;
• For sector regulators, it may be used as a tool to define regulations and standards in a structured way that is compatible with other regulators.

The NIST Framework Core is made up of 21 categories (NIST Cybersecurity Framework Draft Version 1.1 includes a new category entitled 'Cyber Supply Chain Risk Management', which addresses processes to identify, assess and mitigate cyber supply chain risks) and 98 subcategories, structured into five functions: Identify, Protect, Detect, Respond and Recover. They represent the main topics to

deal with to obtain appropriate cyber risk management. A hierarchical representation of the categories and functions is shown in Figure 1.

Figure 1 NIST categories organized into its five functions [Colour figure can be viewed at wileyonlinelibrary.com]

The Italian framework derives its three fundamental concepts from the NIST one (NIST, 2014):

• Core: a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors. It presents industry standards, guidelines and practices that allow communication of cybersecurity matters across the organization, from the executive level to the operational level;
• Implementation Tiers: provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. They describe the degree to which an organization's practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable and adaptive);
• Profile: represents the outcomes, based on business needs, that an organization has selected from the Framework categories and subcategories. The Profile can be characterized as the alignment of standards, guidelines and practices to the Framework Core in a particular implementation scenario.

Likewise, it extends this structure by introducing two new concepts (Baldoni & Montanari, 2016):

• Priority Levels: support organizations in the preliminary identification of which subcategories to invest in further to reduce their risk levels, while balancing the effort to implement them.
• Maturity Levels: enable the measurement of the maturity of a security process, the maturity of a specific technology implementation, or an assessment of the amount of resources needed to implement a specific subcategory.

MATERIAL AND METHODS

This exploratory study aims to uncover the causal relationships among cybersecurity risk categories and to investigate how they relate to a possible organizational structure (composed of

business areas, processes, functions and roles). To develop the dual causal mapping, a qualitative approach based on the Systems Thinking paradigm was used, following the steps described below:

1. Contextualization: the first step was to characterize a possible organizational structure in causal terms. For this purpose, and for the sake of simplicity and brevity, we decided to consider as a case study a medium-sized Italian private company, which is described in section '3.1'.
2. Causal mapping: after defining the organization's structure and its inner elements (business areas, processes, functions and roles), two departments were selected for further analysis. The 'Management, Planning & Control' and 'IT & Security' departments were then described in simplified causal terms, making sure that all their relevant parts and variables related to the Italian National Cyber Security Framework components were included (presented in sections '3.2' and '3.3', respectively).
3. Dual mapping: lastly, using the causal loop diagram (CLD) created in the prior step, each of the Italian National Cyber Security Framework categories was positioned on its related spot of reference, and hence interconnected from the causal-relationship perspective and within the relevant business process (the results are shown in section '4.4').

Managing and investing in cybersecurity matters inside a corporate environment can be quite difficult, especially if one wants to predict and control the outcomes. However, by using the Systems Thinking paradigm, and by keeping our example sufficiently simple (i.e., using an SME context rather than a large corporate or public body), it is possible to understand the connections between the elements involved and to endogenously explain the relationships among events and behaviours, making it possible to identify the 'structures' that underlie complex situations and to discern high- from low-leverage change.

Senge (2006) describes Systems Thinking as a framework for seeing interrelationships rather than things, for identifying patterns of change rather than static 'snapshots', that provides a set of tools and techniques which originated within the 'feedback' concepts of cybernetics and in 'servomechanism' engineering theory. The current work uses one of the most basic, but central, tools of Systems Thinking: the CLD.

Causal Loop Diagrams

As feedback is one of the core concepts for understanding systems, the CLD is a valuable tool for representing the feedback structures of a system. These diagrams consist of variables connected by links representing causal influence among them; each link is assigned a polarity indicating how the variables influence each other (positive when cause and effect move in the same direction, negative when they move in opposite directions). A feedback loop is a closed chain of links, through a set of decisions, rules or actions that depend on the state of the system. The most complex behaviours usually arise from the interaction of two basic types of feedback loop: balancing (B) and reinforcing (R). A loop with an odd number of negative links is balancing; otherwise it is reinforcing.

Several authors have suggested (Eden, Jones, & Sims, 1979; Wolstenholme, 1982; Wolstenholme & Coyle, 1983) that CLDs can be used in a free-standing mode, without computer simulation, to assist issue structuring and problem solving through reference to the behaviour of system archetypes. Once developed, the causal map allows one to move quite straightforwardly to a quantitative model that can be simulated using the System Dynamics approach, which allows one to look at how the feedback structures of a system endogenously explain how the observed behaviour emerges. Computer simulation models provide the advantage of compressing space and time, giving specific quantitative results in a short amount of time. The passage from a qualitative to a quantitative model is guaranteed by the inherently isomorphic approach that Systems Thinking and System Dynamics share. In fact, a causal loop diagram is the representation (in causal terms) of a Stock and Flow diagram (typical of System Dynamics) before any accumulation (state) variables are identified and hence quantified. A System Dynamics model properly populated with variables and parameter values can then be simulated, and the behaviour of selected variables over time can be analysed.
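To make the preceding definitions concrete, the following Python script is an added worked example (not code from the paper or its authors). It encodes a constructed subset of the causal links that the Top Management, Planning & Control and IT mappings describe in words (Figures 4 and 5): 'KPI Gap', 'Strategic Plan Implementation', 'Current KPI', 'Organizational Complexity', 'Desired Information System Size', 'Information System Gap', and so on. It enumerates the feedback loops of the signed graph, classifies each as balancing or reinforcing by the parity of its negative links, ranks variables by the number of loops they belong to as a crude indicator of leverage, and finally quantifies the KPI balancing loop as a stock-and-flow model to show goal-seeking behaviour and the overshoot that an implementation delay introduces. The two links marked ASSUMPTION (from 'Ability to do Business' through 'Desired Production' back to 'Organizational Complexity') are not stated in the paper and are included only so that a reinforcing loop appears; the variable names are labels chosen for this example, and the adjustment time and delay are arbitrary parameters.

```python
"""Causal loop diagram (CLD) helpers and a stock-and-flow simulation.

Added example (not code from the paper). The links below are a constructed
subset of the Top Management / Planning & Control and IT mappings the paper
describes in words; the two links marked ASSUMPTION close a reinforcing loop
that the paper does not state and are included only to show both loop types.
"""

# Signed causal links: (cause, effect, polarity).
# +1: effect moves in the same direction as the cause; -1: opposite direction.
LINKS = [
    ("Explication of objectives", "Desired KPI", +1),
    ("Desired KPI", "KPI Gap", +1),
    ("Current KPI", "KPI Gap", -1),
    ("KPI Gap", "Strategic Plan Implementation", +1),
    ("Strategic Plan Implementation", "Current KPI", +1),
    ("Strategic Plan Implementation", "Need for Resources", +1),
    ("Need for Resources", "Desired Human Resources", +1),
    ("Organizational Complexity", "Need for Resources", +1),
    ("Organizational Complexity", "Desired Information System Size", +1),
    ("Desired Information System Size", "Information System Gap", +1),
    ("Information System Size", "Information System Gap", -1),
    ("Information System Gap", "IT Investment", +1),
    ("IT Investment", "Information System Size", +1),
    ("Information System Size", "Threats and Vulnerabilities", +1),
    ("Threats and Vulnerabilities", "Cybersecurity Investment", +1),
    ("Information System Size", "Ability to do Business", +1),
    ("Ability to do Business", "Desired Production", +1),      # ASSUMPTION
    ("Desired Production", "Organizational Complexity", +1),   # ASSUMPTION
    ("Desired Production", "Desired Human Resources", +1),
]


def find_loops(links):
    """Enumerate every simple feedback loop as (variables, polarities).

    Each loop is reported once, starting from its alphabetically smallest
    variable; the polarity tuple has one entry per link in the loop.
    """
    succ = {}
    for cause, effect, _ in links:
        succ.setdefault(cause, [])
        succ.setdefault(effect, [])
    for cause, effect, pol in links:
        succ[cause].append((effect, pol))
    rank = {name: i for i, name in enumerate(sorted(succ))}
    loops = []

    def walk(start, node, path, pols):
        for nxt, pol in succ[node]:
            if nxt == start:
                loops.append((tuple(path), tuple(pols + [pol])))
            elif rank[nxt] > rank[start] and nxt not in path:
                walk(start, nxt, path + [nxt], pols + [pol])

    for name in succ:
        walk(name, name, [name], [])
    return loops


def loop_type(pols):
    """'B' (balancing) for an odd number of negative links, else 'R'."""
    return "B" if sum(1 for p in pols if p < 0) % 2 else "R"


def leverage_points(loops):
    """Variables ranked by how many feedback loops they take part in."""
    counts = {}
    for path, _ in loops:
        for var in path:
            counts[var] = counts.get(var, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def simulate_kpi_loop(desired_kpi=100.0, current_kpi=40.0,
                      adjustment_time=4.0, delay=2, steps=40):
    """Quantify the KPI balancing loop as a stock-and-flow model.

    'Current KPI' is the stock; the inflow is the share of the gap the plan
    closes per period (gap / adjustment_time), which takes `delay` periods
    to take effect, standing in for budget allocation and implementation lag.
    Returns the trajectory of 'Current KPI', one value per period.
    """
    pipeline = [0.0] * delay
    history = [current_kpi]
    for _ in range(steps):
        gap = desired_kpi - current_kpi
        pipeline.append(gap / adjustment_time)
        current_kpi += pipeline.pop(0)
        history.append(current_kpi)
    return history


if __name__ == "__main__":
    for path, pols in find_loops(LINKS):
        print(loop_type(pols), " -> ".join(path))
    print(leverage_points(find_loops(LINKS))[:3])
    print([round(v, 1) for v in simulate_kpi_loop()[:10]])
```

Running the script prints each loop with its type, the variables shared by the most loops, and the first periods of the KPI trajectory. With delay=0 the gap closes monotonically, whereas with a two-period delay the 'Current KPI' overshoots its target before settling, which is the kind of non-intuitive behaviour that motivates simulating the CLD rather than reading it statically.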


The following subsections present the results of the dual causal mapping of the business organizational structure used as a case study. This mapping was performed according to the Italian National Cyber Security Framework risk categories, described in subsection '2.2'.

Case Study

This work presents a single in-depth longitudinal analysis of a medium-sized Italian company from the manufacturing sector, which constitutes the unit of analysis. As explained, a typical SME structure represents a sufficiently complex environment that accounts for various aspects of the management of organizations, but at the same time is also sufficiently simple and manageable for the scope of this analysis. A typical SME structure is thus considered paradigmatic for the idea that we would like to convey through this paper, but is not intended to constitute an axiom by any means. Consequently, the presented model represents just an example of the method that we propose and is not intended to be a paradigm for all SMEs, let alone more complex organizational structures.

A general organizational structure is depicted in Figure 2.

Figure 2 General department structure of the hypothetical organization [Colour figure can be viewed at wileyonlinelibrary.com]

Yin (2003) defines the case study research method 'as an empirical inquiry that investigates a contemporary phenomenon within its real-life context; when the boundaries between phenomenon and context are not clearly evident; and in which multiple sources of evidence are used.'

The Eisenhardt (1989) guidelines for defining a case study research protocol were adopted, as they are better suited to building theory through the development of a conceptual model. To collect the data necessary for the proposed mapping, a set of interviews with the leaders of each department illustrated in Figure 2 was conducted. These interviews were based on open questions to gather qualitative data, in which each leader described how the processes of his department relate to and impact cybersecurity matters. Whenever an inconsistent mapping was identified, further interviews were arranged to resolve it, until the final mapping was developed.

For this work, the presented results focus on the causal mapping of the 'Top Management', 'Planning & Control', 'IT' and 'Security' departments. A brief description of these areas is provided in Table 1.

After contextualizing the organization, the second step was to describe the selected departments in causal terms.

At the macro level of the causal model, the 'Bubble Diagram' (Armendariz, Armenia, & Atzori, 2015) was employed to highlight the business areas and their interdependencies (Figure 3). The diagram gives prominence to the systemic approach adopted in this work: systems thinking, which allows seeing both the parts (functional areas) and the system (the whole company), and makes the best of both.

The following subsections discuss the causal diagrams for the selected departments, thus

drilling down to 'medium' and 'micro' levels of detail, as needed to perform the mapping of the Italian National Cyber Security Framework's risk subcategories.

Table 1 Organization's department descriptions

Top Management: defines the business objectives and ensures that they are aligned with the company's mission and vision. This entails not only coordination but also the decision-making needed to achieve results in line with corporate purposes and to satisfy the company's stakeholders.
Planning & Control: evaluates, implements and monitors the strategic plan defined by Top Management to help achieve the required objectives.
IT: information technologies allow the company to control, plan and manage all activities in an integrated way and to process larger amounts of data quickly.
Security: oversees the efforts directed at improving security policies, implementing technical controls, conducting audits and assessments, and driving awareness of secure behaviour among people.

Figure 3 Bubble diagram [Colour figure can be viewed at wileyonlinelibrary.com]

Top Management, Planning & Control Departments

The cybersecurity issue is not to be seen just in technological terms; rather, it requires considering the overall legal and formal duties and the principles of social interest on which the public and private frameworks need to converge. For this reason, the duty of protection should be part of top management's responsibility in an organization.

Within the function 'Identify' (Figure 1) is located the category 'Business Environment' (ID.BE), which focuses on how top management is crucial for understanding the environment in which the company operates, identifying the role it has in the supply chain, and defining the priorities regarding the company's mission, objectives and activities.

Top management is also responsible for 'Governance' (ID.GV), which is the set of policies, procedures and processes to monitor the

requirements of the organization, which must be understood and implemented to manage cybersecurity risks. Top management should define policies in line with the organization's mission, vision, business objectives and cyber risk management practices.

Looking at the department's causal relationships, the first interdependence identified binds the 'Top Management' and 'Planning & Control' departments, as shown in Figure 4. The negative links are highlighted with red arrows and the positive links with blue arrows.

Figure 4 Management, Planning & Control department causal loop diagram [Colour figure can be viewed at wileyonlinelibrary.com]

The 'Explication of objectives' set by 'Top Management' finds its translation into quantitative form in the definition of the 'Desired KPI' (key performance indicator). It is therefore up to the 'Planning & Control' department to define the strategic plan that has to be implemented to achieve the 'Desired KPI'. To implement a strategic plan, various resources are needed: human, technological and financial. Obviously, the resources required or available will increase with the organizational complexity of managing all the departments that will have to cooperate to achieve the objectives. To implement the various processes after the strategic re-planning, it is necessary to increase the annual budget allocated to each function.

The implementation of the strategic plan leads to an increase in the 'Current KPI'; the 'KPI Gap' between desired and actual KPI, however, requires constant monitoring in order to analyse the fundamental differences, correct any problems and thus further improve the implementation of the strategic plan. The achievement of specific objectives will reduce the 'KPI Gap', closing the balancing feedback loop. Three important interdependencies among business functions are identified:

• The 'Need for Resources' leads to an increase in the demand for 'Desired Human Resources', which also depends on the 'Desired Production' and the 'Demand for Skilled Human Resources in IT' (from Figure 3).
• 'Organizational Complexity' requires an adequate information system. It thus creates a gap between the information system in use and the 'Desired Information System Size', which will therefore need to be improved.
• The information system will ensure 'Efficient Communication' at all levels and thus will improve the 'Effective Managerial Communication' and 'Coordination of Departments' needed to drive the business functions.

IT & Security Departments

Nowadays, any kind of organization needs an information system, formed by technical

components, organizational procedures, and proper operation and management. The Italian
dedicated human resources, to support its opera- National Cyber Security Framework impacts
tion and address the increasingly amount of ex- strongly on these functional areas, dedicating
changed data during the execution of business most of its risks subcategories to them.
processes. Information systems should not be As ‘Organizational Complexity’ increases, a
confused with the computer system, which indi- bigger ‘Desired Information System Size’ is
cates the information technologies and automa- necessary for addressing it. In an increasingly dy-
tion that support and make more efficient the namic environment, companies need to manage
information system. larger amounts of information in a more effec-
Information system, IT and security are the tive, efficient and timely manner to respond to
central functions regarding cybersecurity, and the continuous market changes. Making deci-
much of the company’s success depends on their sions quickly requires the ability to promptly

Figure 5 IT department causal loop diagram

Table 2 Security department's functions and categories

Function: Respond (RS)
Categories:
  Response Planning (RS.RP): procedures and response processes are executed and maintained to ensure a timely response to cybersecurity events.
  Communications (RS.CO): for the prompt communication of potential attacks to the internal staff or to external parties, and for effective reporting activities.
  Analysis (RS.AN): analyses are conducted to ensure an appropriate response and support to recovery activities.
  Mitigation (RS.MI): to mitigate the effects and remove the incident.
  Improvements (RS.IM): 'response plans' are improved by incorporating 'lessons learned.'

Function: Recover (RC)
Categories:
  Recovery Planning (RC.RP): the recovery procedures are performed to ensure timely recovery of the systems or assets involved.
  Improvements (RC.IM): recovery plans and the related processes are improved taking into account the 'lessons learned.'
  Communication (RC.CO): to restore the reputation and to manage the external and internal relations.


have all the information that a company needs, which is possible only if it has an information system able to retrieve large amounts of data in real time. At the same time, the use of computer systems exposes the company to threats and vulnerabilities that grow with their size.

To bridge the 'Information System Gap' (Figure 5), more resources are needed: skilled human resources in ICT, a computer system that is adequate to the increased demand for hardware and software components, and more investment devoted to cybersecurity. There are interdependencies among the 'Human Resources,' 'Security,' 'Purchase' and 'Research & Development' departments. The resources dedicated to the information and computer system address the 'Information System Gap'; a better information and computer system will increase the 'Ability to do Business' of the company, helping it to have a more 'Efficient Communication.' A larger computer system, adequately monitored and updated, provides more support to the business activities. The cyberspace is constantly changing, and the computer system will require close monitoring that must be reflected in more frequent inspections, which will lead to 'Periodic improvements' and continuous 'Updates.'

The Italian National Cyber Security Framework offers a guideline to determine any gaps or vulnerabilities that have not been considered and to enhance mitigation strategies for cyber risks through procedures, recognized standards and regulations at the international level.

In the 'Security' department, two functions are located, which are listed in Table 2 (Figure 6). The 'Investments in cybersecurity' will serve to reduce vulnerability exposure and to acquire proper 'Security Devices and Tools' to prevent attacks or to report them promptly.

Figure 6 Security department causal loop diagram

Figure 7 Cyber risks subcategories mapped to the Management, Planning & Control department processes

Table 3 Rationale for the decisions taken for linking Management, Planning & Control department processes to risk subcategories

Business process: Policy Review
Risk subcategories:
  PR.IP-1—A baseline configuration of information technology/industrial control systems is created and maintained.
  PR.IP-2—A System Development Life Cycle to manage systems is implemented.
  ID.GV-1—Organizational information security policy is established.
  ID.GV-2—Information security roles and responsibilities are coordinated and aligned with internal roles and external partners.
  ID.GV-3—Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
  ID.GV-4—Governance and risk management processes address cybersecurity risks.
  ID.AM-6—Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
  PR.AT-4—Senior executives understand roles and responsibilities.
  PR.IP-5—Policy and regulations regarding the physical operating environment for organizational assets are met.
Rationale: An increase of the pressure from Top Management requires a refinement of the mission and vision of the company to achieve better qualitative and quantitative targets. The refinement of the mission and vision of the company also demands the revision of its policies. The Information Security policy needs to be reviewed, improved and communicated to all the employees. Roles and responsibilities must be established for the entire workforce and third-party stakeholders. A baseline must also be established with the initial configurations and minimum security requirements, which should also be included in contracts with suppliers.

Business process: Refinement of Mission and Vision
Risk subcategories:
  ID.BE-1—The organization's role in the supply chain is identified and communicated.
  ID.BE-2—The organization's place in critical infrastructure and its industry sector is identified and communicated.
  ID.BE-4—Dependencies and critical functions for delivery of critical services are established.
  ID.BE-5—Resilience requirements to support delivery of critical services are established.
Rationale: Pressure from Top Management requires a refinement of the Mission and Vision: the company must identify and communicate its role in the supply chain, the objectives to be achieved, the dependencies and the critical functions, and the resilience requirements, and describe clearly what to do and what resources and tools to use.

Business process: Explication of Objectives
Risk subcategories:
  ID.BE-3—Priorities for organizational mission, objectives and activities are established and communicated.
Rationale: Aligning the objectives to the policies, mission and vision of the organization makes it possible to explicate the qualitative and quantitative targets to be achieved. It is necessary to prioritize objectives and activities to better communicate and organize the activities of the business functions.

Business process: Need for Resources
Risk subcategories:
  ID.AM-1—Physical devices and systems within the organization are inventoried.
  ID.AM-4—External information systems are catalogued.
Rationale: Strategic re-planning needs more dedicated resources to transform the strategic plan into an operational plan. It is necessary that the company catalogues and inventories all the physical devices and systems used. Especially for assets and devices that contain or process sensitive data, it is also necessary to know who the owner is.

The reduction of internal and external software defects, combined with the simultaneous improvement of security procedures, will ensure a greater 'Actual Corporate Security Level' and thus a reduction of corporate vulnerability, which reduces the 'Cyber Attack Probability.' Many variables that increase the likelihood of an attack need appropriate response and recovery plans. A computer system crash can cause enormous damage to the image of the company, with the consequent loss of customers and revenue; for this reason, in the case of an incident, the company needs to manage external relations, as well as to promptly inform all internal parties, including the 'Top Management'.

Dual Causal Mapping

The dual causal mapping took place by using the causal-term description of the organization, presented in the previous section, and linking the cybersecurity risk subcategories listed in the Italian National Cyber Security Framework to the relevant business process. The results are shown in the following subsections.

Management, Planning & Control Department

Figure 7 shows the linking of the cybersecurity risk subcategories to the 'Management, Planning & Control' department processes.

Figure 8 Cyber risks categories mapped to the IT department process

Figure 9 Cyber risks categories mapped to the security department process

Table 4 Rationale for the decisions taken for linking IT department processes to risk subcategories

Business process: Data storage
Risk subcategories:
  PR.DS-3—Assets are formally managed throughout removal, transfers and disposition.
  PR.IP-4—Backups of information are conducted, maintained and tested periodically.
Rationale: The greater the data processing, the larger the data storage needed. A large amount of data requires backups via tapes or removable disks, to be kept in safe places both inside and outside the company. The company must establish the period for conducting, maintaining and testing all the backups.

Business process: Possibility of Data Sharing
Risk subcategories:
  RS.CO-5—Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.
  PR.DS-2—Data-in-transit is protected.
  PR.IP-8—Effectiveness of protection technologies is shared with appropriate parties.
Rationale: Larger data storage represents a higher possibility to share data. Sharing of data should always be done through protected networks and systems, and the effectiveness of protection technologies should be communicated to internal and external parties.

Business process: Efficient Communication
Risk subcategories:
  RC.CO-3—Recovery activities are communicated to internal stakeholders and executive and management teams.
  ID.AM-3—Organizational communication and data flows are mapped.
Rationale: Data sharing is vital for more efficient communication with internal parties or external stakeholders, especially when an incident occurs and normal business activities should be promptly restored. Organizational communication, including the procedures for the transmission and communication of information in secure mode, and data flows should be defined, mapped, published and communicated to employees.

Business process: Possible Access to data
Risk subcategories:
  PR.AC-1—Identities and credentials are managed for authorized devices and users.
  PR.AC-2—Physical access to assets is managed and protected.
  PR.AC-3—Remote access is managed.
  PR.AC-4—Access permissions are managed, incorporating the principles of least privilege and separation of duties.
  PR.AC-5—Network integrity is protected, incorporating network segregation where appropriate.
  PR.DS-1—Data-at-rest is protected.
  PR.DS-5—Protections against data leak are implemented.
  PR.IP-6—Data is destroyed according to policy.
Rationale: Greater support to business activities by the IT department means a greater possibility of access to data. However, it is necessary to establish, document and review an access control policy based on business and information security requirements. Moreover, users shall only be provided with access to the network and network services that they have been specifically authorized to use. It is necessary to protect data and assets from unauthorized users and to destroy them, if they are no longer needed, according to a defined policy.

Business process: Resources dedicated
Risk subcategories:
  PR.DS-4—Adequate capacity to ensure availability is maintained.
Rationale: When the Information System Gap increases, it is necessary to allocate more dedicated resources to reduce or eliminate the gap. It is necessary to maintain an adequate capacity to ensure the availability of all resources needed.

Business process: Monitoring and Maintenance
Risk subcategories:
  RS.AN-1—Notifications from detection systems are investigated.
  DE.CM-1—The network is monitored to detect potential cybersecurity events.
  DE.CM-2—The physical environment is monitored to detect potential cybersecurity events.
  DE.CM-3—Personnel activity is monitored to detect potential cybersecurity events.
  DE.CM-6—External service provider activity is monitored to detect potential cybersecurity events.
  DE.CM-7—Monitoring for unauthorized personnel, connections, devices and software is performed.
  DE.CM-8—Vulnerability scans are performed.
  PR.MA-1—Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools.
  PR.MA-2—Remote maintenance of organizational assets is approved, logged and performed in a manner that prevents unauthorized access.
  PR.DS-6—Integrity checking mechanisms are used to verify software, firmware and information integrity.
Rationale: A bigger Computer System Size increases the necessity to monitor and maintain it. The physical environment, the personnel activities, the external service provider activities, the network and all the notifications from detection systems must be monitored. Maintenance and repair of organizational assets must be performed promptly to prevent the interruption of business activities or to restore them.

Business process: Periodic improvements
Risk subcategories:
  PR.IP-3—Configuration change control processes are in place.
Rationale: The monitoring and maintenance of the information and computer systems translate into periodic improvements. Every time a configuration change is made, it must be controlled and approved.

Business process: Components Required
Risk subcategories:
  ID.AM-2—Software platforms and applications within the organization are inventoried.
  ID.AM-5—Resources (e.g., hardware, devices, data and software) are prioritized based on their classification, criticality and business value.
Rationale: When the computer system size increases or the computer system needs to be improved, the components required increase. Assets and resources must be identified, prioritized and inventoried based on their classification. The inventory of assets must be maintained and updated continuously.

Table 5 Rationale for the decisions taken for linking security department processes to risk subcategories

Business process: Vulnerability Reduction Efforts
Risk subcategories:
  ID.RA-2—Threat and vulnerability information is received from information sharing forums and sources.
Rationale: Investment in Cybersecurity will improve the Vulnerability Reduction Efforts. To reduce vulnerability, it is also necessary that the company receives and shares information from internal and external sources, using, for example, an information security forum.

Business process: Security Procedures
Risk subcategories:
  PR.IP-7—Protection processes are continuously improved.
Rationale: The Vulnerability Reduction Efforts will increase the Information Security procedures and processes, which should be reviewed and updated continuously.

Business process: Standard and Best Practice
Risk subcategories:
  PR.PT-1—Audit/log records are determined, documented, implemented and reviewed in accordance with policy.
  PR.PT-2—Removable media is protected and its use restricted according to policy.
  PR.PT-3—Access to systems and assets is controlled, incorporating the principle of least functionality.
  PR.PT-4—Communications and control networks are protected.
  DE.AE-1—A baseline of network operations and expected data flows for users and systems is established and managed.
Rationale: Improving the Information Security Procedures and processes will improve the implementation within the company of standards and best practices that include, for example, audit, asset management, access management, communications and operations management policies.

Business process: System Vulnerabilities
Risk subcategories:
  ID.RA-1—Asset vulnerabilities are identified and documented.
  PR.IP-12—A vulnerability management plan is developed and implemented.
Rationale: The implementation of standards and best practices and the use of security devices and tools will reduce the System Vulnerabilities and the asset vulnerabilities. System Vulnerabilities should also be documented to help the development of the vulnerability management plan.

Business process: Security Devices and Tools
Risk subcategories:
  DE.AE-3—Event data are aggregated and correlated from multiple sources and sensors.
Rationale: Investment in Cyber Security increases the number and the use of security devices and tools, which are necessary for the aggregation and correlation of event data from multiple sources and sensors.

Business process: Response Plans
Risk subcategories:
  PR.IP-9—Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
  PR.IP-10—Response and recovery plans are tested.
  RS.CO-4—Coordination with stakeholders occurs consistent with response plans.
  RS.IM-1—Response plans incorporate lessons learned.
  RS.IM-2—Response strategies are updated.
Rationale: Investment in Cyber Security increases the investment in prevention, which improves the Response Plans: a detailed set of processes and procedures to prevent, discover and mitigate the impact of an event that might compromise the resources and related goods. It is necessary that the Response Plans are managed, tested and updated, and that they incorporate lessons learned.

Business process: Actual Attacks
Risk subcategories:
  RS.MI-1—Incidents are contained.
  RS.MI-2—Incidents are mitigated.
Rationale: If the number of cyber-attacks increases, the actual attacks will also increase. In case of a cyber-attack, it is necessary to contain and mitigate the incident in a timely manner.

Business process: Recovery Operations
Risk subcategories:
  RS.IM-1—Response plans incorporate lessons learned.
  RS.IM-2—Response strategies are updated.
  RS.RP-1—Response plan is executed during or after an event.
Rationale: More cyber-attacks mean more damage caused to the computer system and business activities. To return to normal activities, it is necessary to activate the recovery plans and the response plan, and then to update them for any new incident or cyber-attack.

Business process: Risk Management Efforts
Risk subcategories:
  ID.RA-4—Potential business impacts and likelihoods are identified.
  ID.RA-5—Threats, vulnerabilities, likelihoods and impacts are used to determine risk.
  ID.RA-6—Risk responses are identified and prioritized.
  ID.RM-1—Risk management processes are established, managed and agreed to by organizational stakeholders.
  ID.RM-2—Organizational risk tolerance is determined and clearly expressed.
  ID.RM-3—The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.
  DE.AE-5—Incident alert thresholds are established.
  RS.AN-2—The impact of the incident is understood.
  RS.AN-3—Forensics are performed.
  RS.AN-4—Incidents are categorized consistent with response plans.
Rationale: An increase of cyber-attacks, incidents and recovery operations means an increase of Risk Management Efforts. Risk Management is the process by which the risk is measured or estimated and strategies are then developed to govern it. To reduce the probability of cyber-attacks or any incidents, it is necessary to identify, analyse, assess and control risks. Moreover, for a better risk assessment, it is necessary to categorize incidents and understand their impact on the business.

Business process: Attacks Report
Risk subcategories:
  RS.MI-3—Newly identified vulnerabilities are mitigated or documented as accepted risks.
  RS.CO-2—Events are reported consistent with established criteria.
  RS.CO-3—Physical devices and systems within the organization.
Rationale: More cyber-attacks mean more damage caused to the business and more Attacks Reports to be developed. To better understand how the attack or incident occurred, it is necessary to report all the events and all the new vulnerabilities identified. All the information about an incident or a cyber-attack must be shared internally and externally according to the Information Security policy and the response plans.

Business process: Detected Attacks
Risk subcategories:
  DE.AE-2—Detected events are analysed to understand attack targets and methods.
  DE.AE-4—Impact of events is determined.
  DE.CM-5—Unauthorized mobile code is detected.
Rationale: An improvement of the Security Devices and Tools will improve the detection of anomalous activity. To prevent an incident, it is necessary to promptly detect any anomalous activities and to understand their potential impact on the business.

Business process: High Number of Threats
Risk subcategories:
  ID.RA-3—Threats, both internal and external, are identified and documented.
Rationale: The number of threats, both internal and external, is growing faster and faster through the years, so the number of cyber-attacks is increasing accordingly. It is necessary to identify and document all kinds of threats to improve future responses to any attack.

Business process: Damage to Company Image
Risk subcategories:
  RC.CO-1—Public relations are managed.
  RC.CO-2—Reputation after an event is repaired.
Rationale: More cyber-attacks mean more damage to the Company Image. Public relations are critical for business success, so in case of a cyber-attack, or when an incident happens, it is necessary to manage public relations and repair the company reputation.
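The Security department mapping of Table 5 as a small causal graph, together with the systemic 'propagation' of a cybersecurity investment and the department-removal adaptation that the paper argues for, as an added example that is not the paper's own code or a reproduction of its figures. The edge list is my reading of the Table 5 rationale column and of the 'Cyber Attack Probability' sentence above (the two links marked "assumption" fill in what that text only implies), and the function names are illustrative; the removal routine is written for any variable, not only the R&D case the paper mentions.

```python
"""Security department dual causal map (Table 5) as a small graph.
Constructed example, not the paper's code or figures: nodes and subcategories
come from Table 5, links from its rationale column (two marked "assumption").
"""
from collections import deque

# Process variable -> Italian National Cyber Security Framework subcategories
# that Table 5 links to it (the investment variable itself carries none).
SUBCATEGORIES = {
    "Investments in cybersecurity": [],
    "Vulnerability Reduction Efforts": ["ID.RA-2"],
    "Security Procedures": ["PR.IP-7"],
    "Standard and Best Practice": ["PR.PT-1", "PR.PT-2", "PR.PT-3", "PR.PT-4", "DE.AE-1"],
    "System Vulnerabilities": ["ID.RA-1", "PR.IP-12"],
    "Security Devices and Tools": ["DE.AE-3"],
    "Detected Attacks": ["DE.AE-2", "DE.AE-4", "DE.CM-5"],
    "Response Plans": ["PR.IP-9", "PR.IP-10", "RS.CO-4", "RS.IM-1", "RS.IM-2"],
    "High Number of Threats": ["ID.RA-3"],
    "Actual Attacks": ["RS.MI-1", "RS.MI-2"],
    "Recovery Operations": ["RS.IM-1", "RS.IM-2", "RS.RP-1"],
    "Risk Management Efforts": ["ID.RA-4", "ID.RA-5", "ID.RA-6", "ID.RM-1", "ID.RM-2",
                                "ID.RM-3", "DE.AE-5", "RS.AN-2", "RS.AN-3", "RS.AN-4"],
    "Attacks Report": ["RS.MI-3", "RS.CO-2", "RS.CO-3"],
    "Damage to Company Image": ["RC.CO-1", "RC.CO-2"],
}

# Causal links (cause, effect, polarity): +1 effect moves with the cause, -1 against it.
LINKS = [
    ("Investments in cybersecurity", "Vulnerability Reduction Efforts", +1),
    ("Investments in cybersecurity", "Security Devices and Tools", +1),
    ("Investments in cybersecurity", "Response Plans", +1),
    ("Vulnerability Reduction Efforts", "Security Procedures", +1),
    ("Security Procedures", "Standard and Best Practice", +1),
    ("Standard and Best Practice", "System Vulnerabilities", -1),
    ("Security Devices and Tools", "System Vulnerabilities", -1),
    ("Security Devices and Tools", "Detected Attacks", +1),
    ("High Number of Threats", "Actual Attacks", +1),
    ("System Vulnerabilities", "Actual Attacks", +1),  # assumption: 'Cyber Attack Probability' sentence
    ("Actual Attacks", "Recovery Operations", +1),
    ("Response Plans", "Recovery Operations", +1),  # assumption: recovery "activates" the plans
    ("Actual Attacks", "Attacks Report", +1),
    ("Actual Attacks", "Damage to Company Image", +1),
    ("Actual Attacks", "Risk Management Efforts", +1),
    ("Recovery Operations", "Risk Management Efforts", +1),
]


def propagate(start, links):
    """Follow causal links outward from `start`; return {variable: net polarity}.
    Polarity is the product of signs along the path. If two paths disagree the
    variable gets 0: its direction depends on loop strengths, which a
    qualitative CLD cannot decide."""
    adj = {}
    for cause, effect, sign in links:
        adj.setdefault(cause, []).append((effect, sign))
    net = {start: +1}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, sign in adj.get(node, []):
            here = net[node] * sign  # an undetermined (0) cause stays undetermined
            if nxt not in net:
                net[nxt] = here
                queue.append(nxt)
            elif net[nxt] != 0 and net[nxt] != here:
                net[nxt] = 0  # conflicting paths; re-queue so the ambiguity moves downstream
                queue.append(nxt)  # a node can flip to 0 only once, so this terminates
    return net


def affected_subcategories(start, links):
    """Subcategories that an action on `start` 'propagates' to: those of every
    reached variable other than `start` itself."""
    reached = propagate(start, links)
    return sorted({sub for var in reached if var != start
                   for sub in SUBCATEGORIES.get(var, [])})


def remove_process(name, links):
    """Adapt the map to an organization lacking `name` (the paper's R&D example):
    drop the variable and connect each of its causes directly to each of its
    effects, multiplying the polarities along the bypassed path."""
    into = [(c, s) for c, e, s in links if e == name]
    out = [(e, s) for c, e, s in links if c == name]
    kept = [link for link in links if name not in link[:2]]
    for cause, s_in in into:
        for effect, s_out in out:
            bridged = (cause, effect, s_in * s_out)
            if bridged not in kept:
                kept.append(bridged)
    return kept


if __name__ == "__main__":
    for var, sign in propagate("Investments in cybersecurity", LINKS).items():
        print(f"{sign:+d}" if sign else " ?", var)
    print(len(affected_subcategories("Investments in cybersecurity", LINKS)),
          "subcategories touched by a cybersecurity investment")
```

Run as a script it lists every variable an investment reaches with its sign; 'Recovery Operations' comes out undetermined because the investment lowers it through fewer attacks but raises it through better plans, which is exactly the kind of loop-strength question the paper defers to a future quantitative model.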


Table 3 presents the business processes linked to the risk subcategories (Figure 1) selected and the rationale for positioning each of them on the appropriate processes.

IT & Security Department

Similar to the 'Top Management, Planning & Control' department, the same procedure was applied for the 'IT & Security' department processes. The mapping results are shown in Figures 8 and 9, and the rationales for the decisions taken are described in Tables 4 and 5, respectively.

CONCLUSIONS

This work presented a causal mapping of cybersecurity risk categories, based on the definitions laid down in the Italian National Cyber Security Framework, and applied to an organizational structure described by its business areas, processes, functions and roles. For achieving this objective, a case study was performed in which a medium-sized Italian manufacturing company was selected to have its business structure described in causal terms. Presenting the whole business structure in this work would not have been possible due to the limitation of space, so three departments were selected for performing the dual mapping and positioning each of the cyber risk categories in the appropriate business area.

The dual CLDs described in this work can be used to qualitatively support an organization in evaluating how an investment committed to addressing threats related to one or more categories can also 'propagate' systemically to other ones.

One of the threats to the presented study is the reproducibility of the results presented so far. However, to give a practical example of the adaptability of the causal map developed to other companies, hypothetically assume a company without the R&D Department in its organizational structure. Without the R&D Department, it is possible to notice that two other variables are connected by links representing causal influence among them (Figure 5): as the demand for 'Components Required' increases, the 'Need for Dedicated Spaces' increases. Moreover, the methodology used for the current work can be replicated not only for any type of organization, but also using any sort of Cyber Security Framework. A Cybersecurity Framework consists of standards, guidelines and best practices and is often customized to solve specific information security problems or to be implemented in a specific industry sector. Indeed, the causal map developed can be quickly adapted by adding or removing specific departments based on the structure of the organization.

Future works should evaluate different Cyber Security Frameworks, such as the 'CIS Critical Security Controls' or the 'CIIP Framework,' which can be easily adapted to the organizational structure by selecting the appropriate security controls, applicable to the specific context, and linking them to the appropriate business processes. Likewise, future studies should be conducted to compare and to empirically validate the causal relationship diagrams that were presented in this work, for assessing the reproducibility of the results. Furthermore, the results shown can be used as a blueprint for developing a complete simulation model that could also bring quantitative data to the evaluation of future return on security investments, thus ultimately supporting organizations in deciding the optimal portfolio investment strategies among the categories used to define their cyber risks.

ACKNOWLEDGEMENTS

We thank the Research Center of Cyber Intelligence and Information Security (CIS) of Sapienza University of Rome, with particular reference to Prof. Roberto Baldoni and Dr Eng. Luca Montanari, for their support.
