Archetypal behavior in computer security

The purpose of this study is to understand observed behavior and to diagnose and find solutions to issues encountered in organizational computer security using a systemic approach, namely system archetypes. In this paper we show the feasibility of archetypes application and the benefits of simulation. We developed a model and simulation of some aspects of security based on system dynamics principles. The system dynamics simulation model can be used in support of decision-making, training, and teaching regarding the mitigation of computer security risks. In this paper, we combine two archetypes and show the computer security relevance of such combinations. Presented are instances of the archetypes “Escalation”, in which an organization must continuously increase its efforts to counter additional attacker effort; and “Limits to Growth”, in which the gains from an organization’s security efforts plateau or decline due to its limited capacity for security-related tasks. We describe a scenario where these archetypes (individually and combined) can help in diagnosis and understanding, and present simulation of “what-if” scenarios suggesting how an organization might remedy these problems and maximize its gains from security efforts.