Modeling the “Tragedy of the Commons” Archetype in Enterprise Computer Security

The purpose of this study is to understand observed behavior and to diagnose and find solutions to issues encountered in organizational computer security using a systemic approach, namely system archetypes. In this paper we show the feasibility of archetypes application and the benefits of simulation. We developed a model and simulation of some aspects of security based on system dynamics principles. The system dynamics simulation model can be used in support of decision-making, training, and teaching regarding the mitigation of computer security risks. In this paper, we describe the archetype “Tragedy of the Commons”, in which an organization’s efforts at improvements fail to consider the consumption of a shared resource, and we show the relevance of this archetype in the context of security. We describe a scenario where this archetype can help in diagnosis and understanding, and present simulation of “what-if” scenarios suggesting how an organization might remedy problems observed and maximize its gains from security efforts.