Towards the Definition of a Dynamic/Systemic Assessment for Cyber Security Risks Through a Systems Thinking approach


  • Stefano Armenia DIAG Sapienza University of Rome - Italy
  • Eduardo Ferreira Franco University of Sao Paulo
  • Fabio Nonino Sapienza University of Rome
  • Emanuele Spagnoli Price Waterhouse Coopers


cyber security, system dynamics, risk assessment


Nowadays our society is increasingly becoming economic and social dependent on the cyberspace, which comprehends the set of networks and information systems that are used by government agencies, enterprises, critical infrastructure providers and public administration to provide several essential services.

However, the cyberspace and its core components are exposed to numerous risks, and since these complex systems are rapidly evolving, there is a constant threat of exploitable vulnerabilities. One or several of these vulnerabilities can be exploited by attackers to hack into the computer systems of an organization, thus allowing them to read, steal, disclose or delete critical information up to take full control of physical assets. These numerous vulnerabilities, coupled with the fact that awareness of this situation is not yet well established at all levels of society, meaning that the cyber threats can become an extremely important issue for organizations, which could lead to financial and reputational impacts.

The current work adopts the Italian National Cyber Security Framework for assessing cyber security risks, which has interoperability with industry standards, guidelines, and practices, it inherits its capacity of communication that permits to broaden the discussion of cyber security matters across the organization, from the executive level to the implementation/operations level. Secondly, by joining the risks categories into a causal mapping of a general process-structure of a medium-large private organization, which is also described in causal terms, this work proposes a common ground for discussions concerning the corporate adoption of a systemic perspective as a good practice in cyber security.

Due to its compatibility with NIST’s security profiles, the Italian National Cyber Security Framework can favor the communication of its security levels to known standards (for example the ISO standards), but in a cheaper way. The Italian Framework provides a full coverage of the information and system security life cycle (from its conception, development, operation, and maintenance), by maintaining an abstraction degree that ensures companies the freedom in the implementation and contextualization of controls. 

Author Biography

Stefano Armenia, DIAG Sapienza University of Rome - Italy

Stefano Armenia is a Research Fellow in the Analysis of Dynamical Systems at the Center for Cyber Intelligence and Information Security, Sapienza University of Rome. He has a degree in Computer Engineering, Industrial Automation & Control Systems, a Ph.D. in Business Engineering and a Master in Management and Business Administration. He is member of the System Dynamics International Society (SDS) since 2002, President of SYDIC (the Italian Network of the SDS) since 2011 and member of the SDS Policy Council since 2014. Since 2014 he is also the communication officer of the European Academy of Management. He has been the coordinator of the EU-funded CRISADMIN and ATTACS projects. His research interests deal with the analysis of complex systems dynamics in many fields: logistics and transportation, finance, technological innovation, policy modelling and assessment of impacts of new technologies on organizational processes. Since is affiliation as a Research Fellow at Sapienza, he has developed a specific focus on Security & Defence related problems and has since published several papers on Critical Infrastructures Protection, Interdependency and Resilience Analysis, Maritime Awareness, Asymmetric conflict against terrorism, crisis analysis and management.



How to Cite

Armenia, S., Ferreira Franco, E., Nonino, F., & Spagnoli, E. (2019). Towards the Definition of a Dynamic/Systemic Assessment for Cyber Security Risks Through a Systems Thinking approach. Proceedings of the 61st Annual Meeting of the ISSS - 2017 Vienna, Austria, 2017(1). Retrieved from