Introduction: This paper is a product of the research Project “A technological analysis of Colombia’s cybersecurity capacity: a systemic perspective from an organizational point of view” developed at the Universidad Pontificia Bolivariana in the year 2018.
Objective: Starting from the dynamics system paradigm, this study considers the technological dimension with respect to cybersecurity for incident response and critical infrastructure protection, making reference to the Cybersecurity Capability Maturity Model and the best practices defined by the National Institute of Standards and Technology - NIST.
Methodology: The research starts from the dynamics hypothesis and using the representation of a formal simulation model as its input so as to analyze different scenarios and the development of future policy in this field.
Conclusions: The risk at the organizational level represents a fundamental element for management of incidents and the protection of critical infrastructures, since it allows defining the necessary strategies, in terms of policies, guidelines, business rules, technology and other elements that allow the country to face the threats derived from interconnectivity. It is therefore necessary to develop policies aimed at organizational sensitivity in terms of cybersecurity risks.
Originality: The scenarios that we propose should assist decision makers in making investments in favor of the development and evolution of Cybersecurity in Colombia and, therefore, of the organizations that contribute to the development of the country.
Restrictions: The data we used to conclude this study, was obtained from an organization that is classified as critical to infrastructure, so it is important to obtain access to the information of the main organization in Colombia in charge of cybersecurity and other companies.
 Ministerio de Interior y Justicia et al., Conpes 3701 Lineamientos de Política para Ciberseguridad y Ciberdefensa, p. 43, 2011. [Online]. Available: https://www.mintic.gov.co/portal/604/articles-3510_documento.pdf
 OCDE, Directrices de la ocde para la seguridad de sistemas y redes de información, pp. 1–12, 2002. [Online]. Available: https://www.oecd.org/sti/ieconomy/34912912.pdf
 R. Cort, Estado actual de la política pública de ciberseguridad y ciberdefensa en Colombia, no. 14, p. 4, 2015. [Online]. doi: htp://dx.doi.org/10.15425/redecom.14.2015.06
 S. Morgan, 2017 Cybercrime Report, p. 14, 2017. [Online]. Available: https://cybersecurityventures.com/2015-wp/wp-content/uploads/2017/10/2017-Cybercrime-Report.pdf
 World Economic Forum, The global risks report 2018, p. 6, 2018. [Online]. Available: http://www3.weforum.org/docs/WEF_GRR18_Report.pdf
 Ministerio de Interior y Justicia et al., Conpes 3854 - Política Nacional De Seguridad Digital, p. 63, 2016. [Online]. Available: https://colaboracion.dnp.gov.co/CDT/Conpes/Econ%C3%B3micos/3854.pdf
 D. M. Cappelli, A. Desai, A. P. Moore, T. J. Shimeall, E. A. Weaver, and B. J. Willke, “Management and Education of the Risk of Insider Threat (MERIT),” Proc. 24th Int. Conf. Syst. Dyn. Soc., vol. 0389, pp. 52–53, 2006. [Online]. Available: https://apps.dtic.mil/dtic/tr/fulltext/u2/a632604.pdf
 E. Canzani and S. Pickl, “Cyber Epidemics: Modeling Attacker-Defender Dynamics in Critical Infrastructure Systems,” in Advances in Human Factors in Cybersecurity, pp. 377–389. vol 501,.2016, [Online]. doir: https://doi.org/10.1007/978-3-319-41932-9_31
 A. Flórez, L. Serrano, U. Gómez, L. Suárez, A. Villarraga, and H. Rodríguez, “Analysis of Dynamic Complexity of the Cyber Security Ecosystem of Colombia,” Futur. Internet, vol. 8, no. 3, p. 33, 2016. [Online]. Available: https://res.mdpi.com/futureinternet/futureinternet-08-00033/article_deploy/futureinternet-08-00033.pdf?filename=&attachment=0
 M. Porrúa and B. Contreras, Ciberseguridad ¿Estamos preparados en América Latina y el Caribe?, pp. 37 - 46, 2016. [Online]. Available: https://publications.iadb.org/publications/spanish/document/Ciberseguridad-%C2%BFEstamos-preparados-en-Am%C3%A9rica-Latina-y-el-Caribe.pdf
 J. W. Forrester, System Dynamics, Systems Thinking, and Soft OR, vol. 10, no. 2, pp. 1–14, 1992. [Online]. doi: https://doi.org/10.1002/sdr.4260100211
 P. A. Ferrillo and C. Veltsos, “Next-Level Cybersecurity Incident Response Trends 2016.,” Corp. Gov. Advis., vol. 24, no. 3, pp. 6–8, 2016. [Online]. Available: https://www.dandodiary.com/2016/03/articles/cyber-liability/guest-post-next-level-cybersecurity-incident-response-trends-2016/
 P. Cichonski, “Computer Security Incident Handling Guide : Recommendations of the National Institute of Standards and Technology,” NIST Spec. Publ., vol. 800–61, p. 79, 2012. [Online]. doi: https://doi.org/10.6028/NIST.SP.800-61r2
 NIST, “Framework for Improving Critical Infrastructure Cybersecurity,” Natl. Inst. S, pp. 1–41, 2014. [Online]. doi: https://doi.org/10.6028/NIST.CSWP.04162018
 K. Kossakowski, J. Allen, C. Alberts, C. Cohen, and G. Ford, Responding to Intrusions.,February, p. 44, 1999. [Online]. Available: https://resources.sei.cmu.edu/asset_files/SecurityImprovementModule/1999_006_001_16679.pdf
 Real Options Valuation, Risk Simulator. 2017. [Online]. Available: https://www.software-shop.com/producto/risk-simulator
 T. Holdings, Trustwave global security report. p. 21, 2016. [Online]. Available: https://www2.trustwave.com/GSR2016.html
 T. Holdings, Trustwave Global Security Report. p. 16, 2017. [Online]. Available: https://www2.trustwave.com/2017-Trustwave-Global-Security-Report.html
 D. Vose, Risk Analysis - A quantitative guide, John Wiley & Sons, Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, England, p. 405, 2008.
 J. D. Sterman, Systems Thinking and Modeling for a Complex World. pp. 166 - 167, 2003.
 J. D. W. Morecroft, Strategic modelling and business dynamics. A feedback system aproach. pp. 55 - 57, 2015.
 A. García Zaballos and F. González Herranz, From Cybersecurity to Cybercrime: A Framework for Analysis and Implementation, September, p. 14, 2013. [Online]. Available: https://publications.iadb.org/publications/english/document/From-Cybersecurity-to-Cybercrime-A-Framework-for-Analysis-and-Implementation.pdf
 C. Young, Information Security Science: Measuring the Vulnerability to Data Compromises. p. 21, 2016.
 J. Vacca, Cyber Security and IT Infrastructure Protection. Steven Elliot, p. 287, 2014.
 D. Smith, “Forming an Incident Response Team,” Proc. FIRST Annu. Conf., no. January 1995, pp. 1–37, 1994. [Online]. Available: http://tech.uh.edu/conklin/IS7033Web/7033/Week11/form-irt.pdf
 H. Jindal, “Cyber security: Risk management,” J. Insur. Inst. India, no. June, pp. 95–103, 2014. [Online]. Available: http://web.a.ebscohost.com.consultaremota.upb.edu.co/ehost/pdfviewer/pdfviewer?vid=0&sid=4b2b548e-fc7e-4283-aac0-b677603fe726%40sdc-v-sessmgr05
 E. Luiijf, Cyber Crime and Cyber Terrorism Investigator’s Handbook, p. 48, 2014. [Online]. doi: https://doi.org/10.1016/B978-0-12-800743-3.00003-7
 A. Aguiar Rodríguez, “Understanding the dynamics of Information Security Investments. A Simulation-Based Approach,” Universitetet i Bergen,Radboud Universiteit Nijmegen, p. 8, 2017. [Online]. Available: http://www.scopus.com/inward/record.url?eid=2-s2.0-67249152401&partnerID=40&md5=c9da6feaf998ef1eac82ba852ac50af8
 B. Akhgar and H. R. Arabnia, Emerging Trends in ICT Security Emerging Trends in ICT Security, p. 401, 2014. [Online]. doi: http://dx.doi.org/10.1016/B978-0-12-411474-6.00006-2
 A. Ahmad, J. Hadgkiss, and A. B. Ruighaver, “Incident response teams - Challenges in supporting the organisational security function,” Comput. Secur., vol. 31, no. 5, pp. 643–652, 2012. [Online]. doi: http://dx.doi.org/10.1016/j.cose.2012.04.001
 N. Adams, N. & Heard, Data Analysis For Network Cyber-Security, p. 36, 2014. [Online]. doi: https://doi.org/10.1142/p919
 S. Chabinsky, “NIST CRIED: The Four Steps of Incident Mitigation,” SecurityMagazine.com, March, pp. 1 - 2, 2017. [Online]. Available: http://web.a.ebscohost.com.consultaremota.upb.edu.co/ehost/pdfviewer/pdfviewer?vid=0&sid=ffe0a307-b06e-43d6-b88d-d8e3269f98c3%40sessionmgr4008
 D. P. Giraldo, Análisis de la dinámica de la seguridad alimentaria en un país en desarrollo -caso colombiano-. Tesis Doctoral, Escuela de Ingeniería. Universidad Pontificia Bolivariana, p. 114, 2013.
As the author of the article, I declare that is an original unpublished work exclusively created by me, that it has not been submitted for simultaneous evaluation by another publication and that there is no impediment of any kind for concession of the rights provided for in this contract.
In this sense, I am committed to await the result of the evaluation by the journal Ingeniería Solidaría before considering its submission to another medium; in case the response by that publication is positive, additionally, I am committed to respond for any action involving claims, plagiarism or any other kind of claim that could be made by third parties.
At the same time, as the author or co-author, I declare that I am completely in agreement with the conditions presented in this work and that I cede all patrimonial rights, in other words, regarding reproduction, public communication, distribution, dissemination, transformation, making it available and all forms of exploitation of the work using any medium or procedure, during the term of the legal protection of the work and in every country in the world, to the Universidad Cooperativa de Colombia Press.