A technological analysis of Colombia’s cybersecurity capacity: a systemic perspective from an organizational point of view


Incident Response
Critical Infrastructure
System Dynamics

How to Cite

Serna Patiño, A., & Giraldo Ramírez, D. (2019). A technological analysis of Colombia’s cybersecurity capacity: a systemic perspective from an organizational point of view. Ingeniería Solidaria, 15(28), 1-30. Retrieved from https://revistas.ucc.edu.co/index.php/in/article/view/2750


Introduction:  This paper is a product of the research Project “A technological analysis of Colombia’s cybersecurity capacity: a systemic perspective from an organizational point of view” developed at the Universidad Pontificia Bolivariana in the year 2018. Objective: Starting from the dynamics system paradigm, this study considers the technological dimension with respect to cybersecurity for incident response and critical infrastructure protection, making reference to the Cybersecurity Capability Maturity Model and the best practices defined by the National Institute of Standards and Technology - NIST. Methodology: The research starts from the dynamics hypothesis and using the representation of a formal simulation model as its input so as to analyze different scenarios and the development of future policy in this field. Conclusions: The risk at the organizational level represents a fundamental element for management of incidents and the protection of critical infrastructures, since it allows defining the necessary strategies, in terms of policies, guidelines, business rules, technology and other elements that allow the country to face the threats derived from interconnectivity. It is therefore necessary to develop policies aimed at organizational sensitivity in terms of cybersecurity risks. Originality: The scenarios that we propose should assist decision makers in making investments in favor of the development and evolution of Cybersecurity in Colombia and, therefore, of the organizations that contribute to the development of the country.  Restrictions: The data we used to conclude this study, was obtained from an organization that is classified as critical to infrastructure, so it is important to obtain access to the information of the main organization in Colombia in charge of cybersecurity and other companies.


A. Cardazzone and C. Carlini, Understanding security policies in the Cyber warfare domain through system dynamics, no. 1, p. 5. [Online]. Available: https://www.systemdynamics.org/assets/conferences/2014/proceed/papers/P1262.pdf

Ministerio de Interior y Justicia et al., Conpes 3701 Lineamientos de Política para Ciberseguridad y Ciberdefensa, p. 43, 2011. [Online]. Available: https://www.mintic.gov.co/portal/604/articles-3510_documento.pdf

OCDE, Directrices de la ocde para la seguridad de sistemas y redes de información, pp. 1–12, 2002. [Online]. Available: https://www.oecd.org/sti/ieconomy/34912912.pdf

R. Cort, Estado actual de la política pública de ciberseguridad y ciberdefensa en Colombia, no. 14, p. 4, 2015. [Online]. doi: htp://dx.doi.org/10.15425/redecom.14.2015.06

S. Morgan, 2017 Cybercrime Report, p. 14, 2017. [Online]. Available: https://cybersecurityventures.com/2015-wp/wp-content/uploads/2017/10/2017-Cybercrime-Report.pdf

World Economic Forum, The global risks report 2018, p. 6, 2018. [Online]. Available: http://www3.weforum.org/docs/WEF_GRR18_Report.pdf

Ministerio de Interior y Justicia et al., Conpes 3854 - Política Nacional De Seguridad Digital, p. 63, 2016. [Online]. Available: https://colaboracion.dnp.gov.co/CDT/Conpes/Econ%C3%B3micos/3854.pdf

D. M. Cappelli, A. Desai, A. P. Moore, T. J. Shimeall, E. A. Weaver, and B. J. Willke, “Management and Education of the Risk of Insider Threat (MERIT),” Proc. 24th Int. Conf. Syst. Dyn. Soc., vol. 0389, pp. 52–53, 2006. [Online]. Available: https://apps.dtic.mil/dtic/tr/fulltext/u2/a632604.pdf

E. Canzani and S. Pickl, “Cyber Epidemics: Modeling Attacker-Defender Dynamics in Critical Infrastructure Systems,” in Advances in Human Factors in Cybersecurity, pp. 377–389. vol 501,.2016, [Online]. doir: https://doi.org/10.1007/978-3-319-41932-9_31

A. Flórez, L. Serrano, U. Gómez, L. Suárez, A. Villarraga, and H. Rodríguez, “Analysis of Dynamic Complexity of the Cyber Security Ecosystem of Colombia,” Futur. Internet, vol. 8, no. 3, p. 33, 2016. [Online]. Available: https://res.mdpi.com/futureinternet/futureinternet-08-00033/article_deploy/futureinternet-08-00033.pdf?filename=&attachment=0

M. Porrúa and B. Contreras, Ciberseguridad ¿Estamos preparados en América Latina y el Caribe?, pp. 37 - 46, 2016. [Online]. Available: https://publications.iadb.org/publications/spanish/document/Ciberseguridad-%C2%BFEstamos-preparados-en-Am%C3%A9rica-Latina-y-el-Caribe.pdf

J. W. Forrester, System Dynamics, Systems Thinking, and Soft OR, vol. 10, no. 2, pp. 1–14, 1992. [Online]. doi: https://doi.org/10.1002/sdr.4260100211

P. A. Ferrillo and C. Veltsos, “Next-Level Cybersecurity Incident Response Trends 2016.,” Corp. Gov. Advis., vol. 24, no. 3, pp. 6–8, 2016. [Online]. Available: https://www.dandodiary.com/2016/03/articles/cyber-liability/guest-post-next-level-cybersecurity-incident-response-trends-2016/

P. Cichonski, “Computer Security Incident Handling Guide : Recommendations of the National Institute of Standards and Technology,” NIST Spec. Publ., vol. 800–61, p. 79, 2012. [Online]. doi: https://doi.org/10.6028/NIST.SP.800-61r2

NIST, “Framework for Improving Critical Infrastructure Cybersecurity,” Natl. Inst. S, pp. 1–41, 2014. [Online]. doi: https://doi.org/10.6028/NIST.CSWP.04162018

K. Kossakowski, J. Allen, C. Alberts, C. Cohen, and G. Ford, Responding to Intrusions.,February, p. 44, 1999. [Online]. Available: https://resources.sei.cmu.edu/asset_files/SecurityImprovementModule/1999_006_001_16679.pdf

Real Options Valuation, Risk Simulator. 2017. [Online]. Available: https://www.software-shop.com/producto/risk-simulator

T. Holdings, Trustwave global security report. p. 21, 2016. [Online]. Available: https://www2.trustwave.com/GSR2016.html

T. Holdings, Trustwave Global Security Report. p. 16, 2017. [Online]. Available: https://www2.trustwave.com/2017-Trustwave-Global-Security-Report.html

D. Vose, Risk Analysis - A quantitative guide, John Wiley & Sons, Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, England, p. 405, 2008.

J. D. Sterman, Systems Thinking and Modeling for a Complex World. pp. 166 - 167, 2003.

J. D. W. Morecroft, Strategic modelling and business dynamics. A feedback system aproach. pp. 55 - 57, 2015.

A. García Zaballos and F. González Herranz, From Cybersecurity to Cybercrime: A Framework for Analysis and Implementation, September, p. 14, 2013. [Online]. Available: https://publications.iadb.org/publications/english/document/From-Cybersecurity-to-Cybercrime-A-Framework-for-Analysis-and-Implementation.pdf

C. Young, Information Security Science: Measuring the Vulnerability to Data Compromises. p. 21, 2016.

J. Vacca, Cyber Security and IT Infrastructure Protection. Steven Elliot, p. 287, 2014.

D. Smith, “Forming an Incident Response Team,” Proc. FIRST Annu. Conf., no. January 1995, pp. 1–37, 1994. [Online]. Available: http://tech.uh.edu/conklin/IS7033Web/7033/Week11/form-irt.pdf

H. Jindal, “Cyber security: Risk management,” J. Insur. Inst. India, no. June, pp. 95–103, 2014. [Online]. Available: http://web.a.ebscohost.com.consultaremota.upb.edu.co/ehost/pdfviewer/pdfviewer?vid=0&sid=4b2b548e-fc7e-4283-aac0-b677603fe726%40sdc-v-sessmgr05

E. Luiijf, Cyber Crime and Cyber Terrorism Investigator’s Handbook, p. 48, 2014. [Online]. doi: https://doi.org/10.1016/B978-0-12-800743-3.00003-7

A. Aguiar Rodríguez, “Understanding the dynamics of Information Security Investments. A Simulation-Based Approach,” Universitetet i Bergen,Radboud Universiteit Nijmegen, p. 8, 2017. [Online]. Available: http://www.scopus.com/inward/record.url?eid=2-s2.0-67249152401&partnerID=40&md5=c9da6feaf998ef1eac82ba852ac50af8

B. Akhgar and H. R. Arabnia, Emerging Trends in ICT Security Emerging Trends in ICT Security, p. 401, 2014. [Online]. doi: http://dx.doi.org/10.1016/B978-0-12-411474-6.00006-2

A. Ahmad, J. Hadgkiss, and A. B. Ruighaver, “Incident response teams - Challenges in supporting the organisational security function,” Comput. Secur., vol. 31, no. 5, pp. 643–652, 2012. [Online]. doi: http://dx.doi.org/10.1016/j.cose.2012.04.001

N. Adams, N. & Heard, Data Analysis For Network Cyber-Security, p. 36, 2014. [Online]. doi: https://doi.org/10.1142/p919

S. Chabinsky, “NIST CRIED: The Four Steps of Incident Mitigation,” SecurityMagazine.com, March, pp. 1 - 2, 2017. [Online]. Available: http://web.a.ebscohost.com.consultaremota.upb.edu.co/ehost/pdfviewer/pdfviewer?vid=0&sid=ffe0a307-b06e-43d6-b88d-d8e3269f98c3%40sessionmgr4008

D. P. Giraldo, Análisis de la dinámica de la seguridad alimentaria en un país en desarrollo -caso colombiano-. Tesis Doctoral, Escuela de Ingeniería. Universidad Pontificia Bolivariana, p. 114, 2013.



Download data is not yet available.